hacking attempts with spoofed IP address



  • I already have fail2ban in place looking at z-push, kopano-gateway and kopano-webapp logs, but one of the problems I am facing is that it appears that one of the attacks is spoofing its IP address as 127.0.0.1 and localhost:

    As you can see from the following log / hack attempt, the connection to kopano-gateway appears to be coming from localhost? So is this really coming from localhost, and if so where, or is it a spoofed IP address?

    Sep 25 08:54:15 kopano postfix/smtpd[19267]: connect from unknown[102.165.35.28]
    Sep 25 08:54:17 kopano kopano-server[1346]: Authentication by plugin failed for user "xxx": Trying to authenticate failed: wrong username or password
    Sep 25 08:54:17 kopano kopano-gateway[834]: HrLogon server "http://localhost:236/" user "xxx": logon failed
    Sep 25 08:54:17 kopano kopano-gateway[834]: Failed to login from [[::ffff:127.0.0.1]:33918] with invalid username "xxx" or wrong password: logon failed (80040111)
    Sep 25 08:54:18 kopano kopano-gateway[834]: Connection error.
    

    As far as I can tell there is just no way for me to trap this hack attempt and block it, as I cannot block localhost / 127.0.0.1?!

    Any help is welcome!
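    One way to handle this in a fail2ban-style filter, as an added example rather than code from this thread or from Kopano: it pulls the source address out of the kopano-gateway "Failed to login from" line, unmaps the IPv4-mapped IPv6 form ::ffff:127.0.0.1, and separates loopback sources (which cannot usefully be banned and point to a local process talking to the gateway) from remote ones. The log lines and the remote addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the kopano-gateway lines quoted in the post above.
SAMPLE_LOG = """\
Sep 25 08:54:17 kopano kopano-gateway[834]: Failed to login from [[::ffff:127.0.0.1]:33918] with invalid username "xxx" or wrong password: logon failed (80040111)
Sep 25 08:54:20 kopano kopano-gateway[834]: Failed to login from [[::ffff:203.0.113.45]:51002] with invalid username "admin" or wrong password: logon failed (80040111)
Sep 25 08:54:21 kopano kopano-gateway[834]: Failed to login from [[2001:db8::1]:40000] with invalid username "test" or wrong password: logon failed (80040111)
Sep 25 08:54:22 kopano kopano-gateway[834]: Connection error.
"""

# Matches the source address between "[[" and "]:port]" in the failed-login line.
FAILED_LOGIN_RE = re.compile(
    r"kopano-gateway\[\d+\]: Failed to login from \[\[(?P<addr>[^\]]+)\]:(?P<port>\d+)\]"
)


def normalize(addr):
    """Unmap IPv4-mapped IPv6 (::ffff:a.b.c.d) so 127.0.0.1 is recognised as loopback."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def classify(log_text):
    """Return {'ban': [...], 'local': [...]} of source addresses from failed logins.

    Loopback sources go in 'local': banning them would cut off the server's own
    services, so they are flagged for investigation of local processes instead.
    """
    result = {"ban": [], "local": []}
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if not m:
            continue
        ip = normalize(m.group("addr"))
        bucket = "local" if ip.is_loopback else "ban"
        result[bucket].append(str(ip))
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```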



  • Hi @crankshaft,

    How often do you experience this behaviour? Did you try to find out if there is any local process connecting to kopano-gateway? Which services are active within kopano-gateway (pop(s), imap(s)) that another process could try to connect to?



  • Hi;

    No, no other services connecting to the gateway on the server, we are using IMAP and z-push, but that’s all.

    My suspicion is that the hacker is spoofing their IP address.

    Like most people, we are under constant attack 24x7 x 365 days, with script-kiddies looking for PHP exploits and trying to guess SASL etc. passwords.

    I have jails/filters set up to catch all of these and they work well; the only one I cannot trap is this attempt to log in with the localhost IP address!

    Thanks



  • Hi @crankshaft,

    OK. What system are you on? Is source address verification/reverse path filtering switched on?



  • Hi @crankshaft,

    Did you solve your problem?

