
    Swamped by User / Password Guessing Scripts

    Kopano Groupware Core
    • crankshaft
      crankshaft last edited by

      We are absolutely swamped by hacking attempts to guess user id and passwords.

      Mar  4 10:14:12 kopano kopano-gateway[28665]: HrLogon server "http://localhost:236/" user "thirteen": logon failed
      

      Normally I would be able to create a fail2ban rule to ban these requests but they are all coming in on localhost and it’s therefore impossible to get their IP address and ban them.

      Is there a solution for this?

      • JungleMarc
        JungleMarc @crankshaft last edited by

        What ports/services do you have exposed to the Internet?

        Is it possible someone is doing reverse port forwarding through SSH?

        You use a router, right? Could you gain logs details of which IP addresses are able to communicate with your server?

        How the hell could someone reach out to your localhost?! Process of elimination. Inspect all services you expose publicly, and which services are being used on your system. I never expose port 236.

        Change all your credentials, and keep a close eye on your logs.

        Also, once you sort out fail2ban, maybe a router on pfsense could help you do geolocation blocking, for certain ports, as a way to prevent future problems.

        • crankshaft
          crankshaft @JungleMarc last edited by

          @junglemarc - Thanks, the SSH port is not exposed, but why is the gateway even listening on localhost?

          • crankshaft
            crankshaft @crankshaft last edited by crankshaft

            @crankshaft - OK, I just closed off all ports and these connections are coming through port 25.

            I have closed all ports, and only opened 25 and as soon as I open the port, these login attempts resume.

            It seems that the connection is initiated through postfix.

            • thctlo
              thctlo @crankshaft last edited by

              @crankshaft said in Swamped by User / Password Guessing Scripts:

              It seems that the connection is initiated through postfix.

              Set up postscreen in postfix… that will stop 90%+ of these messages…
              I’ll give you an example of what I run.

              ### Before-220 tests (postscreen / DNSBL)
              postscreen_tls_security_level=encrypt
              postscreen_greet_banner =
                  $myhostname, checking blacklists, please wait.
              postscreen_greet_action = enforce
              postscreen_greet_wait = 5s
              postscreen_greet_ttl = 2d
              postscreen_access_list =
                  permit_mynetworks,
                  cidr:/etc/postfix/personal/postscreen_access_list.cidr,
              postscreen_whitelist_interfaces = $mynetworks, static:all
              postscreen_blacklist_action     = drop
              postscreen_dnsbl_reply_map      = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
              postscreen_dnsbl_action         = enforce
              postscreen_dnsbl_ttl            = 2h
              postscreen_dnsbl_threshold      = 7
              postscreen_dnsbl_sites =
                      zen.spamhaus.org*5
                      b.barracudacentral.org=127.0.0.2*2
                      dnsbl.cobion.com*2
                      bl.spameatingmonkey.net*2
                      fresh.spameatingmonkey.net*2
                      rhsbl.rbl.polspam.pl=127.0.0.1*2
                      rbl.rbldns.ru=127.0.0.1*1
                      bl.0spam.org*1
                      wl.0spam.org
                      dnsbl.kempt.net*1
                      dnsbl.inps.de*2
                      bl.spamcop.net*2
                      spam.dnsbl.sorbs.net=127.0.0.6*2
                      problems.sorbs.net=127.0.0.6*2
                      new.spam.sorbs.net=127.0.0.6*2
                      psbl.surriel.com*2
                      bl.mailspike.net*2
                      rep.mailspike.net=127.0.0.[13;14]*1
                      bl.suomispam.net*1
                      bl.blocklist.de*2
                      ix.dnsbl.manitu.net*2
                      dnsbl-1.uceprotect.net*1
                      dnsbl-2.uceprotect.net*1
                      dnsbl.justspam.org=127.0.0.2*2
                      multi.surbl.org*2
                      black.junkemailfilter.com=127.0.0.2*2
                      rbl.metunet.com=127.0.0.2*2
                      all.s5h.net=127.0.0.2*1
                      hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
                      rbl.abuse.ro=127.0.0.[2;4]*2
                      gl.suomispam.net=127.0.0.2*1
                      truncate.gbudb.net=127.0.0.2*1
                      dnsbl.zapbl.net=127.0.0.2*1
                      spamsources.fabel.dk=127.0.0.2*1
                      rbl.interserver.net=127.0.0.2*2
                      dnsbl.spfbl.net=127.0.0.[2;4]*2
                      dnsbl-3.uceprotect.net=127.0.0.2*2
                      rhsbl-h.rbl.polspam.pl=127.0.0.2*2
                      black.dnsbl.brukalai.lt=127.0.0.2*2
                      # No RDNS
                      dnsbl.spfbl.net=127.0.0.3*1
                      hostkarma.junkemailfilter.com=127.0.0.3*1
                      # whitelists
                      wl.0spam.org*-3
                      swl.spamhaus.org*-6
                      dnswl.spfbl.net=127.0.0.[2;3;4]*-3
                      list.dnswl.org=127.0.[0..254].[0..3]*-4
                      rep.mailspike.net=127.0.0.[17;18]*-1
                      rep.mailspike.net=127.0.0.[19;20]*-2
                      hostkarma.junkemailfilter.com=127.0.0.1*-4
                      nobl.junkemailfilter.com=127.0.0.5*-4
              #
              ### End of before-220 tests
              ### After-220 tests
              ### WARNING -- See "Tests after the 220 SMTP server greeting" in the
              ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
              ### following tests! This basically enables some kind of greylisting!
              #postscreen_bare_newline_action = enforce
              #postscreen_bare_newline_enable = yes
              #postscreen_non_smtp_command_enable = yes
              #postscreen_pipelining_enable = yes
              ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
              ### significant and annoying mail delays. 
              
               /etc/postfix/personal/postscreen_access_list.cidr
              #############################################
              # Postscreen allow lists in CIDR format.
              #############################################
              ## SMTP Test servers
              74.115.12.0/24          permit
              89.185.38.0/24          permit
              # https://www.htbridge.com/ssl/
              70.38.125.0/24          permit
              # ssl-tools.net
              185.55.116.145          permit
              # cryptcheck.imirhil.fr
              163.172.46.173          permit
              163.172.218.10          permit
              163.172.141.88          permit
              # email securitygrader.com
              192.69.1.114            permit
              207.115.110.69          permit
              # immuniweb.com tests
              192.175.111.224/27      permit
              64.15.129.96/27         permit
              70.38.27.240/28         permit
              72.55.136.144/28        permit
              72.55.136.192/28        permit
              79.141.85.24/29         permit
              #############################################
              
              /etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
              # We will be rejecting much mail which is listed in multiple DNSBLs.
              # We're not proud of some of the lists we are using, thus have given
              # them lower scores in postscreen_dnsbl_sites listing. So this checks
              # the DNSBL name postscreen(8) gets from dnsblog(8), and if it's not
              # one of our Tier 1 DNSBL sites, it changes what the sender will see:
              #
              ##
              ## Changed to fake name, so all get "multiple dns-base blocklists."
              !/^fakename\.spamhaus\.org$/         multiple DNS-based blocklists, please check http://multirbl.valli.org/
              
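To make the scoring in the postscreen_dnsbl_sites list above concrete, here is an added example (not from the post or from Postfix itself) that evaluates a subset of those entries the way postscreen does: each entry is domain[=reply-pattern][*weight], weights default to 1, whitelist entries carry negative weights, and the client is rejected once the sum reaches postscreen_dnsbl_threshold (7 in the post). The function names and the sample lookup answers are constructed for this example.

```python
import re
# Subset of the postscreen_dnsbl_sites list from the post above, entries verbatim
DNSBL_SITES = """
zen.spamhaus.org*5
bl.spamcop.net*2
spam.dnsbl.sorbs.net=127.0.0.6*2
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
list.dnswl.org=127.0.[0..254].[0..3]*-4
swl.spamhaus.org*-6
wl.0spam.org
"""
THRESHOLD = 7  # postscreen_dnsbl_threshold from the post
# domain[=reply-pattern][*weight]; weight defaults to 1 (postconf(5) syntax)
SITE_RE = re.compile(r"^([^=*\s]+)(?:=([\d.\[\];]+))?(?:\*(-?\d+))?$")

def parse_sites(text):
    """Return [(domain, reply_pattern or None, weight)] for each entry."""
    out = []
    for raw in text.split():
        m = SITE_RE.match(raw)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {raw!r}")
        out.append((m[1], m[2], int(m[3]) if m[3] else 1))
    return out

def octet_matches(pat, value):
    """pat is a plain number or [a;b;c..d] alternatives/ranges."""
    if not pat.startswith("["):
        return int(pat) == value
    for alt in pat.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(pattern, addr):
    """Does the DNSBL A record addr match the configured reply pattern?"""
    if pattern is None:
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", pattern)
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))

def dnsbl_score(answers, sites_text=DNSBL_SITES):
    """answers: {dnsbl domain: [A records returned for the client]} (constructed)."""
    return sum(weight for domain, pattern, weight in parse_sites(sites_text)
               if any(reply_matches(pattern, a) for a in answers.get(domain, [])))

def postscreen_verdict(answers, threshold=THRESHOLD):
    """postscreen rejects once the combined score reaches the threshold."""
    return "enforce" if dnsbl_score(answers) >= threshold else "pass"
```

A Spamhaus listing (5) plus a SpamCop listing (2) reaches the threshold, while a SORBS answer other than 127.0.0.6 scores nothing and a list.dnswl.org entry pulls the total back down.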
              • crankshaft
                crankshaft last edited by

                OK, I found it starts when I enable this:

                # https://wiki.zarafa.com/index.php/SMTP-Auth_for_IMAP_users
                smtpd_sasl_auth_enable            = yes
                smtpd_sasl_path                   = smtpd
                
                • thctlo
                  thctlo @crankshaft last edited by

                  @crankshaft said in Swamped by User / Password Guessing Scripts:

                  https://wiki.zarafa.com/index.php/SMTP-Auth_for_IMAP_users

                  That’s easier; enabling postfix-sasl in fail2ban should stop it also.

                  • crankshaft
                    crankshaft @thctlo last edited by crankshaft

                    I still don’t understand why the gateway is listening on localhost:236!

                    Do you know if this is the normal setup, and if not, how can I change it?

                    I commented out this:

                    # smtpd_sasl_auth_enable            = yes
                    # smtpd_sasl_path                   = smtpd
                    

                    And restarted postfix but I am still getting:

                    Mar  5 17:05:40 kopano kopano-gateway[795]: HrLogon server "http://localhost:236/" user "350@com.sg": logon failed
                    Mar  5 17:05:40 kopano kopano-gateway[795]: Failed to login from [[::ffff:127.0.0.1]:36652] with invalid username "350@com.sg" or wrong password: logon failed (80040111)
                    Mar  5 17:05:41 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL LOGIN authentication failed: authentication failure
                    Mar  5 17:05:41 kopano kopano-gateway[795]: HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
                    Mar  5 17:05:42 kopano postfix/submission/smtpd[14574]: disconnect from unknown[5.34.207.28] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
                    
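The log excerpt above shows why banning on the kopano-gateway lines cannot work: they only ever report 127.0.0.1, while the postfix submission/smtpd line one second later carries the real client address. The following added example (not from the thread or from fail2ban) applies fail2ban's maxretry/findtime idea to those lines: it ignores the gateway noise, extracts the remote IP from the SASL failure lines and reports clients that fail repeatedly inside a sliding window. The sample log is constructed around the two lines quoted above; the helper names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Only postfix/smtpd lines carry the remote address; the kopano-gateway lines
# show 127.0.0.1 because the gateway talks to kopano-server locally.
SASL_FAIL = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/\S*smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed"
)

def parse_ts(mon, day, time, year=2019):
    """syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {mon} {int(day):02d} {time}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=3, findtime=600):
    """Return {ip: count} for clients with >= maxretry SASL failures inside a
    sliding findtime-second window, i.e. fail2ban's maxretry/findtime logic."""
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue  # gateway noise and unrelated lines are ignored
        ts = parse_ts(m["mon"], m["day"], m["time"])
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            hits[m["ip"]] = max(hits.get(m["ip"], 0), len(q))
    return hits

# Constructed sample: the page's lines for 5.34.207.28 plus extra attempts;
# 203.0.113.7 (documentation range) fails twice, but 20 minutes apart.
SAMPLE_LOG = """\
Mar  5 17:05:40 kopano kopano-gateway[795]: Failed to login from [[::ffff:127.0.0.1]:36652] with invalid username "350@com.sg" or wrong password: logon failed (80040111)
Mar  5 17:05:41 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL LOGIN authentication failed: authentication failure
Mar  5 17:05:41 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL LOGIN authentication failed: authentication failure
Mar  5 17:05:43 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL PLAIN authentication failed: authentication failure
Mar  5 17:00:00 kopano postfix/smtpd[14601]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  5 17:20:00 kopano postfix/smtpd[14601]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
""".splitlines()

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'5.34.207.28': 3}
```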
                    • JungleMarc
                      JungleMarc @crankshaft last edited by JungleMarc

                      I think you want to keep SASL auth enabled; you don’t want to give anyone the ability to use the SMTP service, only the client machines with a proper login/pass.

                      You also have the ability to block ip addresses out of the firewall of the distro you are on.

                      Here’s a tutorial for fail2ban on postfix

                      https://importgeek.wordpress.com/2017/01/15/fail2ban-prevent-postfix-brute-force/

                      Also it is normal for kopano-gateway to listen to ports on the localhost, it is good you are working your way up on identifying the ip addresses attempting to connect.

                      But it is good that you are making progress - you can identify the IP addresses trying to connect. For sure fail2ban is a good way to fix this.

                      • crankshaft
                        crankshaft last edited by

                        OK, I found that fail2ban was crashing and blocking & unblocking every 10 minutes and ignoring the bantimes that I had set.

                        I was unable to find the cause of the crash:

                        ERROR  NOK: ("invalid literal for int() with base 10: 'None'",)
                        

                        Googling it suggested that it was caused by additional spaces between the variable = value, but even after going through the jail.local I could not find the problem.

                        So I uninstalled the default repo version and installed the latest from the github repo and things are sooo much better now.

                        • mapo
                          mapo @crankshaft last edited by mapo

                          @crankshaft said:

                          I still don’t understand why the gateway is listening on localhost:236 !

                          This isn’t the gateway port, it’s the kopano-server listening port 236 which authenticates SMTP user credentials. The gateway connects to kopano-server service listening on a localhost port 236 (HrLogon server). That’s why log says it’s from a localhost.

                          Do you really need POP3/IMAP access to your server? I usually disable SMTP authentication on internet-facing servers and users connect only through HTTPS (TLS) via WebApp and ActiveSync. Authentication with client certificates is mandatory for both - installed on mobile devices and desktops. Pretty safe configuration…

                          regards,
                          MaPo

                          • crankshaft
                            crankshaft @mapo last edited by

                            @mapo - Thanks - IMAP is the default for us; we all use Thunderbird IMAP. The WebApp was enabled (I just disabled it), but Thunderbird is preferred due to the ability to have multiple email accounts, identities, etc.
