Navigation

    Kopano
    • Register
    • Login
    • Search
    • Categories
    • Get Official Kopano Support
    • Recent
    Statement regarding the closure of the Kopano community forum and the end of the community edition

    Swamped by User / Password Guessing Scripts

    Kopano Groupware Core
    4
    12
    590
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JungleMarc
      JungleMarc @crankshaft last edited by

      What ports/services do you have exposed to the Internet?

      Is it possible someone is doing reverse port forwarding through SSH?

      You use a router, right? Could you gain logs details of which IP addresses are able to communicate with your server?

      How the hell could someone reach out to your localhost?! Process of elimination. Inspect all services you expose publicly, and which services is being used on your system. I never expose port 236.

      Change all your credentials, keep a close eye to your logs.

      Also, once you sort out fail2ban, maybe a router on pfsense could help you do geolocation blocking, for certain ports, as a way to prevent future problems.

      crankshaft 1 Reply Last reply Reply Quote 0
      • crankshaft
        crankshaft @JungleMarc last edited by

        @junglemarc - Thanks, SSH port is not exposed, but why is the gateway even listening on localhost ?

        crankshaft 1 Reply Last reply Reply Quote 0
        • crankshaft
          crankshaft @crankshaft last edited by crankshaft

          @crankshaft - OK, I just closed off all ports and these connections are coming through port 25.

          I have closed all ports, and only opened 25 and as soon as I open the port, these login attempts resume.

          It seems that the connection is initiated through postfix.

          thctlo 1 Reply Last reply Reply Quote 0
          • thctlo
            thctlo @crankshaft last edited by

            @crankshaft said in Swamped by User / Password Guessing Scripts:

            t seems that the connection is initiated through postfix.

            Setup postscreen in postfix… that will stop 90%+ of these messages…
            I’ll give you and example of what i run.

            ### Before-220 tests (postscreen / DNSBL)
postscreen_tls_security_level=encrypt
postscreen_greet_banner =
    $myhostname, checking blacklists, please wait.
postscreen_greet_action = enforce
postscreen_greet_wait = 5s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action     = drop
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action         = enforce
postscreen_dnsbl_ttl            = 2h
postscreen_dnsbl_threshold      = 7
postscreen_dnsbl_sites =
        zen.spamhaus.org*5
        b.barracudacentral.org=127.0.0.2*2
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        rhsbl.rbl.polspam.pl=127.0.0.1*2
        rbl.rbldns.ru=127.0.0.1*1
        bl.0spam.org*1
        wl.0spam.org
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        spam.dnsbl.sorbs.net=127.0.0.6*2
        problems.sorbs.net=127.0.0.6*2
        new.spam.sorbs.net=127.0.0.6*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*1
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-1.uceprotect.net*1
        dnsbl-2.uceprotect.net*1
        dnsbl.justspam.org=127.0.0.2*2
        multi.surbl.org*2
        black.junkemailfilter.com=127.0.0.2*2
        rbl.metunet.com=127.0.0.2*2
        all.s5h.net=127.0.0.2*1
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        rbl.abuse.ro=127.0.0.[2;4]*2
        gl.suomispam.net=127.0.0.2*1
        truncate.gbudb.net=127.0.0.2*1
        dnsbl.zapbl.net=127.0.0.2*1
        spamsources.fabel.dk=127.0.0.2*1
        rbl.interserver.net=127.0.0.2*2
        dnsbl.spfbl.net=127.0.0.[2;4]*2
        dnsbl-3.uceprotect.net=127.0.0.2*2
        rhsbl-h.rbl.polspam.pl=127.0.0.2*2
        black.dnsbl.brukalai.lt=127.0.0.2*2
        # No RDNS
        dnsbl.spfbl.net=127.0.0.3*1
        hostkarma.junkemailfilter.com=127.0.0.3*1
        # whitelists
        wl.0spam.org*-3
        swl.spamhaus.org*-6
        dnswl.spfbl.net=127.0.0.[2;3;4]*-3
        list.dnswl.org=127.0.[0..254].[0..3]*-4
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-4
        nobl.junkemailfilter.com=127.0.0.5*-4
#
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests! This basically enables some kind of greylisting!
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays. 

             /etc/postfix/personal/postscreen_access_list.cidr
#############################################
# Postscreen allow lists in CIDR format.
#############################################
## SMTP Test servers
74.115.12.0/24          permit
89.185.38.0/24          permit
# https://www.htbridge.com/ssl/
70.38.125.0/24          permit
# ssl-tools.net
185.55.116.145          permit
# cryptcheck.imirhil.fr
163.172.46.173          permit
163.172.218.10          permit
163.172.141.88          permit
# email securitygrader.com
192.69.1.114            permit
207.115.110.69          permit
# immuniweb.com tests
192.175.111.224/27      permit
64.15.129.96/27         permit
70.38.27.240/28         permit
72.55.136.144/28        permit
72.55.136.192/28        permit
79.141.85.24/29         permit
#############################################

            /etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
# We will be rejecting much mail which is listed in multiple DNSBLs.
# We're not proud of some of the lists we are using, thus have given
# them lower scores in postscreen_dnsbl_sites listing. So this checks
# the DNSBL name postscreen(8) gets from dnsblog(8), and if it's not
# one of our Tier 1 DNSBL sites, it changes what the sender will see:
#
##
## Changed to fake name, so all get "multiple dns-base blocklists."
!/^fakename\.spamhaus\.org$/         multiple DNS-based blocklists, please check http://multirbl.valli.org/
            1 Reply Last reply Reply Quote 0
            • crankshaft
              crankshaft last edited by

              OK, I found it starts when I enable this:

              # https://wiki.zarafa.com/index.php/SMTP-Auth_for_IMAP_users
smtpd_sasl_auth_enable            = yes
smtpd_sasl_path                   = smtpd
              thctlo 1 Reply Last reply Reply Quote 0
              • thctlo
                thctlo @crankshaft last edited by

                @crankshaft said in Swamped by User / Password Guessing Scripts:

                https://wiki.zarafa.com/index.php/SMTP-Auth_for_IMAP_users

                Thats more easy, enable in fail2ban postfix-sasl should stop it also.

                crankshaft 1 Reply Last reply Reply Quote 1
                • crankshaft
                  crankshaft @thctlo last edited by crankshaft

                  I still don’t understand why the gateway is listening on localhost:236 !

                  Do you know if this is this the normal setup and if not how can I change it ?

                  I commented out this:

                  # smtpd_sasl_auth_enable            = yes
# smtpd_sasl_path                   = smtpd

                  And restarted postix but I am still getting:

                  Mar  5 17:05:40 kopano kopano-gateway[795]: HrLogon server "http://localhost:236/" user "350@com.sg": logon failed
Mar  5 17:05:40 kopano kopano-gateway[795]: Failed to login from [[::ffff:127.0.0.1]:36652] with invalid username "350@com.sg" or wrong password: logon failed (80040111)
Mar  5 17:05:41 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL LOGIN authentication failed: authentication failure
Mar  5 17:05:41 kopano kopano-gateway[795]: HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
Mar  5 17:05:42 kopano postfix/submission/smtpd[14574]: disconnect from unknown[5.34.207.28] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
                  JungleMarc mapo 2 Replies Last reply Reply Quote 0
                  • JungleMarc
                    JungleMarc @crankshaft last edited by JungleMarc

                    I think you want to keep sasl auth enabled, you don’t want to let anyone the ability to use the smtp service, only the client machines with proper login/pass

                    You also have the ability to block ip addresses out of the firewall of the distro you are on.

                    Here’s a tutorial for fail2ban on postfix

                    https://importgeek.wordpress.com/2017/01/15/fail2ban-prevent-postfix-brute-force/

                    Also it is normal for kopano-gateway to listen to ports on the localhost, it is good you are working your way up on identifying the ip addresses attempting to connect.

                    But this is good you are making progress - you can identify the IP addresses trying to connect. For sure fail2ban is a good way to fix this.

                    1 Reply Last reply Reply Quote 0
                    • crankshaft
                      crankshaft last edited by

                      OK, I found that fail2ban was crashing and blocking & unblocking every 10 minutes and ignoring the bantimes that I had set.

                      I was unable to find the cause of the crash:

                      ERROR  NOK: ("invalid literal for int() with base 10: 'None'",)

                      Googling it suggested that it was caused by additional spaces between the variable = value but even after going thru the jail.local I could not find the problem.

                      So I uninstalled the default repo version and installed the latest from the github repo and things are sooo much better now.

                      1 Reply Last reply Reply Quote 0
                      • mapo
                        mapo @crankshaft last edited by mapo

                        @crankshaft said:

                        I still don’t understand why the gateway is listening on localhost:236 !

                        This isn’t the gateway port, it’s the kopano-server listening port 236 which authenticates SMTP user credentials. The gateway connects to kopano-server service listening on a localhost port 236 (HrLogon server). That’s why log says it’s from a localhost.

                        Do you really need POP3/IMAP access to your server? I usually disable SMTP authentication on internet facing servers and users connect only through HTTPS (TLS) via Webapp and ActiveSync. Authentication with client certificates are mandatory for both - installed on mobile devices and desktops. Pretty safe configuration…

                        regards,
                        MaPo

                        crankshaft 1 Reply Last reply Reply Quote 0
                        • crankshaft
                          crankshaft @mapo last edited by

                          @mapo - Thanks - IMAP is the default for us, we all use Thunderbird IMAP, the webapp was enabled (I just disabled it) but Thunderbird is preferred due to the ability to have multiple email accounts, identities etc etc

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post