Re: [Dovecot] POP3 dictionary attacks

2008-08-18 Thread mouss

Bruce Bodger wrote:
> On Aug 15, 2008, at 5:39 PM, Charles Marcus wrote:
>> You're kidding, right?
>>
>> Dictionary attacks are a fact of life these days.
>>
>> Just install some kind of blocking on your firewall (fail2ban is a good
>> one), and let it take care of the worst of it...

just make sure to get the expressions right.

> fail2ban will not work for this as the incoming ip addresses are
> spoofed.  fail2ban would end up blocking legitimate servers.


It doesn't matter. if a tcp attack involves a (remote) IP, you can block 
that IP (for some period of time). there's nothing else you can do 
unless you're ready to let it test all possible login:password pairs 
until it succeeds.


in particular, if this is an asymmetric routing attack, then the attacker
has some control of the remote IP or of its network. in which case, the
IP is dirty.


as for tcp hijacking, this is not so simple, and if it becomes easy, 
then we have a more serious problem than pop or smtp security...


[Dovecot] POP3 dictionary attacks

2008-08-15 Thread Kenneth Porter
I'm seeing strings of failed POP3 login attempts with obvious bogus 
usernames coming from different IP addresses. Today's originated from 
216.31.146.19 (which resolves to neovisionlabs.com). This looks like a 
botnet attack. I got a similar probe a couple days ago. Is anyone else 
seeing these?


The attack involves trying about 20 different names, about 3-4 seconds 
apart. Here's a few sample log lines:


dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module


Timo, can you add the port used in the attempt to the error log entry? (It 
does show up in the info log entry, but that means I need to correlate 
lines in the two log files.)
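
The kind of log-driven blocking Charles suggests, and the "get the expressions right" caveat mouss adds, written out as an added example in Python. This is not fail2ban's code and not anything from the Dovecot project: it is a small re-implementation of the same sliding-window decision (maxretry failures within findtime seconds from one address) run over log lines in the format quoted above. The sample log is constructed for the example: the first four lines reuse the address and usernames from the thread, the remaining lines, the second source address (a TEST-NET address) and all timestamps are made up, and the year 2008, the threshold of 3 and the 600-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input for this example. The failure lines follow the
# Dovecot auth-worker/PAM format quoted in the thread; the timestamps, the
# 192.0.2.10 source and the final Info line are made up.
SAMPLE_LOG = """\
dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:16:10 Error: auth-worker(default): pam(bob,192.0.2.10): pam_authenticate() failed: Authentication failure
dovecot: Aug 15 09:30:02 Error: auth-worker(default): pam(bob,192.0.2.10): pam_authenticate() failed: Authentication failure
dovecot: Aug 15 09:30:05 Info: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
"""

# Anchored on the exact failure message so the address is read from the
# pam(<user>,<ip>) field only. A looser pattern that grabs any dotted quad
# from any line is how a filter ends up banning a host that never failed.
FAILED_RE = re.compile(
    r"^dovecot: (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Error: auth-worker\([^)]*\): "
    r"pam\((?P<user>[^,()]+),(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): "
    r"pam_authenticate\(\) failed: "
)


def parse_failures(log_text, year=2008):
    """Yield (timestamp, user, ip) for each failed-login line.
    Syslog timestamps carry no year, so one is supplied (assumed 2008)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_bans(log_text, maxretry=3, findtime=600, year=2008):
    """fail2ban-style decision: an address is banned at the moment of its
    maxretry-th failure inside a sliding findtime-second window.
    Returns {ip: time_of_ban}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for ts, _user, ip in parse_failures(log_text, year):
        if ip in bans:
            continue              # already decided, nothing more to count
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def users_tried(log_text, year=2008):
    """Distinct usernames per source address. Many names from one address
    is the dictionary-attack shape described above, as opposed to a single
    user mistyping a password repeatedly."""
    names = defaultdict(set)
    for _ts, user, ip in parse_failures(log_text, year):
        names[ip].add(user)
    return {ip: sorted(users) for ip, users in names.items()}


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print(users_tried(SAMPLE_LOG))
```

On the sample input the neovisionlabs address is banned on its third failure (04:15:53), while 192.0.2.10, with two failures five hours apart, never accumulates enough inside one window and the Info line is ignored entirely. What fail2ban does with the decision (inserting an iptables DROP rule for the address) is outside this example; the part that decides whom to block, and therefore the part that blocks the wrong host when the expression is loose, is what is shown.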


Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Charles Marcus
On 8/15/2008, Kenneth Porter ([EMAIL PROTECTED]) wrote:
> I'm seeing strings of failed POP3 login attempts with obvious bogus
> usernames coming from different IP addresses. Today's originated from
> 216.31.146.19 (which resolves to neovisionlabs.com). This looks like
> a botnet attack. I got a similar probe a couple days ago. Is anyone
> else seeing these?

You're kidding, right?

Dictionary attacks are a fact of life these days.

Just install some kind of blocking on your firewall (fail2ban is a good
one), and let it take care of the worst of it...

-- 

Best regards,

Charles


Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Eduardo M KALINOWSKI
Charles Marcus wrote:
> Dictionary attacks are a fact of life these days.
>
> Just install some kind of blocking on your firewall (fail2ban is a good
> one), and let it take care of the worst of it..

I wonder what they want by cracking a POP3 server. Read the user's
mails? It's true POP3 passwords are almost always equal to SMTP ones
(which is useful for spamming), but then why not try to crack the SMTP
server directly?

-- 
The bomb will never go off.  I speak as an expert in explosives.
-- Admiral William Leahy, U.S. Atomic Bomb Project

Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb



Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Bruce Bodger


On Aug 15, 2008, at 5:39 PM, Charles Marcus wrote:
> You're kidding, right?
>
> Dictionary attacks are a fact of life these days.
>
> Just install some kind of blocking on your firewall (fail2ban is a good
> one), and let it take care of the worst of it...

fail2ban will not work for this as the incoming ip addresses are
spoofed.  fail2ban would end up blocking legitimate servers.


B. Bodger





Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Kenneth Porter
On Friday, August 15, 2008 5:39 PM -0400 Charles Marcus
[EMAIL PROTECTED] wrote:
> Just install some kind of blocking on your firewall (fail2ban is a good
> one), and let it take care of the worst of it...


Thanks, researching it now

Looks like an RPM might be available for CentOS 5. There's a HOWTO here for 
configuring it with iptables:


http://www.the-art-of-web.com/system/fail2ban/




Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Michael Orlitzky

Eduardo M KALINOWSKI wrote:
> Charles Marcus wrote:
>> Dictionary attacks are a fact of life these days.
>>
>> Just install some kind of blocking on your firewall (fail2ban is a good
>> one), and let it take care of the worst of it..
>
> I wonder what they want by cracking a POP3 server. Read the user's
> mails? It's true POP3 passwords are almost always equal to SMTP ones
> (which is useful for spamming), but then why not try to crack the SMTP
> server directly?



There may not be anything interesting in the user's inbox initially, but 
there might be after the attacker starts sending password reminders from 
eBay, Paypal, etc.




Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Kenneth Porter
--On Friday, August 15, 2008 5:51 PM -0400 Bruce Bodger
[EMAIL PROTECTED] wrote:
> fail2ban will not work for this as the incoming ip addresses are
> spoofed.  fail2ban would end up blocking legitimate servers.


How do you spoof a source address on a TCP connection? I was unaware that 
was possible. How would replies know how to get back to the spoofing host? 
At best, you can spoof another host on your own routed segment. Unless you 
have control of the routing tables on the connecting routers, of course.





Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Dean Brooks
On Fri, Aug 15, 2008 at 06:43:30PM -0300, Eduardo M KALINOWSKI wrote:
> Charles Marcus wrote:
>> Dictionary attacks are a fact of life these days.
>>
>> Just install some kind of blocking on your firewall (fail2ban is a good
>> one), and let it take care of the worst of it..
>
> I wonder what they want by cracking a POP3 server. Read the user's
> mails? It's true POP3 passwords are almost always equal to SMTP ones
> (which is useful for spamming), but then why not try to crack the SMTP
> server directly?

One reason is so that they can get SMTP AUTH information and then sell
the username/password pairs to spammers.

Open relays are much more rare nowadays, so having a legitimate
pre-existing account that can be used for outbound spam is worth much
more than opening a new hotmail or gmail account.  Especially through
smaller ISPs that may not have adequate outbound mail rate-limits in
place.

A single hijacked mail account through a small ISP without rate-limits
can be used to send an incredible amount of spam before it's caught.

--
Dean Brooks
[EMAIL PROTECTED]


Re: [Dovecot] POP3 dictionary attacks

2008-08-15 Thread Mark Sapiro
Kenneth Porter wrote:
> --On Friday, August 15, 2008 5:51 PM -0400 Bruce Bodger
> bruce.bodger at demval.com wrote:
>
>> fail2ban will not work for this as the incoming ip addresses are
>> spoofed.  fail2ban would end up blocking legitimate servers.
>
> How do you spoof a source address on a TCP connection? I was unaware that
> was possible. How would replies know how to get back to the spoofing host?
> At best, you can spoof another host on your own routed segment. Unless you
> have control of the routing tables on the connecting routers, of course.

Exactly. These days, IP spoofing is most useful to hide the identity of
the perpetrator of a DoS attack. It certainly is not applicable to a
dictionary attack on POP3 or other logins since with a spoofed IP, the
perpetrator will never see the response to determine if the login
attempt was successful.

-- 
Mark Sapiro [EMAIL PROTECTED]
San Francisco Bay Area, California

The highway is for gamblers,
better use your sense - B. Dylan
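
An added illustration, not part of the thread, of the point Kenneth and Mark make above: a toy model of the TCP three-way handshake in which the network delivers every segment to the address it is addressed to and nothing else. A client that puts someone else's address in the source field never receives the server's SYN-ACK, so it never learns the server's initial sequence number, cannot complete the handshake, and would never see whether a login succeeded; the real owner of that address answers the unsolicited SYN-ACK with a RST, as real stacks do, which tears the half-open connection down. The model treats the 32-bit ISN as unguessable; attacks that predict it are the separate "tcp hijacking" case mouss mentions and are not modelled. All addresses are made up (TEST-NET ranges), and the classes and function names are this example's own.

```python
import secrets
from dataclasses import dataclass

MOD = 2**32   # sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: str
    dst: str
    flags: str        # "SYN", "SYN-ACK", "ACK", "RST" or "DATA"
    seq: int
    ack: int = 0
    payload: str = ""


class Network:
    """Delivers a segment to whichever host owns its destination address.
    It has no idea who actually emitted the segment: replies go to the
    claimed source, which is the whole argument."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host

    def send(self, seg):
        if seg.dst in self.hosts:
            self.hosts[seg.dst].receive(seg)


class Host:
    """An ordinary host. Remembers the SYNs it really sent so it can tell
    a solicited SYN-ACK from an unsolicited one; the latter gets a RST."""
    def __init__(self, ip, net):
        self.ip, self.net, self.inbox = ip, net, []
        self.expected_acks = set()
        net.attach(self)

    def send(self, seg):
        if seg.flags == "SYN" and seg.src == self.ip:
            self.expected_acks.add((seg.seq + 1) % MOD)
        self.net.send(seg)

    def receive(self, seg):
        self.inbox.append(seg)
        if seg.flags == "SYN-ACK" and seg.ack not in self.expected_acks:
            self.net.send(Segment(self.ip, seg.src, "RST", seg.ack))


class Pop3Server(Host):
    """Server side of the handshake: random 32-bit ISN per SYN, and a
    connection counts as established only when an ACK carries ISN+1."""
    def __init__(self, ip, net):
        super().__init__(ip, net)
        self.half_open = {}       # peer address -> our ISN
        self.established = set()

    def receive(self, seg):
        self.inbox.append(seg)
        if seg.flags == "SYN":
            isn = secrets.randbelow(MOD)
            self.half_open[seg.src] = isn
            self.net.send(Segment(self.ip, seg.src, "SYN-ACK", isn, (seg.seq + 1) % MOD))
        elif seg.flags == "RST":
            self.half_open.pop(seg.src, None)       # peer says it never asked
        elif seg.flags == "ACK" and seg.src in self.half_open:
            if seg.ack == (self.half_open.pop(seg.src) + 1) % MOD:
                self.established.add(seg.src)
                self.net.send(Segment(self.ip, seg.src, "DATA", 0, 0, "+OK POP3 ready"))


def attempt_login(attacker, server, claimed_src):
    """Open a connection to `server` claiming `claimed_src` as source.
    The attacker can only read segments delivered to its own real address.
    Returns (established_from_the_server's_view, attacker_saw_banner)."""
    isn = secrets.randbelow(MOD)
    attacker.send(Segment(claimed_src, server.ip, "SYN", isn))
    synack = next((s for s in attacker.inbox
                   if s.flags == "SYN-ACK" and s.ack == (isn + 1) % MOD), None)
    if synack is None:
        return False, False           # never learned the server's ISN
    attacker.send(Segment(claimed_src, server.ip, "ACK",
                          (isn + 1) % MOD, (synack.seq + 1) % MOD))
    saw_banner = any(s.flags == "DATA" for s in attacker.inbox)
    return claimed_src in server.established, saw_banner


if __name__ == "__main__":
    net = Network()
    server = Pop3Server("198.51.100.5", net)    # made-up addresses
    victim = Host("192.0.2.10", net)
    attacker = Host("203.0.113.7", net)
    print("spoofed source:", attempt_login(attacker, server, victim.ip))
    print("real source:   ", attempt_login(attacker, server, attacker.ip))
```

With the victim's address as source the result is (False, False) and the server is left with no half-open entry for it, because the victim's stack sent a RST; with the attacker's own address it is (True, True). That asymmetry is why a password-guessing client has to use an address it can actually receive at, and why that address is the one worth blocking.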