Re: Is my server mail account being attacted?

2016-11-19 Thread li...@lazygranch.com
On Thu, 20 Oct 2016 17:13:26 -0400
"Bill Cole"  wrote:

> On 20 Oct 2016, at 16:39, Keith Williams wrote:
> 
> > No wait... What?
> >
> > This is no attack. Attack is when you try to break or enforce..
> > This is a probe, and from the probe we can deduce from the reported 
> > disconnect that 1. helo was tried, 2. no auth was attempted and 3, 
> > quit was used.
> >
> > So a test for helo and quit? and no auth.  
> 
> No. The "auth=0/1" in the disconnect line means that Postfix received
> 1 authentication attempt but it failed. This was a "probe" to see if
> a particular user exists and has a particular password.
> 
> > Someone is testing your IP and mail capability.. perhaps>>  
> 
> Not stipulating that unauthorized "probes" are not also block-worthy, 
> but this is a bit more.
> 
> > On 20/10/2016 22:20, Bill Cole wrote:  
> >> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
> >>  
> >>> It's clear from the log, the attacker isn't even attempting to 
> >>> authenticate (0 attempts). The attacker has probably not even 
> >>> realized he is connecting to a mail server.  
> >>
> >>
> >> No. There's a jumble there, but at least one is a lame "attack" of
> >> a sort. The only *Postfix* messages were:
> >>  
> >>> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from 
> >>> unknown[216.15.186.126]
> >>> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from 
> >>> unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3  
> >>
> >> *THAT* client tried to authenticate and failed. It's a CBL-listed
> >> IP on a chronically abuse-friendly network.
> >>
> >> The rest were all messages from Dovecot components, about failed
> >> SSL connections from a mix of IPs. Impossible to know what the
> >> reasons for those were without tracking down the person running
> >> the computer. 
> >  

Follow up. Different IP, same deal, but I added some error-slowing
settings.

# lines added after hacker attack
# after this many errors in one session, every further response is delayed
# by smtpd_error_sleep_time; at the hard limit the client is disconnected
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = 6
# per-client limits enforced by anvil; the *_rate_limit values are counted
# per anvil_rate_time_unit (default 60s) and clients in
# smtpd_client_event_limit_exceptions (default $mynetworks) are exempt
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 20
smtpd_client_new_tls_session_rate_limit = 20
smtpd_client_recipient_rate_limit = 10
# maximum recipients accepted per message (not an anvil rate limit)
smtpd_recipient_limit = 10


maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22648]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22655]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22653]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max connection rate 9/60s for (submission:172.56.38.118) at Nov 19 12:40:23
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max connection count 6 for (submission:172.56.38.118) at Nov 19 12:40:20
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max newtls rate 5/60s for (submission:172.56.38.118) at Nov 19 12:40:20
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max auth rate 5/60s for (submission:172.56.38.118) at Nov 19 12:40:43




Re: Is my server mail account being attacted?

2016-10-21 Thread vod vos
Yes, I did not advertise AUTH in my port 25 smtpd either. When I telnet to my mail
server, it produces something like:

telnet 108.61.110.110 25
Trying 108.61.110.110...
Connected to example.com.
Escape character is '^]'.
220 example ESMTP Postfix
ehlo
501 Syntax: EHLO hostname
ehlo mail
250-mail.example
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH PLAIN
503 5.5.1 Error: authentication not enabled

I am going to add some iptables rules to ban some IPs now.


On Thursday, 20 October 2016 14:13:26 -0700, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:

> On 20 Oct 2016, at 16:39, Keith Williams wrote:
>
> > No wait... What?
> >
> > This is no attack. Attack is when you try to break or enforce.. This
> > is a probe, and from the probe we can deduce from the reported
> > disconnect that 1. helo was tried, 2. no auth was attempted and 3,
> > quit was used.
> >
> > So a test for helo and quit? and no auth.
>
> No. The "auth=0/1" in the disconnect line means that Postfix received 1
> authentication attempt but it failed. This was a "probe" to see if a
> particular user exists and has a particular password.
>
> > Someone is testing your IP and mail capability.. perhaps
>
> Not stipulating that unauthorized "probes" are not also block-worthy,
> but this is a bit more.
>
> > On 20/10/2016 22:20, Bill Cole wrote:
> > > On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
> > >
> > > > It's clear from the log, the attacker isn't even attempting to
> > > > authenticate (0 attempts). The attacker has probably not even
> > > > realized he is connecting to a mail server.
> > >
> > > No. There's a jumble there, but at least one is a lame "attack" of a
> > > sort. The only *Postfix* messages were:
> > >
> > > > Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from
> > > > unknown[216.15.186.126]
> > > > Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from
> > > > unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
> > >
> > > *THAT* client tried to authenticate and failed. It's a CBL-listed IP
> > > on a chronically abuse-friendly network.
> > >
> > > The rest were all messages from Dovecot components, about failed SSL
> > > connections from a mix of IPs. Impossible to know what the reasons
> > > for those were without tracking down the person running the computer.








Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole

On 20 Oct 2016, at 16:39, Keith Williams wrote:

> No wait... What?
>
> This is no attack. Attack is when you try to break or enforce.. This
> is a probe, and from the probe we can deduce from the reported
> disconnect that 1. helo was tried, 2. no auth was attempted and 3,
> quit was used.
>
> So a test for helo and quit? and no auth.

No. The "auth=0/1" in the disconnect line means that Postfix received 1
authentication attempt but it failed. This was a "probe" to see if a
particular user exists and has a particular password.

> Someone is testing your IP and mail capability.. perhaps>>

Not stipulating that unauthorized "probes" are not also block-worthy,
but this is a bit more.

> On 20/10/2016 22:20, Bill Cole wrote:
> > On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
> >
> > > It's clear from the log, the attacker isn't even attempting to
> > > authenticate (0 attempts). The attacker has probably not even
> > > realized he is connecting to a mail server.
> >
> > No. There's a jumble there, but at least one is a lame "attack" of a
> > sort. The only *Postfix* messages were:
> >
> > > Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from
> > > unknown[216.15.186.126]
> > > Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from
> > > unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
> >
> > *THAT* client tried to authenticate and failed. It's a CBL-listed IP
> > on a chronically abuse-friendly network.
> >
> > The rest were all messages from Dovecot components, about failed SSL
> > connections from a mix of IPs. Impossible to know what the reasons
> > for those were without tracking down the person running the computer.






Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole

On 18 Oct 2016, at 21:00, vod vos wrote:

> So, how to block this kind of IPs?
>
> Does fail2ban work?

Yes, but as Sebastian said, it is possible for fail2ban to block 
innocent users, particularly those SSL errors, which essentially amount 
to connections that were never fully initiated. That's why fail2ban is 
usually set to require multiple matches on a log pattern in a short time 
to ban an IP and only bans an IP temporarily. How much risk that 
represents for any particular system is impossible to know without 
knowing how the system is used and configured. For example, I do not 
advertise AUTH in my port 25 smtpd because everything that might need to 
relay through that system will use the port 587 smtpd, configured to 
handle initial message submission. As a result, I can be absolutely 
certain that anything trying to do AUTH on the port 25 service is a bad 
actor of some sort, using very stupid software. I use something very 
much like fail2ban in principle (but much smaller) to immediately block 
any IP in a line from the port 25 smtpd that includes 'auth=0/' 
(indicating an auth failure). I do a similar thing with Dovecot, but ONLY 
for clear authentication failures, not for the sort of SSL initiation 
failures you are seeing. I can do this because I know my user base on 
that system, which is small and stable, and it has never banned anyone 
it should not have. On systems that I manage where the user bases are 
larger and more prone to using bad software, configuring their software 
poorly, or stubbornly mis-remembering a password, I have to take a more 
lenient, fail2ban-like approach: multiple failures within a few minutes 
triggers a block lasting less than an hour.
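One way to implement the two policies Bill describes (block at once on any failed AUTH against a port 25 smtpd that does not advertise it; block only after repeated failures inside a short window on the submission service), as an added Python example that is not code from the thread or from Postfix. It reads the `auth=success/total` counter from Postfix disconnect lines and ignores everything else, so Dovecot TLS-handshake noise never feeds the counters; the sample log lines are constructed in the thread's format with RFC 5737 addresses, and the log year, the 5-minute window and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd "disconnect" summary: counters read "name=success/total" when some
# failed, plain "name=count" when all succeeded; auth=0/1 is one failed AUTH.
DISCONNECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<svc>submission/)?smtpd\[\d+\]: "
    r"disconnect from \S+\[(?P<ip>[^\]]+)\](?P<rest>.*)$")
AUTH = re.compile(r"\bauth=(?P<ok>\d+)(?:/(?P<tried>\d+))?")
LOG_YEAR = 2016  # syslog timestamps carry no year; assumed for the constructed sample

def auth_failures(line):
    """Return (service, client_ip, timestamp, failed_auth_count); None for non-smtpd lines."""
    m = DISCONNECT.match(line)
    if not m:
        return None  # Dovecot SSL-handshake noise etc. is deliberately ignored
    a = AUTH.search(m.group("rest"))
    failed = int(a.group("tried")) - int(a.group("ok")) if a and a.group("tried") else 0
    svc = "submission" if m.group("svc") else "smtp"
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return svc, m.group("ip"), ts, failed

def decide_blocks(lines, window=timedelta(minutes=5), threshold=3):
    """Port 25 never advertises AUTH here, so one failure there is blocked at once;
    submission has real users who mistype passwords, so need `threshold` in `window`."""
    recent, blocked = defaultdict(list), {}
    for line in lines:
        parsed = auth_failures(line)
        if not parsed or parsed[3] == 0:
            continue
        svc, ip, ts, failed = parsed
        if svc == "smtp":
            blocked.setdefault(ip, "immediate: AUTH attempted on port 25")
            continue
        hits = [t for t in recent[ip] if ts - t <= window] + [ts] * failed
        recent[ip] = hits
        if len(hits) >= threshold:
            blocked.setdefault(ip, f"{len(hits)} submission auth failures within {window}")
    return blocked

# Constructed sample in the thread's log format (RFC 5737 addresses, not real clients).
SAMPLE_LOG = """\
Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Oct 19 08:00:01 mail dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=203.0.113.9, TLS handshaking: SSL_accept() failed
Nov 19 12:40:20 mail postfix/submission/smtpd[22648]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Nov 19 12:40:30 mail postfix/submission/smtpd[22649]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Nov 19 12:40:43 mail postfix/submission/smtpd[22655]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Nov 19 12:41:00 mail postfix/submission/smtpd[22660]: disconnect from unknown[203.0.113.5] ehlo=2 starttls=1 auth=1 quit=1 commands=5
""".splitlines()
```

Feeding `decide_blocks()` into an ipset, iptables or fail2ban action is left to the deployment; what matters is that only Postfix auth counters, never TLS-handshake errors, decide a block.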


Re: Is my server mail account being attacted?

2016-10-20 Thread Keith Williams

No wait... What?

This is no attack. Attack is when you try to break or enforce.. This is 
a probe, and from the probe we can deduce from the reported disconnect 
that 1. helo was tried, 2. no auth was attempted and 3, quit was used.


So a test for helo and quit? and no auth.

Someone is testing your IP and mail capability.. perhaps>>



On 20/10/2016 22:20, Bill Cole wrote:

> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
>
> > It's clear from the log, the attacker isn't even attempting to
> > authenticate (0 attempts). The attacker has probably not even
> > realized he is connecting to a mail server.
>
> No. There's a jumble there, but at least one is a lame "attack" of a
> sort. The only *Postfix* messages were:
>
> > Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from
> > unknown[216.15.186.126]
> > Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from
> > unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
>
> *THAT* client tried to authenticate and failed. It's a CBL-listed IP
> on a chronically abuse-friendly network.
>
> The rest were all messages from Dovecot components, about failed SSL
> connections from a mix of IPs. Impossible to know what the reasons for
> those were without tracking down the person running the computer.






Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole

On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:

> Looks rather like a scanning attack (finding vulnerabilities). I think
> they are trying to do an SSL type of attack like HEARTBLEED but your
> server isn't vulnerable.
> Looks also like they are sending HTTP requests (encapsulated in
> SSL/TLS) to a mail server, which seems to be an extremely stupid bot
> scanner.

Dovecot supports standard imaps (port 993) and pop3s (port 995) so that 
isn't HTTP and isn't at all strange. If I understand those errors 
correctly (big "if") they are typical of a client making a connection to 
an SSL port and sending something other than an SSL/TLS client hello.


Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole

On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:

> It's clear from the log, the attacker isn't even attempting to
> authenticate (0 attempts). The attacker has probably not even
> realized he is connecting to a mail server.

No. There's a jumble there, but at least one is a lame "attack" of a 
sort. The only *Postfix* messages were:

> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from
> unknown[216.15.186.126]
> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from
> unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3

*THAT* client tried to authenticate and failed. It's a CBL-listed IP on 
a chronically abuse-friendly network.

The rest were all messages from Dovecot components, about failed SSL 
connections from a mix of IPs. Impossible to know what the reasons for 
those were without tracking down the person running the computer.


Re: Is my server mail account being attacted?

2016-10-18 Thread Sebastian Nielsen
No, fail2ban would also block legitimate users where the user may have a flaky 
connection and be doing one or more connections without authenticating.

The SSL attempts for HTTP could be blocked with fail2ban.

The other SSL attempts, attempting to negotiate an old version, may block 
legitimate users trying to auth with an old client.

I would say, the best way to block these types of attacks is to terminate your 
SSL in your firewall, and just block anything not up to standards. Not ban, but 
just block the single transaction by disconnecting the user. And anything OK 
you just fwd to your mail server unencrypted. Then the firewall takes the bang 
and your mail server receives only clean traffic.



Re: Is my server mail account being attacted?

2016-10-18 Thread vod vos
So, how to block this kind of IPs?

Does fail2ban work?




On Tuesday, 18 October 2016 17:45:01 -0700, Sebastian Nielsen <sebast...@sebbe.eu> wrote:

> Looks rather like a scanning attack (finding vulnerabilities). I think they are
> trying to do an SSL type of attack like HEARTBLEED but your server isn't
> vulnerable.
>
> Looks also like they are sending HTTP requests (encapsulated in SSL/TLS) to a
> mail server, which seems to be an extremely stupid bot scanner.
>
> It's clear from the log, the attacker isn't even attempting to authenticate (0
> attempts). The attacker has probably not even realized he is connecting to a
> mail server.








Re: Is my server mail account being attacted?

2016-10-18 Thread Sebastian Nielsen
Looks rather like a scanning attack (finding vulnerabilities). I think they are 
trying to do an SSL type of attack like HEARTBLEED but your server isn't 
vulnerable.
Looks also like they are sending HTTP requests (encapsulated in SSL/TLS) to a 
mail server, which seems to be an extremely stupid bot scanner.

It's clear from the log, the attacker isn't even attempting to authenticate (0 
attempts). The attacker has probably not even realized he is connecting to a 
mail server.
