Re: Is my server mail account being attacked?
On Thu, 20 Oct 2016 17:13:26 -0400 "Bill Cole" wrote:

> On 20 Oct 2016, at 16:39, Keith Williams wrote:
>
>> No wait... What?
>>
>> This is no attack. Attack is when you try to break or enforce..
>> This is a probe, and from the probe we can deduce from the reported
>> disconnect that 1. helo was tried, 2. no auth was attempted and 3,
>> quit was used.
>>
>> So a test for helo and quit? and no auth.
>
> No. The "auth=0/1" in the disconnect line means that Postfix received
> 1 authentication attempt but it failed. This was a "probe" to see if
> a particular user exists and has a particular password.
>
>> Someone is testing your IP and mail capability.. perhaps
>
> Not stipulating that unauthorized "probes" are not also block-worthy,
> but this is a bit more.
>
>> On 20/10/2016 22:20, Bill Cole wrote:
>>> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
>>>
>>>> It's clear from the log, the attacker isn't even attempting to
>>>> authenticate (0 attempts). The attacker probably hasn't even
>>>> realized he is connecting to a mail server.
>>>
>>> No. There's a jumble there, but at least one is a lame "attack" of
>>> a sort. The only *Postfix* messages were:
>>>
>>>> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
>>>> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
>>>
>>> *THAT* client tried to authenticate and failed. It's a CBL-listed
>>> IP on a chronically abuse-friendly network.
>>>
>>> The rest were all messages from Dovecot components, about failed
>>> SSL connections from a mix of IPs. Impossible to know what the
>>> reasons for those were without tracking down the person running
>>> the computer.

Follow up. Different IP, same deal, but I added some error slowing settings.
#lines added after hacker attack
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = 6
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 20
smtpd_client_new_tls_session_rate_limit = 20
smtpd_client_recipient_rate_limit = 10
smtpd_recipient_limit = 10

maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22648]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22655]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22653]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max connection rate 9/60s for (submission:172.56.38.118) at Nov 19 12:40:23
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max connection count 6 for (submission:172.56.38.118) at Nov 19 12:40:20
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max newtls rate 5/60s for (submission:172.56.38.118) at Nov 19 12:40:20
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max auth rate 5/60s for (submission:172.56.38.118) at Nov 19 12:40:43
Re: Is my server mail account being attacked?
Yes, I did not advertise AUTH in my port 25 smtpd either. When I telnet to my mail server, it produces something like:

telnet 108.61.110.110 25
Trying 108.61.110.110...
Connected to example.com.
Escape character is '^]'.
220 example ESMTP Postfix
ehlo
501 Syntax: EHLO hostname
ehlo mail
250-mail.example
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH PLAIN
503 5.5.1 Error: authentication not enabled

I am going to add some iptables rules to ban some IPs now.

On Thursday, 20 October 2016 14:13:26 -0700, Bill Cole postfixlists-070...@billmail.scconsult.com wrote:

> On 20 Oct 2016, at 16:39, Keith Williams wrote:
>
>> No wait... What?
>>
>> This is no attack. Attack is when you try to break or enforce..
>> This is a probe, and from the probe we can deduce from the reported
>> disconnect that 1. helo was tried, 2. no auth was attempted and 3,
>> quit was used.
>>
>> So a test for helo and quit? and no auth.
>
> No. The "auth=0/1" in the disconnect line means that Postfix received
> 1 authentication attempt but it failed. This was a "probe" to see if
> a particular user exists and has a particular password.
>
>> Someone is testing your IP and mail capability.. perhaps
>
> Not stipulating that unauthorized "probes" are not also block-worthy,
> but this is a bit more.
>
>> On 20/10/2016 22:20, Bill Cole wrote:
>>> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
>>>
>>>> It's clear from the log, the attacker isn't even attempting to
>>>> authenticate (0 attempts). The attacker probably hasn't even
>>>> realized he is connecting to a mail server.
>>>
>>> No. There's a jumble there, but at least one is a lame "attack" of
>>> a sort. The only *Postfix* messages were:
>>>
>>>> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
>>>> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
>>>
>>> *THAT* client tried to authenticate and failed. It's a CBL-listed
>>> IP on a chronically abuse-friendly network.
>>>
>>> The rest were all messages from Dovecot components, about failed
>>> SSL connections from a mix of IPs. Impossible to know what the
>>> reasons for those were without tracking down the person running
>>> the computer.
Re: Is my server mail account being attacked?
On 20 Oct 2016, at 16:39, Keith Williams wrote:

> No wait... What?
>
> This is no attack. Attack is when you try to break or enforce..
> This is a probe, and from the probe we can deduce from the reported
> disconnect that 1. helo was tried, 2. no auth was attempted and 3,
> quit was used.
>
> So a test for helo and quit? and no auth.

No. The "auth=0/1" in the disconnect line means that Postfix received
1 authentication attempt but it failed. This was a "probe" to see if
a particular user exists and has a particular password.

> Someone is testing your IP and mail capability.. perhaps

Not stipulating that unauthorized "probes" are not also block-worthy,
but this is a bit more.

> On 20/10/2016 22:20, Bill Cole wrote:
>> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
>>
>>> It's clear from the log, the attacker isn't even attempting to
>>> authenticate (0 attempts). The attacker probably hasn't even
>>> realized he is connecting to a mail server.
>>
>> No. There's a jumble there, but at least one is a lame "attack" of
>> a sort. The only *Postfix* messages were:
>>
>>> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
>>> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
>>
>> *THAT* client tried to authenticate and failed. It's a CBL-listed
>> IP on a chronically abuse-friendly network.
>>
>> The rest were all messages from Dovecot components, about failed
>> SSL connections from a mix of IPs. Impossible to know what the
>> reasons for those were without tracking down the person running
>> the computer.
Re: Is my server mail account being attacked?
On 18 Oct 2016, at 21:00, vod vos wrote:

> So, how to block this kind of ips? Does fail2ban work?

Yes, but as Sebastian said, it is possible for fail2ban to block innocent
users, particularly those SSL errors, which essentially amount to
connections that were never fully initiated. That's why fail2ban is
usually set to require multiple matches on a log pattern in a short time
to ban an IP and only bans an IP temporarily. How much risk that
represents for any particular system is impossible to know without
knowing how the system is used and configured.

For example, I do not advertise AUTH in my port 25 smtpd because
everything that might need to relay through that system will use the
port 587 smtpd, configured to handle initial message submission. As a
result, I can be absolutely certain that anything trying to do AUTH on
the port 25 service is a bad actor of some sort, using very stupid
software. I use something very much like fail2ban in principle (but much
smaller) to immediately block any IP in a line from the port 25 smtpd
that includes 'auth=0/' (indicating an auth failure). I do a similar
thing with Dovecot, but ONLY for clear authentication failures, not for
the sort of SSL initiation failures you are seeing. I can do this because
I know my user base on that system, which is small and stable, and it
has never banned anyone it should not have.

On systems that I manage where the user bases are larger and more prone
to using bad software, configuring their software poorly, or stubbornly
mis-remembering a password, I have to take a more lenient, fail2ban-like
approach: multiple failures within a few minutes trigger a block lasting
less than an hour.
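The two blocking policies described above, as an added example that is not part of the thread or of Bill Cole's own tooling: it parses Postfix smtpd "disconnect from" lines, decodes the success/total counters so that "auth=0/1" reads as one failed attempt and "auth=1" as a successful login, blocks on the first failure on a service that never offers AUTH (the port 25 smtpd), and falls back to a count threshold on submission. The service names, the threshold of 3, and the third and fourth sample lines are assumptions; the first two sample lines are the ones quoted in the thread.

```python
import re
from collections import Counter

# Postfix logs one "disconnect from" line per session, summarising each
# SMTP command as name=count. When every use of the command succeeded it
# writes "name=N"; when some failed it writes "name=succeeded/total". So
# "auth=0/1" is one AUTH attempt with no success, "auth=1" a successful one.
DISCONNECT_RE = re.compile(
    r"postfix/(?P<service>[\w/]+)\[\d+\]: disconnect from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counters>(?: \w+=\d+(?:/\d+)?)+)"
)
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

SAMPLE_LOG = [  # first two lines quoted in the thread, last two constructed
    "Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3",
    "Nov 19 12:40:43 theranch postfix/submission/smtpd[22648]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5",
    "Nov 19 12:41:10 theranch postfix/submission/smtpd[22660]: disconnect from unknown[203.0.113.7] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7",
    "Nov 19 12:41:30 theranch postfix/submission/smtpd[22661]: disconnect from unknown[198.51.100.9] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5",
]


def parse_disconnect(line):
    """Return {'service', 'ip', 'counters': {name: (ok, total)}} or None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for name, ok, total in COUNTER_RE.findall(m.group("counters")):
        counters[name] = (int(ok), int(total) if total else int(ok))
    return {"service": m.group("service"), "ip": m.group("ip"), "counters": counters}


def failed_auths(record):
    """Number of AUTH attempts in the session that did not succeed."""
    ok, total = record["counters"].get("auth", (0, 0))
    return total - ok


def auth_probe_ips(lines, no_auth_services=("smtpd",), threshold=3):
    """IPs to block: any failed AUTH on a service that does not offer AUTH
    (the port 25 rule), or >= threshold failures on a submission service."""
    failures = Counter()
    flagged = set()
    for line in lines:
        rec = parse_disconnect(line)
        if rec is None or failed_auths(rec) == 0:
            continue  # not a disconnect line, or every AUTH succeeded
        if rec["service"] in no_auth_services:
            flagged.add(rec["ip"])  # AUTH is never legitimate here
            continue
        failures[rec["ip"]] += failed_auths(rec)
        if failures[rec["ip"]] >= threshold:
            flagged.add(rec["ip"])
    return flagged
```

A real deployment would also expire the per-IP counts after a few minutes, as fail2ban does, rather than keep them for the life of the process.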
Re: Is my server mail account being attacked?
No wait... What?

This is no attack. Attack is when you try to break or enforce..
This is a probe, and from the probe we can deduce from the reported
disconnect that 1. helo was tried, 2. no auth was attempted and 3,
quit was used.

So a test for helo and quit? and no auth.

Someone is testing your IP and mail capability.. perhaps

On 20/10/2016 22:20, Bill Cole wrote:
> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
>
>> It's clear from the log, the attacker isn't even attempting to
>> authenticate (0 attempts). The attacker probably hasn't even
>> realized he is connecting to a mail server.
>
> No. There's a jumble there, but at least one is a lame "attack" of
> a sort. The only *Postfix* messages were:
>
>> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
>> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
>
> *THAT* client tried to authenticate and failed. It's a CBL-listed
> IP on a chronically abuse-friendly network.
>
> The rest were all messages from Dovecot components, about failed
> SSL connections from a mix of IPs. Impossible to know what the
> reasons for those were without tracking down the person running
> the computer.
Re: Is my server mail account being attacked?
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:

> Looks rather like a scanning attack (finding vulnerabilities). I think
> they are trying to do an SSL type of attack like HEARTBLEED but your
> server isn't vulnerable. Looks also like they are sending HTTP requests
> (encapsulated in SSL/TLS) to a mail server, which seems to be an
> extremely stupid bot scanner.

Dovecot supports standard imaps (port 993) and pop3s (port 995) so that
isn't HTTP and isn't at all strange. If I understand those errors
correctly (big "if") they are typical of a client making a connection to
an SSL port and sending something other than an SSL/TLS client hello.
Re: Is my server mail account being attacked?
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:

> It's clear from the log, the attacker isn't even attempting to
> authenticate (0 attempts). The attacker probably hasn't even
> realized he is connecting to a mail server.

No. There's a jumble there, but at least one is a lame "attack" of
a sort. The only *Postfix* messages were:

> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3

*THAT* client tried to authenticate and failed. It's a CBL-listed
IP on a chronically abuse-friendly network.

The rest were all messages from Dovecot components, about failed
SSL connections from a mix of IPs. Impossible to know what the
reasons for those were without tracking down the person running
the computer.
Re: Is my server mail account being attacked?
No, fail2ban would also block legitimate users where the user may have a
flaky connection and be doing one or more connections and not
authenticating. The SSL attempts for http could be blocked with fail2ban.
The other SSL attempts, attempting to negotiate an old version, may block
legitimate users trying to auth with an old client.

I would say the best way to block these types of attacks is to terminate
your SSL in your firewall, and just block anything not up to standards.
Not ban, but just block the single transaction by disconnecting the user.
And anything OK you just fwd to your mail server unencrypted. Then the
firewall takes the bang and your mail server receives only clean traffic.
Re: Is my server mail account being attacked?
So, how to block this kind of IPs? Does fail2ban work?

On Tuesday, 18 October 2016 17:45:01 -0700, Sebastian Nielsen sebast...@sebbe.eu wrote:

> Looks rather like a scanning attack (finding vulnerabilities). I think
> they are trying to do an SSL type of attack like HEARTBLEED but your
> server isn't vulnerable. Looks also like they are sending HTTP requests
> (encapsulated in SSL/TLS) to a mail server, which seems to be an
> extremely stupid bot scanner.
>
> It's clear from the log, the attacker isn't even attempting to
> authenticate (0 attempts). The attacker probably hasn't even
> realized he is connecting to a mail server.
Re: Is my server mail account being attacked?
Looks rather like a scanning attack (finding vulnerabilities). I think
they are trying to do an SSL type of attack like HEARTBLEED but your
server isn't vulnerable. Looks also like they are sending HTTP requests
(encapsulated in SSL/TLS) to a mail server, which seems to be an
extremely stupid bot scanner.

It's clear from the log, the attacker isn't even attempting to
authenticate (0 attempts). The attacker probably hasn't even
realized he is connecting to a mail server.