Re: [courier-users] Blocking Brute Force Auth Attacks
On 07/08/2016 03:04 PM, Alexei Batyr' wrote:
> Unfortunately spammers/phishers et al. have already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.

I'd expect so. I didn't recommend TLS as a measure against brute-force attacks, I recommended it to protect passwords from leaking on untrusted networks. Authentication should always be done on a secure channel.

> Account locking seems not a good idea: an attacker could easily and quickly
> block all the user accounts known to him on a particular server.

And yet, temporary lockout is still a fairly standard practice. The lockouts don't need to be very long to be effective if your passwords aren't based on dictionary words.

> Fail2ban blocks
> the attacker's IPs instead, leaving the legitimate user access to his mail.

Yes, fail2ban is a good tool and I advocate its use. However, it should be noted that fail2ban does not support IPv6, so attackers can use that network to avoid blacklisting for now. Your toolbox should have more than one tool.

--
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today. http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Blocking Brute Force Auth Attacks
You may discover some networks that are malicious (shadow nets). I maintain a list of these:
https://github.com/szepeviktor/debian-server-tools/tree/master/security/myattackers-ipsets

Use the shell scripts provided. And take a look at the iptables rule counters weekly so you know how successful they are.

Chain myattackers-ipset (1 references)
 pkts bytes target prot opt in  out source     destination
    0     0 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set spidernet src reject-with icmp-port-unreachable
  240 12305 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set sks-lugan src reject-with icmp-port-unreachable
  249 11847 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set shodan-io src reject-with icmp-port-unreachable
  105  4280 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set security-scorecard src reject-with icmp-port-unreachable
  140       REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set mirtelematiki src reject-with icmp-port-unreachable
    0     0 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set lu-root src reject-with icmp-port-unreachable
    0     0 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set leonlundberg src reject-with icmp-port-unreachable
    3   120 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set hostkey src reject-with icmp-port-unreachable
   13   672 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set ering.pl src reject-with icmp-port-unreachable
   17   680 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set elan.pl src reject-with icmp-port-unreachable
 1002 40883 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0   match-set ecatel src reject-with icmp-port-unreachable
4657K 1595M RETURN all  --  *   *   0.0.0.0/0  0.0.0.0/0

For example, ecatel could have made 1002 Courier authentication attacks without these rules.

Quoting Alexei Batyr':

> Gordon Messmer writes:
>
>> Authentication over plain text is only allowed if ESMTPAUTH is set in
>> etc/courier/esmtpd. To maintain password security, that setting should
>> be empty. Instead, use ESMTPAUTH_TLS to enable authentication only
>> after TLS is initialized.
>
> Unfortunately spammers/phishers et al. have already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.
>
>> I wrote earlier that protecting authentication with encryption would
>> leave you with only tools like fail2ban. I should have mentioned that
>> the other good option is using an authentication backend that'll lock
>> accounts temporarily when there are repeated auth failures.
>
> Account locking seems not a good idea: an attacker could easily and quickly
> block all the user accounts known to him on a particular server. Fail2ban blocks
> the attacker's IPs instead, leaving the legitimate user access to his mail.
> Probably a better solution would be similar blocking at MTA level, without
> log parsing and firing firewall rules.
>
> Just FYI: the fail2ban block list of my relatively small mail server (approx.
> 350 users) now contains more than 1500 IPs. Additional advantage: reducing
> overall load on the server, because blocked botnet members no longer make
> continuous connections to the MTA.
>
> --
> Alexei.

SZÉPE Viktor
--
+36-20-4242498
s...@szepe.net
skype: szepe.viktor
Budapest, III. kerület
Re: [courier-users] Blocking Brute Force Auth Attacks
Please consider reading and understanding these Courier ban rules:
https://github.com/szepeviktor/debian-server-tools/tree/master/security/fail2ban-conf/filter.d

Quoting Sam Varshavchik:

> Nathan Harris writes:
>
>> For a while now our server has been seeing a lot of brute force
>> authentication attacks. Of course the source of these attacks is
>> constantly changing. My firewall (pfSense) is running Snort and I am
>> using the following custom rules to help.
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)
>>
>> This is working fairly well. However, it would also be good to
>> immediately block IPs when an invalid user name is specified. I have
>> looked at Fail2Ban which does a similar operation to what I'm doing
>> (except on the mail server's firewall). Is there anything more
>> sophisticated or a better approach to solving this problem?
>
> You should check the timestamps in the maillog. Courier's automatic
> tarpitting and rate limit is pretty good at keeping things under
> control.
>
> Also, check whether or not you really need to enable authenticated
> SMTP on port 25. In most cases you can turn this off completely, and
> use only authenticated SMTP on port 587.
>
> Just last month, on another mailing list one unfortunate soul
> discovered that he was successfully dictionary-attacked, and had a
> queue full of spam.
>
> No tarpitting will help. fail2ban will work generally well, but it
> won't be fool-proof.

SZÉPE Viktor
--
+36-20-4242498
s...@szepe.net
skype: szepe.viktor
Budapest, III. kerület
Re: [courier-users] Blocking Brute Force Auth Attacks
Gordon Messmer writes:

> Authentication over plain text is only allowed if ESMTPAUTH is set in
> etc/courier/esmtpd. To maintain password security, that setting should
> be empty. Instead, use ESMTPAUTH_TLS to enable authentication only
> after TLS is initialized.

Unfortunately spammers/phishers et al. have already mastered SSL and STARTTLS and successfully use them in brute force and other attacks.

> I wrote earlier that protecting authentication with encryption would
> leave you with only tools like fail2ban. I should have mentioned that
> the other good option is using an authentication backend that'll lock
> accounts temporarily when there are repeated auth failures.

Account locking seems not a good idea: an attacker could easily and quickly block all the user accounts known to him on a particular server. Fail2ban blocks the attacker's IPs instead, leaving the legitimate user access to his mail. Probably a better solution would be similar blocking at MTA level, without log parsing and firing firewall rules.

Just FYI: the fail2ban block list of my relatively small mail server (approx. 350 users) now contains more than 1500 IPs. Additional advantage: reducing overall load on the server, because blocked botnet members no longer make continuous connections to the MTA.

--
Alexei.
Re: [courier-users] Blocking Brute Force Auth Attacks
Nathan Harris writes:

> On 7/8/2016 10:58 AM, Gordon Messmer wrote:
>> On 07/08/2016 06:49 AM, Nathan Harris wrote:
>>> Is there anything more
>>> sophisticated or a better approach to solving this problem?
>> I'd recommend that you not allow authentication on any non-encrypted
>> protocols, and that'll only leave log analysis tools like fail2ban as
>> options.
>
> Gordon, first let me start with a big thank you for pythonfilter which I
> have used for years.
>
> As far as rejecting/disabling smtp authentication, I was not aware there was
> a setting for this.

Set ESMTPAUTH and ESMTPAUTH_TLS to an empty string in the esmtpd configuration file. Before doing that, copy the current settings to the esmtpd-msa configuration file (its CUSTOM section is for that), so that authenticated SMTP is still enabled on port 587.
Re: [courier-users] Blocking Brute Force Auth Attacks
Nathan Harris writes:

> For a while now our server has been seeing a lot of brute force
> authentication attacks. Of course the source of these attacks is
> constantly changing. My firewall (pfSense) is running Snort and I am
> using the following custom rules to help.
>
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)
>
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)
>
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)
>
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)
>
> This is working fairly well. However, it would also be good to
> immediately block IPs when an invalid user name is specified. I have
> looked at Fail2Ban which does a similar operation to what I'm doing
> (except on the mail server's firewall). Is there anything more
> sophisticated or a better approach to solving this problem?

You should check the timestamps in the maillog. Courier's automatic tarpitting and rate limit is pretty good at keeping things under control.

Also, check whether or not you really need to enable authenticated SMTP on port 25. In most cases you can turn this off completely, and use only authenticated SMTP on port 587.

Just last month, on another mailing list one unfortunate soul discovered that he was successfully dictionary-attacked, and had a queue full of spam.

No tarpitting will help. fail2ban will work generally well, but it won't be fool-proof.
Re: [courier-users] Blocking Brute Force Auth Attacks
On 7/8/2016 2:23 PM, Gordon Messmer wrote:
>
>> As far as rejecting/disabling smtp authentication, I was not aware there was
>> a setting for this.
> Authentication over plain text is only allowed if ESMTPAUTH is set in
> etc/courier/esmtpd. To maintain password security, that setting should
> be empty. Instead, use ESMTPAUTH_TLS to enable authentication only
> after TLS is initialized.

In a world where everything supports TLS now this is good advice. I'm feeling my age that I didn't even think of this.

> I wrote earlier that protecting authentication with encryption would
> leave you with only tools like fail2ban. I should have mentioned that
> the other good option is using an authentication backend that'll lock
> accounts temporarily when there are repeated auth failures.
>

I am using PAM, so I'll research what is possible. Thanks again.
Re: [courier-users] Blocking Brute Force Auth Attacks
On 07/08/2016 09:54 AM, Nathan Harris wrote:
> Gordon, first let me start with a big thank you for pythonfilter which I
> have used for years.

Cool. Glad to hear it!

> As far as rejecting/disabling smtp authentication, I was not aware there was
> a setting for this.

Authentication over plain text is only allowed if ESMTPAUTH is set in etc/courier/esmtpd. To maintain password security, that setting should be empty. Instead, use ESMTPAUTH_TLS to enable authentication only after TLS is initialized.

I wrote earlier that protecting authentication with encryption would leave you with only tools like fail2ban. I should have mentioned that the other good option is using an authentication backend that'll lock accounts temporarily when there are repeated auth failures.
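One way to verify the setting Gordon describes here (and the esmtpd / esmtpd-msa split Sam recommends elsewhere in the thread) is to look at what the listener actually advertises: a port-25 EHLO reply that carries a 250-AUTH line before STARTTLS means plaintext authentication is still on. The Python below is an added example, not Courier's code or any tool from the project. The EHLO replies in it are constructed, mail.example.net is a hypothetical host, and the live probe uses only the standard library's smtplib.

```python
"""Does the port-25 listener still offer AUTH before STARTTLS?

Added example, not Courier's own code or tooling. It relies only on the
standard EHLO reply format (RFC 5321 section 4.1.1.1): the weak state
the thread warns about (ESMTPAUTH non-empty) shows up as a "250-AUTH ..."
line in the reply to the first, unencrypted EHLO; the hardened state
(ESMTPAUTH empty, ESMTPAUTH_TLS set) advertises AUTH only after STARTTLS.
The EHLO replies below are constructed, not captured from a real server.
"""
import smtplib
import ssl


def auth_mechanisms(ehlo_reply: str) -> set[str]:
    """Return the SASL mechanisms advertised in a (multi-line) EHLO reply.

    Handles both "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN LOGIN"
    spelling some servers use; all other 250- lines are ignored.
    """
    mechs: set[str] = set()
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword.upper().startswith("AUTH"):
            if "=" in keyword:                       # AUTH=PLAIN form
                params = keyword.split("=", 1)[1] + " " + params
            mechs.update(m.upper() for m in params.split())
    return mechs


def plaintext_auth_exposed(ehlo_reply_before_tls: str) -> bool:
    """True when the pre-STARTTLS EHLO reply advertises any AUTH mechanism."""
    return bool(auth_mechanisms(ehlo_reply_before_tls))


def probe_listener(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a real server: EHLO, then STARTTLS and EHLO again.

    Not exercised by the constructed samples below; run it yourself, e.g.
    probe_listener("mail.example.net", 25) (hypothetical host name).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        before = set(conn.esmtp_features.get("auth", "").upper().lstrip("= ").split())
        after: set[str] = set()
        if conn.has_extn("starttls"):
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()
            after = set(conn.esmtp_features.get("auth", "").upper().lstrip("= ").split())
    return {"auth_before_tls": before, "auth_after_tls": after}


# Constructed replies. WEAK_REPLY is what a listener with ESMTPAUTH set
# looks like; the HARDENED_* pair is ESMTPAUTH empty plus ESMTPAUTH_TLS set.
WEAK_REPLY = """\
250-mail.example.net Ok.
250-STARTTLS
250-AUTH PLAIN LOGIN
250-PIPELINING
250 HELP"""

HARDENED_REPLY_BEFORE_TLS = """\
250-mail.example.net Ok.
250-STARTTLS
250-PIPELINING
250 HELP"""

HARDENED_REPLY_AFTER_TLS = """\
250-mail.example.net Ok.
250-AUTH=PLAIN LOGIN
250-PIPELINING
250 HELP"""

if __name__ == "__main__":
    for name, reply in (("weak", WEAK_REPLY), ("hardened", HARDENED_REPLY_BEFORE_TLS)):
        print(f"{name}: plaintext AUTH exposed = {plaintext_auth_exposed(reply)}")
```

After changing esmtpd and esmtpd-msa, run probe_listener against both port 25 and port 587: the result you want is an empty auth_before_tls on both, mechanisms listed only in auth_after_tls on 587, and, if submission has been moved entirely to the MSA port, nothing at all on 25.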
Re: [courier-users] Blocking Brute Force Auth Attacks
On 7/8/2016 10:58 AM, Gordon Messmer wrote:
> On 07/08/2016 06:49 AM, Nathan Harris wrote:
>> Is there anything more
>> sophisticated or a better approach to solving this problem?
> I'd recommend that you not allow authentication on any non-encrypted
> protocols, and that'll only leave log analysis tools like fail2ban as
> options.
>

Gordon, first let me start with a big thank you for pythonfilter which I have used for years.

As far as rejecting/disabling smtp authentication, I was not aware there was a setting for this.
Re: [courier-users] Blocking Brute Force Auth Attacks
On 07/08/2016 06:49 AM, Nathan Harris wrote:
> Is there anything more
> sophisticated or a better approach to solving this problem?

I'd recommend that you not allow authentication on any non-encrypted protocols, and that'll only leave log analysis tools like fail2ban as options.
Re: [courier-users] Vhost certificates
On 7/8/2016 10:03 AM, Matus UHLAR - fantomas wrote:
> On 08.07.16 16:38, Mark Constable wrote:
>> FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
>> (letsencrypt) certificate and it worked!
>>
>> All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
>> to the right combined privkey.pem + fullchain.pem for the particular
>> vhost and Thunderbird worked perfectly.
>>
>> Brilliant! Thank you Sam :-)
>>
>> Just checked, Outlook for Android did not work. Anyone know of an Android
>> mail app that might work with IMAP/ESMTP SNA?
>
> do you mean, SNI?

That makes more sense. K-9 Mail supports SNI in its unstable branch (v 5.108 on), but it hasn't yet made it to the stable version available on Google Play.

--
Bowie
[courier-users] Blocking Brute Force Auth Attacks
For a while now our server has been seeing a lot of brute force authentication attacks. Of course the source of these attacks is constantly changing. My firewall (pfSense) is running Snort and I am using the following custom rules to help.

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)

This is working fairly well. However, it would also be good to immediately block IPs when an invalid user name is specified. I have looked at Fail2Ban which does a similar operation to what I'm doing (except on the mail server's firewall). Is there anything more sophisticated or a better approach to solving this problem?

-Nathan
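Nathan's Snort rules key on the server's replies at the perimeter; fail2ban-style blocking keys on the mail server's own log instead, and the caveat Gordon raises elsewhere in the thread (fail2ban not handling IPv6 at the time) comes down to how the source address is extracted from each log line and turned into the key that gets banned. The Python below is an added example of that log-side logic, not fail2ban or Courier code. The two log line formats, the account list and the sample lines are constructed assumptions to compare against a real maillog, and the policy (ban at once on a nonexistent user name, after five failures in ten minutes otherwise, native IPv6 counted per /64) is the example's own.

```python
"""Ban decisions from Courier authentication failures, with IPv6-aware keys.

Added example; it is neither fail2ban nor Courier code. Assumptions, all
to be checked against your own maillog: courier-imap/pop3 failures look
like "imapd: LOGIN FAILED, user=<u>, ip=[<addr>]" and courieresmtpd
failures like 'error,relay=<addr>,msg="535 Authentication failed."';
IPv4 clients appear as IPv4-mapped IPv6 (::ffff:a.b.c.d). The policy is
this example's own: a login attempt for a nonexistent account bans the
source at once, a real account after MAX_FAILURES in WINDOW seconds, and
native IPv6 sources are counted per /64 so address rotation inside one
allocation shares a counter. The log lines and account list are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

IMAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:imapd|pop3d)(?:-ssl)?: "
    r"LOGIN FAILED, user=(?P<user>[^,]*), ip=\[(?P<ip>[^\]]+)\]"
)
SMTP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ courieresmtpd: "
    r'error,relay=(?P<ip>[^,]+),msg="535 Authentication failed\."'
)
MAX_FAILURES = 5   # known account: ban after this many failures ...
WINDOW = 600       # ... inside this many seconds
LOG_YEAR = 2016    # syslog timestamps carry no year


def source_key(raw_ip: str) -> str:
    """::ffff:203.0.113.7 -> '203.0.113.7'; native IPv6 -> its /64 network."""
    addr = ipaddress.ip_address(raw_ip)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return str(addr.ipv4_mapped)
        return str(ipaddress.IPv6Network((int(addr), 64), strict=False))
    return str(addr)


def parse_failure(line: str):
    """Return (epoch_seconds, source_key, user_or_None), or None if not a failure."""
    m = IMAP_RE.match(line) or SMTP_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), source_key(m.group("ip")), m.groupdict().get("user")


def decide_bans(lines, known_users, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay log lines in order; return {source_key: epoch_seconds_of_ban}."""
    recent = defaultdict(deque)   # source -> failure timestamps inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src, user = parsed
        if src in banned:
            continue                       # already handled, nothing to count
        if user is not None and user not in known_users:
            banned[src] = ts               # nonexistent account: no second chance
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned[src] = ts
    return banned


# Constructed account list and log excerpt (not from any real server).
KNOWN_USERS = {"alice", "bob"}
SAMPLE_LOG = [
    "Jul  8 13:00:01 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]",
    "Jul  8 13:00:10 mail imapd: LOGIN, user=bob, ip=[::ffff:198.51.100.20]",
    "Jul  8 13:00:30 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.20]",
    "Jul  8 13:00:45 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.20]",
    "Jul  8 13:01:02 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]",
    "Jul  8 13:02:03 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]",
    "Jul  8 13:03:04 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]",
    "Jul  8 13:04:05 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]",
] + [
    # SMTP AUTH dictionary attack rotating through addresses of one /64
    f'Jul  8 13:05:{10 * i:02d} mail courieresmtpd: error,relay=2001:db8:1:2::{i + 10},'
    'msg="535 Authentication failed.",cmd: AUTH PLAIN'
    for i in range(5)
] + [
    "Jul  8 13:06:00 mail imapd: LOGIN FAILED, user=admin, ip=[2001:db8:9::1]",
    "Jul  8 13:07:00 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]",
]

if __name__ == "__main__":
    for src, when in decide_bans(SAMPLE_LOG, KNOWN_USERS).items():
        print(f"ban {src} at {datetime.fromtimestamp(when):%H:%M:%S}")
```

On the sample, alice's two password typos from 198.51.100.20 stay unbanned, the IMAP hammering of alice's account from 203.0.113.7 is banned on the fifth failure, the SMTP attack is banned as the whole 2001:db8:1:2::/64 even though every attempt came from a different address, and the attempt on the nonexistent account admin is banned on its first line. Whatever you feed the keys to (ipset, nftables, a firewall API) must accept a prefix as well as a single address for the IPv6 case.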
Re: [courier-users] Vhost certificates
On 08.07.16 16:38, Mark Constable wrote:
> FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
> (letsencrypt) certificate and it worked!
>
> All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
> to the right combined privkey.pem + fullchain.pem for the particular
> vhost and Thunderbird worked perfectly.
>
> Brilliant! Thank you Sam :-)
>
> Just checked, Outlook for Android did not work. Anyone know of an Android
> mail app that might work with IMAP/ESMTP SNA?

do you mean, SNI?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
Re: [courier-users] Vhost certificates
On 7/8/2016 2:38 AM, Mark Constable wrote:
> FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
> (letsencrypt) certificate and it worked!
>
> All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
> to the right combined privkey.pem + fullchain.pem for the particular
> vhost and Thunderbird worked perfectly.
>
> Brilliant! Thank you Sam :-)
>
> Just checked, Outlook for Android did not work. Anyone know of an Android
> mail app that might work with IMAP/ESMTP SNA?

Don't know about SNA, but K-9 Mail works great with my Courier IMAP server.

--
Bowie
[courier-users] Vhost certificates
FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL (letsencrypt) certificate and it worked!

All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN to the right combined privkey.pem + fullchain.pem for the particular vhost and Thunderbird worked perfectly.

Brilliant! Thank you Sam :-)

Just checked, Outlook for Android did not work. Anyone know of an Android mail app that might work with IMAP/ESMTP SNA?