Re: [qmailtoaster] Is it safe to block port 465/smtps and how to prevent brute force guessing
For qmail-1.03-3.3.5 and up, the link below defines how to set up /var/log/qmail/smtptx/current. This stops attempts of AUTH outside TLS.

https://github.com/qmtoaster/patches/tree/master/cos8/3.3.5

On 11/4/2022 1:57 AM, Peter Peltonen wrote:
> [...]
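The property Eric's note points at (AUTH is offered only after STARTTLS, never on the plaintext EHLO) can be verified from the client side. The following is an added example, not code from the qmailtoaster patches or from anyone in this thread: it parses EHLO replies offline on constructed samples, and probe_live() is an assumed helper that uses smtplib against a host you administer. Port 465 (smtps) is implicit TLS, so this check applies to the STARTTLS ports, 25 and 587.

```python
"""Check whether a STARTTLS SMTP service advertises AUTH before TLS is up.

Added example, not part of the qmailtoaster patches or this thread. The EHLO
replies below are constructed; probe_live() is an assumed helper for a host
you operate and is not exercised offline.
"""
import smtplib

# Constructed EHLO replies (CRLF-separated, as on the wire).
WEAK_PRE_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"
GOOD_PRE_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
POST_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"


def ehlo_features(ehlo_text):
    """Parse a multi-line 250 reply into {KEYWORD: params}; the first line is the hostname."""
    feats = {}
    for line in ehlo_text.splitlines():
        line = line.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        keyword, _, params = line[4:].strip().partition(" ")   # drop '250-' / '250 '
        if keyword:
            feats[keyword.upper()] = params.strip()
    return feats


def classify(pre_tls, post_tls):
    """Classify a service from its EHLO feature sets before and after STARTTLS.

    'auth-before-tls'  AUTH offered on the plaintext EHLO: credentials can travel
                       in the clear and guessing runs without a TLS handshake.
    'auth-only-in-tls' AUTH appears only after STARTTLS, which is what the 3.3.5
                       configuration Eric refers to enforces.
    'no-auth'          AUTH never offered (a pure inbound MX on port 25 looks like this).
    """
    if "AUTH" in pre_tls:
        return "auth-before-tls"
    if "AUTH" in post_tls:
        return "auth-only-in-tls"
    return "no-auth"


def probe_live(host, port=587, timeout=10):
    """EHLO, STARTTLS, EHLO again on a server you administer; returns the classification."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper(): v for k, v in s.esmtp_features.items()}
        if not s.has_extn("starttls"):
            return "no-starttls"
        s.starttls()   # smtplib clears its feature cache here; EHLO again to repopulate it
        s.ehlo()
        post = {k.upper(): v for k, v in s.esmtp_features.items()}
    return classify(pre, post)


if __name__ == "__main__":
    print("weak:", classify(ehlo_features(WEAK_PRE_TLS), ehlo_features(POST_TLS)))
    print("good:", classify(ehlo_features(GOOD_PRE_TLS), ehlo_features(POST_TLS)))
```

Run probe_live("your.mail.host") for 25 and 587 after applying the 3.3.5 setup; "auth-before-tls" on either port means the change did not take effect for that service.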
Re: [qmailtoaster] Is it safe to block port 465/smtps and how to prevent brute force guessing
Hi,

I received a private reply that the correct logpath is /var/log/qmail/smtpt*/current so that should work.

Below are some stats from my server. In the end, I did not disable smtps, as there were a few users using the port and it seems to be a difficult task to change the port in Outlook (requires deleting and adding the account again).

What I notice now after a few days (see stats below) following the logs is that there are a lot of failed attempts but only a few get banned because they come from different IPs. So it is very difficult if the attempts are initiated from a botnet with lots of IPs...

What I could try to do, is to allow attempts based on IP geo location and then block the rest. Does anyone know if such a configuration could be done easily with some existing tool? Either at qmail or iptables level.

# ./f2bstat
Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 4
|  |- Total failed:     8
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:
Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 14
|  |- Total failed:     177
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   185.28.39.139 185.232.21.210 2.58.46.186 91.103.252.239
Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 1276
|  |- Total failed:     3646
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 10
   |- Total banned:     27
   `- Banned IP list:   117.123.14.7 103.249.77.2 220.255.216.14 189.109.236.166 122.252.192.22 136.169.210.132 189.108.147.210 172.245.92.101 192.227.246.107 219.255.134.98
Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 685
|  |- Total failed:     6302
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 11
   |- Total banned:     16
   `- Banned IP list:   60.174.192.240 76.82.169.64 201.63.178.141 177.86.158.78 41.170.13.250 98.143.104.200 68.55.3.234 211.196.236.250 124.165.66.186 183.99.76.78 67.204.24.218

On Wed, Nov 2, 2022 at 10:13 PM Peter Peltonen wrote:
> [...]

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
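One way to do the geo allowlisting Peter asks about is an ipset holding the permitted country ranges plus a single iptables rule that drops new connections to 465 and 587 from everything outside it. The block below is an added example, not code from the qmailtoaster project or from anyone in the thread: it assumes you already have a CIDR list for the countries you want to allow (a GeoIP CIDR export, for instance); the list embedded here is constructed from documentation ranges for the test and is not a real country allocation, and the set name mail_auth_geo is an arbitrary choice. It generates the commands rather than running them, so the rules can be reviewed first.

```python
"""Build an ipset/iptables allowlist for the mail authentication ports.

Added example, not code from the qmailtoaster project or the list thread. The
CIDR list is constructed (documentation ranges) and the set name is arbitrary.
"""
import ipaddress

MAIL_AUTH_PORTS = (465, 587)   # smtps and submission, the ports discussed in the thread

# Constructed sample allowlist: overlapping and duplicate entries on purpose.
SAMPLE_CIDRS = """\
# country A
203.0.113.0/24
203.0.113.0/25   # contained in the /24 above, collapsed away
# country B
198.51.100.0/24
198.51.100.0/24  # duplicate
2001:db8::/32
"""


def load_cidrs(text):
    """Parse 'one network per line, # comments' and collapse overlaps per IP version."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(ip, nets):
    """True if 'ip' falls inside any allowlisted network of the same IP version.
    Useful for checking a user's address before the rule locks them out."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def allowlist_rules(nets, set_name="mail_auth_geo", ports=MAIL_AUTH_PORTS):
    """Return the shell commands (IPv4 only; ip6tables and 'family inet6' for v6) that
    drop NEW connections to the auth ports from sources outside the set. Not executed."""
    v4 = [n for n in nets if n.version == 4]
    cmds = [f"ipset create {set_name} hash:net -exist"]
    cmds += [f"ipset add {set_name} {n} -exist" for n in v4]
    portlist = ",".join(str(p) for p in ports)
    # Inserted at the top of INPUT so it wins over a later blanket ACCEPT on these ports;
    # only NEW connections are matched, so established sessions are not cut.
    cmds.append(
        f"iptables -I INPUT -p tcp -m multiport --dports {portlist} "
        f"-m conntrack --ctstate NEW -m set ! --match-set {set_name} src -j DROP"
    )
    return cmds


if __name__ == "__main__":
    allowed = load_cidrs(SAMPLE_CIDRS)
    for cmd in allowlist_rules(allowed):
        print(cmd)
```

This reduces the volume hitting fail2ban but does not end it: bot traffic from compromised hosts inside the allowed countries still gets through, and travelling users outside them are dropped silently, so keep the per-IP jails and check is_allowed() for the addresses your real users connect from before enabling the DROP rule.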
Re: [qmailtoaster] Is it safe to block port 465/smtps and how to prevent brute force guessing
Thanks and yes, submission has been hacked also of course, but for some reason, I see the brute force attempts directed only against smtps (at least during the past days). As I don't use it, it's better to disable it as then I need only to monitor submission. Changing passwords has been of course done.

When following the fail2ban instructions one command failed:

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
cp: target '2022' is not a directory

Also in the qmail-smtp-authnotavail filter I see the following entry:

logpath = /var/log/qmail/smtptx/current

-> I don't have such a log file, is there a typo in the path?

I had to disable that filter as fail2ban refuses to start with it.

Best,

Peter

On Wed, Nov 2, 2022 at 5:27 AM Eric Broch wrote:
> [...]
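The jails Peter lists (qmail-smtps-passfail, qmail-smtps-usernotfound and their submission counterparts) all count failures per source IP, which is exactly why a botnet spreading its guesses over many addresses stays under the ban threshold. The block below is an added example, not one of the qmailtoaster filters and not code from anyone in the thread: it applies one regex to /var/log/maillog lines and reports both what a per-IP jail would see and which accounts are being guessed from many distinct sources. The log line format is an assumption about vpopmail's vchkpw logging ("vchkpw-<service>: password fail ..." and "... vpopmail user not found ..."); confirm it against your own maillog before relying on it. The sample lines are constructed and use documentation IP ranges.

```python
"""Spot single-IP and distributed auth brute force in qmail-toaster's maillog.

Added example, not part of the thread or the qmailtoaster fail2ban filters.
The vchkpw line format is assumed; the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Assumed vchkpw format. The trailing 'account:IP' is what a fail2ban failregex
# would capture with <HOST> in place of the (?P<ip>...) group.
FAIL_RE = re.compile(
    r"vchkpw-(?P<svc>smtps|submission|smtp|pop3):\s+"
    r"(?P<kind>password fail|vpopmail user not found)\b.*?"
    r"(?P<user>[^\s:@]*)@(?P<domain>[^\s:]*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample: four single guesses at alice from four IPs (distributed),
# five guesses at bob from one IP (classic per-IP case), one unknown user, one noise line.
SAMPLE_MAILLOG = """\
Nov  3 10:15:02 mail vpopmail[2101]: vchkpw-smtps: password fail (pass: 'xxx') alice@example.com:203.0.113.5
Nov  3 10:15:09 mail vpopmail[2102]: vchkpw-smtps: password fail (pass: 'xxx') alice@example.com:203.0.113.6
Nov  3 10:15:11 mail vpopmail[2103]: vchkpw-smtps: password fail (pass: 'xxx') alice@example.com:203.0.113.7
Nov  3 10:15:20 mail vpopmail[2104]: vchkpw-smtps: password fail (pass: 'xxx') alice@example.com:203.0.113.8
Nov  3 10:16:00 mail vpopmail[2105]: vchkpw-submission: password fail (pass: 'xxx') bob@example.com:198.51.100.7
Nov  3 10:16:01 mail vpopmail[2106]: vchkpw-submission: password fail (pass: 'xxx') bob@example.com:198.51.100.7
Nov  3 10:16:02 mail vpopmail[2107]: vchkpw-submission: password fail (pass: 'xxx') bob@example.com:198.51.100.7
Nov  3 10:16:03 mail vpopmail[2108]: vchkpw-submission: password fail (pass: 'xxx') bob@example.com:198.51.100.7
Nov  3 10:16:04 mail vpopmail[2109]: vchkpw-submission: password fail (pass: 'xxx') bob@example.com:198.51.100.7
Nov  3 10:17:30 mail vpopmail[2110]: vchkpw-smtps: vpopmail user not found carol@example.com:198.51.100.9
Nov  3 10:18:00 mail systemd[1]: Started fail2ban service.
"""


def parse_events(lines):
    """Return one dict per matching failure line; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            events.append({"svc": m["svc"], "kind": m["kind"],
                           "account": f"{m['user']}@{m['domain']}", "ip": m["ip"]})
    return events


def per_ip_offenders(events, threshold):
    """What a per-IP jail sees: source IPs with at least `threshold` failures."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_targets(events, min_ips):
    """Accounts guessed from at least `min_ips` distinct sources, each of which may
    stay under the per-IP threshold (the botnet case Peter describes)."""
    sources = defaultdict(set)
    for e in events:
        if e["kind"] == "password fail":
            sources[e["account"]].add(e["ip"])
    return {acct: sorted(ips) for acct, ips in sources.items() if len(ips) >= min_ips}


def summarize(log_text, ip_threshold=5, min_ips=3):
    """Summary of a maillog excerpt: totals, per-service split, both detection views."""
    events = parse_events(log_text.splitlines())
    return {
        "events": len(events),
        "by_service": dict(Counter(e["svc"] for e in events)),
        "per_ip": per_ip_offenders(events, ip_threshold),
        "distributed": distributed_targets(events, min_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAILLOG).items():
        print(f"{key}: {value}")
```

The per-account view is the one that stays useful under a distributed attack: an account that shows up there is a candidate for a forced password change and a check of its recent sent mail, regardless of how few bans fail2ban reports. To validate the regex against real data, run fail2ban-regex over your maillog with the filter file the jail uses and compare its match count with parse_events() on the same excerpt.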
Re: [qmailtoaster] Is it safe to block port 465/smtps and how to prevent brute force guessing
And, the instruction on fail2ban should work fine. Submit questions to list.

On 11/1/2022 8:38 PM, Remo Mattei wrote:
> [...]
Re: [qmailtoaster] Is it safe to block port 465/smtps and how to prevent brute force guessing
I would change all the passwords.

Remo

--
Sent from iPhone

> On Tuesday, Nov 01, 2022 at 14:44, Eric Broch wrote:
> [...]
Re: [qmailtoaster] Is it safe to block port 465/smtps and how to prevent brute force guessing
# qmailctl stop
# touch /var/qmail/supervise/smtps/log/down
# touch /var/qmail/supervise/smtps/down
# qmailctl start
# qmailctl stat

But, if they've hacked smtps then they've also hacked submission; right?

On 11/1/2022 1:10 PM, Peter Peltonen wrote:
> Hi,
>
> I had an email account password guessed through auth attempts via smtps.
>
> I did not realize this as I had forgotten I had it enabled at all. I was
> looking at the submission log and scratching my head not understanding how
> messages got to the remote queue without anything in the submission log,
> until I realized smtps was enabled and it was logging to /var/log/maillog
> and not to any log under /var/log/qmail...
>
> My first question: is it safe to disable smtps? I guess I don't need it
> for anything as all my users should be using 587/submission instead?
>
> Second question: How do I disable it? Should I just remove the
> /var/qmail/supervise/smtps/run file? And/or block it at firewall level?
>
> Third question: to prevent brute force attacks, is fail2ban the best
> option to do it? I just follow the instructions at
> http://www.qmailtoaster.com/fail2ban.html ?
>
> Best,
> Peter