LinuxQuestions.org

Linux - Security: [CentOS][dovecot][Logwatch/fail2ban]Increase in attacks the last days (https://www.linuxquestions.org/questions/linux-security-4/%5Bcentos%5D%5Bdovecot%5D%5Blogwatch-fail2ban%5Dincrease-in-attacks-the-last-days-4175450794/)

thelinuxist 02-19-2013 08:27 AM

[CentOS][dovecot][Logwatch/fail2ban]Increase in attacks the last days
 
Greetings,

In the last few days, the number of attacks on our Dovecot server has increased significantly. I can't imagine why, as our server is running an online store, so actually none of the users receives anything confidential...
Well, bots trying their luck on SMTP servers like Postfix are nothing new, and I can imagine why (so can anyone, I'd suspect), but why in the world would anyone/anything try to hack a POP3 server?
The IPs and whois lookups point to the "usual suspects", mostly Chinese and Eastern European, so it's not just a misconfigured computer.
Actually, using fail2ban, strong passwords and secure connections, we're safe, but still, it's disturbing and I'd like to know the reason for it. Does somebody know more?

Thanks for all answers!

unSpawn 02-19-2013 09:21 AM

What kind of attacks are you seeing? Do you have any packet payload logging?

thelinuxist 02-20-2013 01:11 AM

Well, I've dug into that further - it's just people trying to log into our POP3 server as root - maybe brute force or DDoS?
Yesterday, there were about 230 attempts, but on normal days, we don't have more than 20 failed ones. Today, we had another 160 attempts. All unsuccessful, all of them as root, but still disturbing...
That's strange; as I said, I can't imagine what a POP3 server could be abused for, except accessing users' mail or maybe phishing?
The root account isn't configured to receive mail or to log in to Dovecot - I don't need that, since I (=root) have another user account and a few mail aliases (remembering Linux rule No. 1).
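
What the "all of them as root" finding looks like when pulled out of the Dovecot log with a script rather than by eye. This is an added example, not code from the thread or from the Dovecot project. It assumes Dovecot 2.x-style pop3-login/imap-login lines of the form "Disconnected (auth failed, N attempts in S secs): user=<u>, ..., rip=A.B.C.D" and sums the per-session "N attempts" counter per user and per source IP; the rip= field is the same one fail2ban's dovecot filter keys on. The sample log lines are constructed for this example and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failed Dovecot logins per user
# and per source IP from syslog-style Dovecot 2.x login lines.
# Constructed sample input using documentation address ranges.

SAMPLE_LOG=$(cat <<'EOF'
Feb 19 08:12:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb 19 08:12:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5
Feb 19 08:13:44 mail dovecot: pop3-login: Login: user=<shop>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=1234, TLS
Feb 19 08:14:10 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 20 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb 19 08:15:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<admin>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5
Feb 19 08:15:02 mail dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=198.51.100.5
EOF
)

# failed_auth_summary: read log lines on stdin, print "user NAME COUNT",
# "ip ADDR COUNT" and "total COUNT" lines. Successful logins and sessions
# that never attempted authentication are ignored. Output is sorted so it
# is stable regardless of awk's array iteration order.
failed_auth_summary() {
    awk '
    /auth failed/ {
        n = 1                                  # fallback if the counter is missing
        if (match($0, /auth failed, [0-9]+ attempts/)) {
            split(substr($0, RSTART, RLENGTH), f, " "); n = f[3] + 0
        }
        user = "?"; ip = "?"
        if (match($0, /user=<[^>]*>/)) user = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /rip=[0-9.]+/))  ip   = substr($0, RSTART + 4, RLENGTH - 4)
        by_user[user] += n; by_ip[ip] += n; total += n
    }
    END {
        for (u in by_user) printf "user %s %d\n", u, by_user[u]
        for (i in by_ip)   printf "ip %s %d\n", i, by_ip[i]
        printf "total %d\n", total + 0
    }' | sort
}

# suspicious_users THRESHOLD: from a summary on stdin, print the user names
# with at least THRESHOLD failures. Compare the list against the accounts
# Dovecot is actually meant to serve; root should never appear there at all.
suspicious_users() {
    awk -v t="$1" '$1 == "user" && $3 >= t { print $2 }'
}

# Wrappers over the constructed sample so the result can be checked directly.
sample_summary()    { printf '%s\n' "$SAMPLE_LOG" | failed_auth_summary; }
sample_suspicious() { sample_summary | suspicious_users "${1:-3}"; }

sample_summary
```

On a real box replace the sample with `grep 'auth failed' /var/log/maillog | failed_auth_summary`. Summing the "N attempts" counter matters: Dovecot logs one Disconnected line per session, so counting lines would undercount a client that tried several passwords per connection.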

unSpawn 02-21-2013 08:09 AM

I'm not given to speculation, so I'd rather point to trending info like for example Dshield output: https://secure.dshield.org/port.html?port=110. Even though this only takes into account machines that actually send their data to Dshield, as you can see the number of attempts fluctuates wildly, and given http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dovecot it's not linked to known / new (publicized) vulns either. Tweaking the Dovecot configuration may affect legitimate users. If your users reside in a manageable number of ranges you could consider adopting a Netfilter whitelisting policy; if not, then you could at least do rate limiting. Before you choose the latter, see http://snafu.priv.at/mystuff/pam_recent.c.

thelinuxist 02-22-2013 04:22 AM

OK, will read up on all this. For now, I used hosts.deny to block all attempts on ssh, dovecot and postfix from China, Japan, Russia and Romania, where most of our "problem traffic" comes from. That'll solve the problem, as most of our customers reside in Central Europe. Thanks for your helpful information!

unSpawn 02-23-2013 06:57 AM

Quote:

Originally Posted by thelinuxist (Post 4897353)
For now, I used hosts.deny

Quote:

Originally Posted by unspawn
Using tcp_wrappers means a packet has to be delivered to that service. The serving application is responsible for reading /etc/hosts.{deny,allow} to determine itself whether a connection is allowed or not. Requiring a network connection to be set up exposes the application to, for instance, malformed packets, and it requires disk I/O for having to write /etc/hosts.deny entries. Also, tcp_wrappers does not work if an application was not compiled with libwrap (as in 'ldd /path/to/application|grep libwrap').

For more please see http://www.linuxquestions.org/questi...iptables-3036/
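
The two points raised in this thread, the Netfilter whitelist-or-rate-limit suggestion a few posts up and the libwrap caveat just above, put into one script. This is an added example, not code from the thread, from the poster, or from any of the projects mentioned (it does not use pam_recent). It assumes: a port list covering Postfix and Dovecot listeners, a chain name MAIL_IN and xt_recent list name "mail", a threshold of 5 new connections per 60 seconds, and whitelist ranges taken from RFC 5737 documentation space. The ruleset is printed rather than applied, so it can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a daemon can honour
# /etc/hosts.deny at all, and generate iptables rules that drop or rate-limit
# unwanted mail clients in the kernel, before any daemon sees the packet.
# Ports, thresholds, chain/list names and whitelist ranges are assumptions.

MAIL_PORTS="25 110 143 587 993 995"   # Postfix and Dovecot listeners (assumed)
HITS=5      # new connections a non-whitelisted source may open ...
WINDOW=60   # ... within this many seconds before it gets dropped

# has_libwrap PATH: true only if the binary links libwrap, i.e. tcp_wrappers
# (and therefore hosts.deny) applies to it; otherwise hosts.deny is a no-op.
has_libwrap() {
    ldd "$1" 2>/dev/null | grep -q libwrap
}

# gen_mail_rules "CIDR CIDR ..." MODE
#   MODE=strict    only the whitelisted ranges may connect; everyone else is dropped
#   MODE=ratelimit whitelisted ranges are exempt; everyone else is held to
#                  HITS new connections per WINDOW seconds via xt_recent
gen_mail_rules() {
    whitelist=$1; mode=${2:-ratelimit}
    # Refuse anything that is not digits, dots and a slash, so the generated
    # commands never carry shell metacharacters from an untrusted list.
    for cidr in $whitelist; do
        case $cidr in
            *[!0-9./]*) printf 'bad range: %s\n' "$cidr" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "iptables -N MAIL_IN 2>/dev/null || iptables -F MAIL_IN"
    for cidr in $whitelist; do
        printf '%s\n' "iptables -A MAIL_IN -s $cidr -j ACCEPT"
    done
    case $mode in
        strict)
            printf '%s\n' "iptables -A MAIL_IN -j DROP" ;;
        ratelimit)
            # --set records the source; --update refreshes its timestamp and
            # drops once HITS hits fall inside WINDOW. Because --update refreshes,
            # a source that keeps hammering stays blocked until it backs off.
            printf '%s\n' "iptables -A MAIL_IN -m recent --name mail --set"
            printf '%s\n' "iptables -A MAIL_IN -m recent --name mail --update --seconds $WINDOW --hitcount $HITS -j DROP"
            printf '%s\n' "iptables -A MAIL_IN -j ACCEPT" ;;
        *)
            printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    # Only new connections are steered into the chain; established flows pass.
    for port in $MAIL_PORTS; do
        printf '%s\n' "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j MAIL_IN"
    done
}

gen_mail_rules "203.0.113.0/24 198.51.100.0/22" ratelimit
```

Run `has_libwrap /usr/sbin/dovecot` (or whatever path the service binary has) before relying on hosts.deny; if it is false, the country blocks from the earlier post never took effect for that daemon. Of the two modes, strict is the whitelisting policy and ratelimit the fallback for a customer base that cannot be enumerated. If the sticky behaviour of `--update` is unwanted, `--rcheck` tests the counter without refreshing it, and `-m hashlimit` can do the same per /24 instead of per address.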

thelinuxist 02-25-2013 02:15 AM

So using iptables would be more efficient for that? Will use that.
In fact, the cause of those log entries seemed to be just some bots roaming the net for insecure POP3 servers - still can't figure out why, but the rest of the week was calm on dovecot, no failed authentications and no strange log entries - just the usual useless tries on ssh, postfix and so on, that will probably not succeed for as long as I need to care (planning ahead for more than 300 years is imho unnecessary, because humanity will have eradicated itself then, and even if not, I seriously doubt that I still can be held responsible for any problem :-D).

