LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-19-2013, 08:27 AM   #1
thelinuxist
Member
 
Registered: Nov 2012
Location: Munich, Germany
Distribution: CentOS, Debian, Fedora, Ubuntu, DSL (whatever necessary)
Posts: 61

[CentOS][dovecot][Logwatch/fail2ban]Increase in attacks the last days


Greetings,

In the last few days, the amount of attacks on our Dovecot server has increased significantly. I can't imagine why, as our server is running an online store, so actually, none of the users receives anything confidential...
Well, bots trying their luck on SMTP servers like Postfix are nothing new, and I can imagine why (so can anyone, I'd suspect), but why in the world would anyone/anything try to hack a POP3 server?
The IPs and whois lookups point out that it's the "usual suspects": Chinese and Eastern European, for the most part, so it's not just a misconfigured computer.
Actually, using fail2ban, strong passwords and secure connections, we're safe, but still, it's disturbing and I'd like to know the reason for it. Does somebody know more?

Thanks for all answers!
 
Old 02-19-2013, 09:21 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

What kind of attacks are you seeing? Do you have any packet payload logging?
 
Old 02-20-2013, 01:11 AM   #3
thelinuxist
Member
Original Poster
Well, I've dug into that further - it's just people trying to log into our POP3 server as root - maybe brute force or DDoS?
Yesterday, there were about 230 attempts, but on normal days, we don't have more than 20 failed ones. Today, we had another 160 attempts. All unsuccessful, all of them as root, but still disturbing...
That's strange; as I said, I can't imagine what a POP3 server could be abused for, except accessing users' mail or maybe phishing?
The root account isn't configured to receive mail or to log in to Dovecot - I don't need to, since I (=root) have another user account and a few mail aliases (remembering Linux rule No. 1).
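The counting the poster describes (failed attempts per day, all as root) is what fail2ban's dovecot filter does internally. As an added example that is not part of this thread, the following POSIX shell functions pull the failing source IP and user name out of Dovecot 2.x `pop3-login` "auth failed" lines and flag sources that exceed a fail2ban-style `maxretry` threshold. The log lines are constructed (RFC 5737 documentation addresses), modelled on the Dovecot 2.x format, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of Dovecot 2.x pop3-login lines (not taken from the thread).
SAMPLE_LOG='Feb 19 08:01:11 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Feb 19 08:01:19 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Feb 19 08:02:03 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Feb 19 08:02:44 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Feb 19 08:03:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5, TLS'

# Read log lines on stdin; print "<count> <source-ip> <user>" for every
# failed login combination, most frequent first. Successful "Login:" lines
# are ignored because they never contain "auth failed".
failed_logins_by_ip() {
  grep 'auth failed' \
  | sed -n 's/.*user=<\([^>]*\)>.*rip=\([0-9.]*\).*/\2 \1/p' \
  | sort | uniq -c | sort -rn \
  | awk '{print $1, $2, $3}'
}

# Read log lines on stdin; print only the source IPs whose failure count
# reaches the given threshold (the equivalent of fail2ban's maxretry).
offending_ips() {
  threshold="$1"
  grep 'auth failed' \
  | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
  | sort | uniq -c \
  | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Stand-alone usage on the constructed sample; on a real host you would
# feed /var/log/maillog (CentOS) or journalctl -u dovecot instead.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | offending_ips 3
```

Running it against the sample reports the single source that produced three root failures, which is the kind of aggregate the poster was reading off Logwatch; the per-user column makes a campaign aimed at one account (here root) stand out from scattered mistyped passwords.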
 
Old 02-21-2013, 08:09 AM   #4
unSpawn
Moderator
I'm not given to speculation so I'd rather point to trending info like for example Dshield output: https://secure.dshield.org/port.html?port=110. Even though this only takes into account machines that actually send their data to Dshield, as you see the amount of attempts fluctuates wildly, and given http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dovecot it's not linked to known / new (publicized) vulns either. Tweaking Dovecot configuration may affect legitimate users. If your users reside in a manageable amount of ranges you could ponder adopting a Netfilter whitelisting policy; if not, then you could at least do rate limiting. Before you choose the latter see http://snafu.priv.at/mystuff/pam_recent.c.
 
Old 02-22-2013, 04:22 AM   #5
thelinuxist
Member
Original Poster
OK, will read into all this. For now, I used hosts.deny to block all attempts on ssh, dovecot and postfix from China, Japan, Russia and Romania, where most of our "problem traffic" comes from. That'll solve the problem, as most of our customers reside in Central Europe. Thanks for your helpful information!
 
Old 02-23-2013, 06:57 AM   #6
unSpawn
Moderator
Quote:
Originally Posted by thelinuxist
For now, I used hosts.deny
Quote:
Originally Posted by unspawn
Using tcp_wrappers means a packet has to be delivered to that service. The serving application is responsible for reading /etc/hosts.{deny,allow} to determine itself if a connection is allowed or not. Requiring a network connection being set up exposes the application to for instance malformed packets and it requires disk I/O for having to write /etc/hosts.deny entries. Also tcp_wrappers does not work if an application was not compiled with libwrap (as in 'ldd /path/to/application|grep libwrap').
For more please see http://www.linuxquestions.org/questi...iptables-3036/
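Post #4 suggests a Netfilter whitelisting policy where customer ranges are manageable, or rate limiting otherwise, and post #6 explains why that beats hosts.deny and how to check whether a daemon was even linked against libwrap. As an added example that is not part of the thread, the shell functions below do both: `has_libwrap` wraps the `ldd | grep libwrap` check, and `pop3_rules` emits the iptables commands for either policy on the POP3 ports without applying them, so the rule set can be reviewed before it is piped to a shell. The customer ranges are constructed RFC 5737 documentation networks, and the chain name and the 5-per-60-seconds limit are this example's own assumptions.

```shell
#!/bin/sh
# Assumed allow-list of customer ranges (constructed documentation addresses;
# substitute the real ranges from the whois lookups mentioned in the thread).
ALLOWED_RANGES="203.0.113.0/24 198.51.100.0/24"
# POP3 and POP3S; adjust if IMAP (143,993) should be covered too.
POP3_PORTS="110,995"

# Does a binary honour /etc/hosts.{allow,deny}? Exit status 0 = linked against
# libwrap, 1 = not linked (hosts.deny is silently ignored), 2 = ldd unavailable.
has_libwrap() {
  command -v ldd >/dev/null 2>&1 || return 2
  ldd "$1" 2>/dev/null | grep -q libwrap
}

# Emit iptables commands, one per line, for a dedicated POP3_IN chain.
# Nothing is applied here; review the output, then run: pop3_rules <mode> | sh
pop3_rules() {
  mode="$1"   # "allowlist" or "ratelimit"
  echo "iptables -N POP3_IN"
  # Only new connections are steered into the chain; established traffic
  # is expected to be accepted earlier in INPUT by a conntrack rule.
  echo "iptables -A INPUT -p tcp -m multiport --dports $POP3_PORTS -m conntrack --ctstate NEW -j POP3_IN"
  case "$mode" in
    allowlist)
      # Whitelisting: known customer ranges in, everything else dropped
      # before the packet ever reaches Dovecot.
      for r in $ALLOWED_RANGES; do
        echo "iptables -A POP3_IN -s $r -j ACCEPT"
      done
      echo "iptables -A POP3_IN -j DROP"
      ;;
    ratelimit)
      # Rate limiting with the recent match: at most 5 new connections per
      # source per 60 s; the 6th and later are logged and dropped.
      echo "iptables -A POP3_IN -m recent --name pop3 --set"
      echo "iptables -A POP3_IN -m recent --name pop3 --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'POP3-RATELIMIT: '"
      echo "iptables -A POP3_IN -m recent --name pop3 --update --seconds 60 --hitcount 6 -j DROP"
      echo "iptables -A POP3_IN -j ACCEPT"
      ;;
    *)
      echo "usage: pop3_rules allowlist|ratelimit" >&2
      return 1
      ;;
  esac
}

# Stand-alone usage: show both rule sets and check a binary for libwrap.
pop3_rules allowlist
pop3_rules ratelimit
has_libwrap /usr/sbin/dovecot && echo "dovecot: hosts.deny is consulted" || echo "dovecot: hosts.deny not consulted (or ldd missing)"
```

The rate-limit variant answers the concern in post #6 only partially: the kernel still sees the SYN, but Dovecot never does for dropped sources, and no disk write is needed per offender since the recent table lives in kernel memory. Dovecot's own login processes are what `ldd` should be run against, since a daemon that spawns helpers may link libwrap in the helper rather than the main binary.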
 
Old 02-25-2013, 02:15 AM   #7
thelinuxist
Member
Original Poster
So using iptables would be more efficient for that? Will use that.
In fact, the cause of those log entries seemed to be just some bots roaming the net for insecure POP3 servers - still can't figure out why, but the rest of the week was calm on dovecot, no failed authentications and no strange log entries - just the usual useless tries on ssh, postfix and so on, that will probably not succeed for as long as I need to care (planning ahead for more than 300 years is imho unnecessary, because humanity will have eradicated itself then, and even if not, I seriously doubt that I still can be held responsible for any problem :-D).
 