How possible/likely is a brute force attack on a Postfix mail server?
My client's mail server has been compromised. Someone has obtained the account - and has used it to send spam.
The password is 12 characters and quite 'strong' - a mix of lower and upper case letters, numbers and non character characters.
I assumed that the password was somehow 'sniffed' on his local network. But I have also seen a lot of brute force attempts - multiple LOGIN attempts failing.
Is it actually possible for a brute force attack to be successful? How likely is this?
Thanks
--Justin Wyllie
Last edited by justinwyllie; 07-08-2014 at 03:35 PM.
( If this is related to this earlier question of yours then I, with all due respect, strongly suggest you let somebody capable handle it. Five months simply is way too long. ) Note credentials can be leeched and spam can be sent in different ways. What's more, in computing, conditions can be tested: true or false. There's no need for "thinking", "what ifs" or debating "likeliness": an investigation of the user login database, processes, changed files, log files and client is in order. Would you like us to help you with that?
Any chance of answering the question rather than the superior tone? (I thought that was the point of forums such as these).
The poster is the same. (Well spotted). But the case is different. So, no, the server has not been sending out spam for 5 months. Well done for telling me that "credentials can be leached and spam can be sent in different ways". I would never have guessed. As far as "what ifs" I don't see any in my post. It is a serious computing question. People who do in fact know a great deal more about computing than myself spend a lot of time discussing matters such as length of passwords, how long it can take to crack one etc. It matters a great deal. Brute force attacks are common. That suggests to me that sometimes they are successful. Is this the case? What length of password might prevent this? (Of course I have researched other methods of stopping brute force attacks). My question is not as you appear to believe: a sort of random guessing because I haven't looked at the logs and started to analyse the details or know that that is the way to solve this problem (not the one from 5 months ago). I am genuinely interested. Do mail servers ever get successfully hacked as a result of brute force attacks? If anyone here would like to answer that I would be very interested. I'll go elsewhere if (as is quite likely) I need help with the specifics.
Thanks.
Last edited by justinwyllie; 07-08-2014 at 05:11 PM.
Unless the password is really easy to hack, it's unlikely that it was brute forced. Like I suggested, it's more likely that they obtained the authentication information either from another source that's been exploited and/or are sending the email from exploited software, not directly through authentication to the Postfix server itself.
Sounds like a wordpress server that's been exploited.
Hi Ken
That's very useful. Can you tell me why you think that? I have seen connections being made from my client's network (I mean his office, which connects to the server) by what I believe to be the malware. But the server is full of WordPress sites with all kinds of exotic plugins. So that could well be part of it.
Automated attacks/exploits on wordpress are the most common reason for the complaint you have. At least in my experience. Yes the plugins would allow them in quickly.
These are from maillog. There were loads of the LOGIN FAILED before this (represented by two dots).
The IP was that of my client's office. I read this as a series of login attempts, possibly guessing or part guessing the password. Then there is a success. There is one more failed login before the software has caught up with itself. Then, now it has the password, it fires up loads of client connections on different ports so as to be able to send as much spam as possible.
Is this a correct interpretation? But, if so, then surely the multiple failed attempts followed by a successful one suggest some kind of dictionary attack? That threw me because, as Ken has suggested, only simple passwords are likely to be 'cracked' by a brute force attack. Secondly, given this, if there is a connection to WordPress, what should I be looking for? How do we get from WordPress to this malware on my client's office computer?
Thanks again
Last edited by justinwyllie; 07-08-2014 at 05:27 PM.
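The pattern the poster describes (a run of LOGIN FAILED lines from one address, then a LOGIN, then many more LOGINs on different ports) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread: it parses courier-pop3d style "LOGIN" / "LOGIN FAILED" lines (an assumed format, since the thread's actual maillog excerpt is not shown), tallies failed and successful logins per source address and user, and flags every successful login that was preceded by a streak of failures from the same address and user. The sample lines are constructed; the addresses are documentation ranges.

```python
import re

# Constructed sample lines in the style of courier-pop3d's LOGIN / LOGIN FAILED
# messages (assumed format; NOT the maillog lines from the thread). The last line
# is a Postfix line that the parser should ignore.
SAMPLE_MAILLOG = """\
Jul  8 16:40:01 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:03 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:05 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:07 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:09 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:11 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:13 mail pop3d: LOGIN, user=justin, ip=[::ffff:203.0.113.5], port=[51202]
Jul  8 16:40:14 mail pop3d: LOGIN FAILED, user=justin, ip=[::ffff:203.0.113.5]
Jul  8 16:40:15 mail pop3d: LOGIN, user=justin, ip=[::ffff:203.0.113.5], port=[51210]
Jul  8 16:40:15 mail pop3d: LOGIN, user=justin, ip=[::ffff:203.0.113.5], port=[51211]
Jul  8 16:40:16 mail pop3d: LOGIN, user=justin, ip=[::ffff:203.0.113.5], port=[51212]
Jul  8 16:41:00 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Jul  8 16:41:02 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Jul  8 16:41:05 mail postfix/smtpd[1234]: connect from unknown[198.51.100.7]
"""

# syslog timestamp, host, daemon, then "LOGIN" or "LOGIN FAILED" with user and ip
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>pop3d|imapd): "
    r"LOGIN(?P<failed> FAILED)?, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def parse_line(line):
    """Return a dict for a pop3d/imapd LOGIN line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip = m.group("ip")
    if ip.startswith("::ffff:"):  # strip the IPv4-mapped IPv6 prefix courier logs
        ip = ip[len("::ffff:"):]
    return {"ts": m.group("ts"), "user": m.group("user"), "ip": ip,
            "ok": m.group("failed") is None}


def count_logins(log_text):
    """Per (ip, user): [failed, succeeded] totals over the whole log."""
    totals = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        t = totals.setdefault((ev["ip"], ev["user"]), [0, 0])
        t[1 if ev["ok"] else 0] += 1
    return totals


def find_guess_then_success(log_text, threshold=5):
    """Flag each successful login that was preceded, for the same (ip, user),
    by at least `threshold` failures with no success in between."""
    streak = {}      # (ip, user) -> consecutive failures since the last success
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        if not ev["ok"]:
            streak[key] = streak.get(key, 0) + 1
            continue
        failures = streak.pop(key, 0)   # a success resets the streak
        if failures >= threshold:
            findings.append({"ip": ev["ip"], "user": ev["user"],
                             "failures_before": failures, "success_at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_guess_then_success(SAMPLE_MAILLOG):
        print("guess-then-success:", f)
    for (ip, user), (fail, ok) in count_logins(SAMPLE_MAILLOG).items():
        print(f"{ip} {user}: {fail} failed, {ok} succeeded")
```

Run it against the real file with `find_guess_then_success(open("/var/log/maillog").read())`. A hit from an address that is not the client's office is the interesting case; a hit from the office address, as in the thread, points at something on the office network that already held or was guessing the password, which is consistent with the malware theory rather than an Internet-wide brute force.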
Thanks Ken for your extremely helpful suggestion. In a WordPress uploads directory I find all sorts of interesting things...
The trick, once you put me on the right track, was to use the mail.log configuration setting in PHP (available from >= 5.3.0) which logs all uses of the mail() function.
Now, as you say, the problem is plugging the hole.
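The `mail.log` setting the poster used is set in php.ini (for example `mail.log = /var/log/php_mail.log`, with `mail.add_x_header = On` also stamping each message with an `X-PHP-Originating-Script` header). The script below is an added example, not code from the thread: it parses the resulting log (the `[date] mail() on [script:line]: To: ... -- Headers: ...` format is assumed from PHP's behaviour, and the sample entries, paths and addresses are constructed), counts `mail()` calls per calling script, and flags scripts that either sit under a web-writable directory such as `wp-content/uploads`, where no PHP should ever execute, or that sent an unusually high number of messages.

```python
import re
from collections import Counter

# Constructed sample entries in the style PHP writes when php.ini has mail.log set
# (assumed format; paths and addresses are invented, not from the thread).
SAMPLE_PHP_MAIL_LOG = """\
[08-Jul-2014 17:02:11 UTC] mail() on [/var/www/example/wp-content/uploads/2014/07/cache.php:3]: To: one@example.net -- Headers: From: info@example.com
[08-Jul-2014 17:02:11 UTC] mail() on [/var/www/example/wp-content/uploads/2014/07/cache.php:3]: To: two@example.net -- Headers: From: info@example.com
[08-Jul-2014 17:02:12 UTC] mail() on [/var/www/example/wp-content/uploads/2014/07/cache.php:3]: To: three@example.net -- Headers: From: info@example.com
[08-Jul-2014 17:05:40 UTC] mail() on [/var/www/example/wp-content/plugins/contact-form/form.php:88]: To: owner@example.com -- Headers: From: visitor@example.org
"""

ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^\]]+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)


def parse_entries(text):
    """Parse every mail() log entry into a dict; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        entries.append({"ts": m.group("ts"), "script": m.group("script"),
                        "line": int(m.group("line")), "to": m.group("to"),
                        "headers": m.group("headers")})
    return entries


def calls_per_script(entries):
    """Number of mail() calls made by each script path."""
    return Counter(e["script"] for e in entries)


def recipients_per_script(entries):
    """Distinct recipient count per script; spam senders fan out widely."""
    seen = {}
    for e in entries:
        seen.setdefault(e["script"], set()).add(e["to"])
    return {script: len(addrs) for script, addrs in seen.items()}


def suspicious_scripts(entries, writable_dirs=("/wp-content/uploads/",), min_calls=3):
    """Scripts that live in a web-writable directory (PHP should never run from
    uploads) or that made at least min_calls mail() calls, most active first."""
    counts = calls_per_script(entries)
    fanout = recipients_per_script(entries)
    flagged = []
    for script, n in counts.most_common():
        in_writable = any(d in script for d in writable_dirs)
        if in_writable or n >= min_calls:
            flagged.append({"script": script, "calls": n,
                            "recipients": fanout[script],
                            "in_writable_dir": in_writable})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_scripts(parse_entries(SAMPLE_PHP_MAIL_LOG)):
        print(hit)
```

A script flagged with `in_writable_dir` is the file to pull for examination; the `line` field tells you which `mail()` call inside it fired, and the `headers` field shows what From: address the spam was forged with.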
1. OK, he got the password, he got the access. So a password change and a lot of manual modification in all configuration files can save us from catastrophic damage.
2. You are continuously getting brute-force attacks from the IP; block it using IPTables.
3. Your client must connect to some local/VPN network to access your server. Use IPTables and allow that particular server to be accessed from those IPs only. So you can stop all access from unauthorized IPs: even if they know the password, they are not from an authorized location, so no access.
4. Not only the IP; change the default port number also. You know all services have a default, and attacks usually fall upon that port. If you change the port number then the attack will be sent to a port which is not running any service, and you can close those ports.
So even if he knows the credentials he can't do anything, because to enter your network he must know your network structure: what to ping and how to pong.
Yes, I'd say that the logs you show have nothing to do with the server sending mail. The pop3 daemon is to receive mail not send. SMTP authentication may or may not be on.
Like I said it's a wordpress box that's been exploited. Isolate from the internet and cleanup or re-install and do not add any plugins or themes unless they are required, also keep up with updates/patches.