LinuxQuestions.org
Old 09-14-2013, 10:17 AM   #1
ScottG
LQ Newbie
 
Registered: Sep 2013
Posts: 16

Postfix/SMTPD brute force attack - what is it trying to do?


For over 24 hours now, my CentOS 6 server has been bombarded with the following Postfix connections. There are thousands of these log entries. I have set up Fail2ban, which has now banned over 10000 IPs, but this has only slowed it down slightly :-(

I'm fairly certain my server is still secure but would like to know what is happening. I also don't know if it is a large botnet (10000+ IPs banned so far and still going!) or if the IPs are spoofed. If it is the latter, then I assume Fail2ban is not going to achieve anything, as they will just spoof another random address?

My question is, what is this trying to achieve? And how can I stop it?

Thanks in advance for any help.

Logfile snippet:

Code:
Sep 14 11:37:19 myservername  postfix/smtpd[14623]: lost connection after UNKNOWN from unknown[182.189.132.235]
Sep 14 11:37:19 myservername  postfix/smtpd[14623]: disconnect from unknown[182.189.132.235]
Sep 14 11:37:21 myservername  postfix/smtpd[6810]: lost connection after UNKNOWN from unknown[46.224.255.79]
Sep 14 11:37:21 myservername  postfix/smtpd[6810]: disconnect from unknown[46.224.255.79]
Sep 14 11:37:22 myservername  postfix/smtpd[7709]: connect from unknown[46.224.255.79]
Sep 14 11:37:26 myservername  postfix/smtpd[19646]: connect from unknown[188.245.175.140]
Sep 14 11:37:29 myservername  postfix/smtpd[19634]: connect from unknown[2.185.92.51]
Sep 14 11:37:29 myservername  postfix/smtpd[7709]: lost connection after UNKNOWN from unknown[46.224.255.79]
Sep 14 11:37:29 myservername  postfix/smtpd[7709]: disconnect from unknown[46.224.255.79]
Sep 14 11:37:32 myservername  postfix/smtpd[19646]: lost connection after UNKNOWN from unknown[188.245.175.140]
Sep 14 11:37:32 myservername  postfix/smtpd[19646]: disconnect from unknown[188.245.175.140]
Sep 14 11:37:33 myservername  postfix/smtpd[63325]: connect from unknown[117.195.86.187]
Sep 14 11:37:35 myservername  postfix/smtpd[14623]: connect from ppp-115-87-13-125.revip4.asianet.co.th[115.87.13.125]
Sep 14 11:37:35 myservername  postfix/smtpd[19634]: lost connection after UNKNOWN from unknown[2.185.92.51]
Sep 14 11:37:35 myservername  postfix/smtpd[19634]: disconnect from unknown[2.185.92.51]
Sep 14 11:37:39 myservername  postfix/smtpd[63325]: lost connection after UNKNOWN from unknown[117.195.86.187]
Sep 14 11:37:39 myservername  postfix/smtpd[63325]: disconnect from unknown[117.195.86.187]
Sep 14 11:37:40 myservername  postfix/smtpd[14623]: lost connection after CONNECT from ppp-115-87-13-125.revip4.asianet.co.th[115.87.13.125]
Sep 14 11:37:40 myservername  postfix/smtpd[14623]: disconnect from ppp-115-87-13-125.revip4.asianet.co.th[115.87.13.125]
Sep 14 11:37:46 myservername  postfix/smtpd[6810]: connect from unknown[37.255.61.201]
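A quick way to get a per-client view of the maillog lines above (an added example, not from the thread): it counts, for each client IP, how many sessions ended with "lost connection after UNKNOWN" (the client never sent a valid SMTP command) versus after a real command, and how many distinct addresses are involved. It assumes the stock Postfix log line format shown in the snippet.

```shell
#!/bin/sh
# Added example: summarise Postfix smtpd sessions from the maillog by client
# address, so you can see whether a few hosts or many are involved.
# Assumes the stock Postfix log format shown in the thread.

summarise_smtpd() {
    # stdin: maillog lines; stdout: "<ip> <lost_after_UNKNOWN> <lost_after_other>"
    awk '
        /postfix\/smtpd\[[0-9]+\]: lost connection after / {
            # the client IP is the text inside the last [...] on the line
            ip = $0; sub(/.*\[/, "", ip); sub(/\].*/, "", ip)
            if ($0 ~ /lost connection after UNKNOWN/) unknown[ip]++
            else other[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s %d %d\n", ip, unknown[ip] + 0, other[ip] + 0
        }' | sort
}

distinct_peers() {
    # number of distinct client addresses behind the lost-connection lines
    summarise_smtpd | wc -l | tr -d ' '
}

# Sample input: a constructed subset of the maillog snippet posted above.
SAMPLE='Sep 14 11:37:19 myservername  postfix/smtpd[14623]: lost connection after UNKNOWN from unknown[182.189.132.235]
Sep 14 11:37:21 myservername  postfix/smtpd[6810]: lost connection after UNKNOWN from unknown[46.224.255.79]
Sep 14 11:37:29 myservername  postfix/smtpd[7709]: lost connection after UNKNOWN from unknown[46.224.255.79]
Sep 14 11:37:40 myservername  postfix/smtpd[14623]: lost connection after CONNECT from ppp-115-87-13-125.revip4.asianet.co.th[115.87.13.125]
Sep 14 11:37:46 myservername  postfix/smtpd[6810]: connect from unknown[37.255.61.201]'

# Real use: summarise_smtpd < /var/log/maillog
printf '%s\n' "$SAMPLE" | summarise_smtpd
echo "distinct peers: $(printf '%s\n' "$SAMPLE" | distinct_peers)"
```

Note that Postfix only logs "connect from" once the TCP handshake has completed, so the addresses in these lines did receive the server's reply and are not blindly spoofed.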
 
Old 09-15-2013, 05:06 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by ScottG View Post
how can I stop it?
In essence you can't stop it since you don't control remote hosts. What you can do is:
- not run a public MTA if you don't really need to,
- expose your MTA only to certain subnets if it's used by a select set of users,
- ensure Postfix runs with all the common reject_rbl_client RBLs and common anti spam settings,
- limit the maximum amount of new connections per minute in the firewall,
- performance-wise reconfigure fail2ban to use ipset in the raw table PREROUTING chain instead of having it pollute the default filter table INPUT chain with rules.
 
Old 09-16-2013, 01:38 PM   #3
ScottG
LQ Newbie
 
Registered: Sep 2013
Posts: 16

Original Poster
Update

Update:

I have now discovered that one of the websites on the same server is being attacked as well. From what I can gather, they are posting variables to the default webpage in the hope of tripping across an undeclared variable - does that seem about right? (See logfile snippet below.) The website has register_globals off and all variables are declared, so I *think* it is safe from this type of attack? Unless anyone knows otherwise? The server is fully up to date, so I am hoping that it is OK from this and the above attack, but it is still a worry when an attack is so sustained!

I have had to turn off fail2ban as it was using more resources blocking the IPs than the attack itself - this became apparent when the number of blocked IPs got above 22,000 and the server started having memory issues! And both attacks had barely slowed! Thanks to unSpawn for the suggestions; I am going through those now. I can see how to use ipset but am struggling with the PREROUTING side of the rule. Do I need to amend the action sections in action.d/iptables-ipset-proto4.conf, or am I way off track? (I have tried to Google it, but the only mention I can find of fail2ban + PREROUTING is your post from elsewhere on this forum.)

The server is only a couple of months old and doesn't host anything worth hacking, so I assume they are just trying to add it to the collective? Either that or I pissed off some serious hacker somewhere!

What are people's experiences with attacks like this? Do they eventually move on, or do they just keep on going until they find an exploit? It has now been going for well over 48 hours and is showing no signs of slowing :-(

Also, I am not very up on hacking but it seems to me that this is not a botnet as the attack comes in a steady stream and not in waves and floods as I assume it would if coming from lots of different machines? So is it possible this is just one (or just a few machines) that are spoofing their IP?

Sorry for all the questions - just trying to get a better handle on the situation.

Apache logfile snippet:
Code:
5.250.8.229 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.184.114 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.186.101.240 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
197.207.28.35 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.113.74.117 - - [16/Sep/2013:18:21:59 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
114.79.18.146 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.162.240.22 - - [16/Sep/2013:18:22:00 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.217.30.206 - - [16/Sep/2013:18:22:00 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
101.63.154.142 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
186.5.57.196 - - [16/Sep/2013:18:22:00 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
46.172.187.242 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.184.114 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.108.202.218 - - [16/Sep/2013:18:22:02 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.107.188.67 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.242.37 - - [16/Sep/2013:18:21:59 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
115.78.132.139 - - [16/Sep/2013:18:22:03 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.131.57.118 - - [16/Sep/2013:18:22:03 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.141.216.12 - - [16/Sep/2013:18:22:04 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
187.131.141.46 - - [16/Sep/2013:18:22:05 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
159.224.246.56 - - [16/Sep/2013:18:22:06 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 
Old 09-17-2013, 04:43 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Sorry for the late reply.

Quote:
Originally Posted by ScottG View Post
I *think* it is safe from this type of attack? Unless anyone knows otherwise?
Kind of depends on what software is running in the web stack? Check the software for the latest versions first, I'd say, and don't exclude 3rd party plugins, themes, etc., etc.


Quote:
Originally Posted by ScottG View Post
I can see how to use ipset but struggling with the PREROUTING side of the rule? Do I need to amend the action sections in action.d/iptables-ipset-proto4.conf or am I way off track?
Yes, you should change the "iptables -I INPUT" and "iptables -D INPUT" to "iptables -t raw -I PREROUTING" and "iptables -t raw -D PREROUTING".


Quote:
Originally Posted by ScottG View Post
The server is only a couple of months old and doesn't host anything worth hacking so I assume they are just trying to add it to the collective? Either that or I pissed off some serious hacker somewhere!
I wouldn't read anything into it: mostly these are just "dumb" scripts trying to pick low hanging fruit.


Quote:
Originally Posted by ScottG View Post
What are peoples experience with attacks like this? Do they eventually move on or do they just keep on going until they find an exploit? It has now been going for well over 48 hours and showing no signs of slowing :-(
Yes, they usually move on.


Quote:
Originally Posted by ScottG View Post
Also, I am not very up on hacking but it seems to me that this is not a botnet as the attack comes in a steady stream and not in waves and floods as I assume it would if coming from lots of different machines? So is it possible this is just one (or just a few machines) that are spoofing their IP?
Not enough nfo.


Quote:
Originally Posted by ScottG View Post
Sorry for all the questions - just trying to get a better handle on the situation.
Asking questions is always good.
 
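The two firewall changes suggested in this thread (a single ipset-backed DROP rule in the raw table PREROUTING chain instead of one INPUT rule per banned address, plus a per-source limit on new SMTP connections per minute), written out as plain iptables/ipset commands. This is an added example, not fail2ban's own action file or the thread's code; it assumes iptables with the "set" and "hashlimit" matches and ipset 6 syntax, and the set name and the 10/minute threshold are placeholders to tune.

```shell
#!/bin/sh
# Added example: ipset + raw PREROUTING ban list and a new-connection rate limit
# for Postfix on port 25. Run with DRY_RUN=1 to preview the commands.
# Assumptions: iptables "set" and "hashlimit" matches, ipset 6 syntax;
# SET_NAME and NEW_PER_MIN are placeholder values to adjust.

SET_NAME="banned-smtp"
SMTP_PORT=25
NEW_PER_MIN="10/min"

run() {
    # DRY_RUN=1 prints the command instead of executing it
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

apply_ban_set() {
    # what fail2ban's actionstart does after the "-t raw -I PREROUTING" edit:
    # one rule consulting the set, checked before connection tracking runs
    run ipset create "$SET_NAME" hash:ip
    run iptables -t raw -I PREROUTING -p tcp --dport "$SMTP_PORT" \
        -m set --match-set "$SET_NAME" src -j DROP
}

remove_ban_set() {
    # the actionstop counterpart: -D instead of -I, then destroy the set
    run iptables -t raw -D PREROUTING -p tcp --dport "$SMTP_PORT" \
        -m set --match-set "$SET_NAME" src -j DROP
    run ipset destroy "$SET_NAME"
}

ban_ip() {
    # what an actionban does for a matched address: add it to the set,
    # no per-address iptables rule needed
    run ipset add "$SET_NAME" "$1"
}

limit_new_smtp() {
    # drop sources opening more than NEW_PER_MIN new connections to port 25;
    # one hashlimit rule covers every source, so INPUT stays small
    run iptables -I INPUT -p tcp --dport "$SMTP_PORT" -m state --state NEW \
        -m hashlimit --hashlimit-name smtp-new --hashlimit-mode srcip \
        --hashlimit-above "$NEW_PER_MIN" --hashlimit-burst 10 -j DROP
}

# Preview everything without touching the firewall:
DRY_RUN=1 apply_ban_set
DRY_RUN=1 limit_new_smtp
```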
Old 09-17-2013, 04:48 PM   #5
ScottG
LQ Newbie
 
Registered: Sep 2013
Posts: 16

Original Poster
Thanks once again unSpawn - awesome stuff! So glad I found this forum.
Tags
fail2ban, postfix, smtpd