LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 10-28-2016, 12:43 PM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Preventing postfix from being hacked


I am getting thousands of messages similar to those below in /var/log/maillog. Looks like someone is trying to hack me, but I am not sure. What do you think is happening? What could I do to figure it out, and if a hack, what can I do to prevent it?

Code:
Oct 28 09:33:08 devserver postfix/error[11544]: D1D4920105A: to=<fail2ban@example.com>, relay=none, delay=0.09, delays=0.06/0/0/0.04, dsn=4.7.8, status=deferred (delivery temporarily suspended: SASL authentication failed; server smtp.gmail.com[173.194.202.108] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials h9sm5513927paw.18 - gsmtp)
Oct 28 09:33:11 devserver postfix/smtp[11506]: 52CB9200538: SASL authentication failed; server smtp.gmail.com[173.194.202.108] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials a78sm20048591pfj.44 - gsmtp
Oct 28 09:33:12 devserver postfix/smtp[11506]: 52CB9200538: to=<you@example.com>, relay=smtp.gmail.com[173.194.202.109]:587, delay=47066, delays=47061/0.1/5.8/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[173.194.202.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials g27sm4254884pfj.46 - gsmtp)
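The question asked above (is this an attack, and how do you tell?) can be answered from the maillog itself once the lines are grouped by queue id. A message that postfix picked up from the local queue (a `postfix/pickup` line with `uid=0 from=<root>`) was generated on the box, which is what a Fail2Ban notification looks like; a message that entered through `postfix/smtpd` with a `client=host[ip]` line was submitted from outside, which is what relay abuse looks like. The script below is an added example written for this thread, not code from the poster or from postfix; it assumes the standard postfix log format shown in the post, and the sample lines and the client address 203.0.113.45 are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines modelled on the excerpt in the post (not real
# traffic): one message queued locally (pickup, uid=0), one retry sitting in the
# error queue, and one injected by a remote client (203.0.113.45 is a
# documentation address) so the two origins can be told apart.
SAMPLE_LOG = """\
Oct 28 09:32:21 devserver postfix/pickup[11400]: 52CB9200538: uid=0 from=<root>
Oct 28 09:32:21 devserver postfix/cleanup[11402]: 52CB9200538: message-id=<20161028163221.52CB9200538@devserver.example.lan>
Oct 28 09:33:11 devserver postfix/smtp[11506]: 52CB9200538: SASL authentication failed; server smtp.gmail.com[173.194.202.108] said: 535-5.7.8 Username and Password not accepted.
Oct 28 09:33:12 devserver postfix/smtp[11506]: 52CB9200538: to=<you@example.com>, relay=smtp.gmail.com[173.194.202.109]:587, delay=47066, delays=47061/0.1/5.8/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[173.194.202.109] said: 535-5.7.8 Username and Password not accepted.)
Oct 28 09:33:08 devserver postfix/error[11544]: D1D4920105A: to=<fail2ban@example.com>, relay=none, delay=0.09, delays=0.06/0/0/0.04, dsn=4.7.8, status=deferred (delivery temporarily suspended: SASL authentication failed; server smtp.gmail.com[173.194.202.108] said: 535-5.7.8 Username and Password not accepted.)
Oct 28 09:40:02 devserver postfix/smtpd[11600]: connect from unknown[203.0.113.45]
Oct 28 09:40:03 devserver postfix/smtpd[11600]: 7A1B2300421: client=unknown[203.0.113.45]
Oct 28 09:40:03 devserver postfix/cleanup[11402]: 7A1B2300421: message-id=<20161028164003.7A1B2300421@devserver.example.lan>
Oct 28 09:40:04 devserver postfix/smtp[11506]: 7A1B2300421: to=<someone@example.net>, relay=smtp.gmail.com[173.194.202.109]:587, delay=1.2, delays=0.5/0.1/0.4/0.2, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[173.194.202.109] said: 535-5.7.8 Username and Password not accepted.)
"""

# syslog timestamp, host, postfix daemon, queue id, remainder of the line
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<name>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]")
RELAY_RE = re.compile(r"relay=(?P<relay>\S+?),")
TO_RE = re.compile(r"to=<([^>]*)>")


def parse_line(line):
    """Split one maillog line into its fields; None for lines without a queue id."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(log_text):
    """Group lines by queue id and record how each message entered postfix
    ("local:..." via pickup, "remote:<ip>" via smtpd, or "unknown" if the
    originating lines are not in the excerpt) plus its SASL-related deferrals."""
    queues = defaultdict(lambda: {"origin": "unknown", "sasl_deferrals": 0,
                                  "recipients": [], "relays": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q, rest = queues[rec["qid"]], rec["rest"]
        if rec["prog"] == "pickup":
            q["origin"] = "local:" + rest          # e.g. local:uid=0 from=<root>
        elif rec["prog"] == "smtpd":
            cm = CLIENT_RE.search(rest)
            if cm:
                q["origin"] = "remote:" + cm.group("ip")
        if "status=deferred" in rest and "SASL authentication failed" in rest:
            q["sasl_deferrals"] += 1
        to = TO_RE.search(rest)
        if to:
            q["recipients"].append(to.group(1))
        rm = RELAY_RE.search(rest)
        if rm and rm.group("relay") != "none":
            q["relays"].append(rm.group("relay"))
    return dict(queues)


def summarize(log_text):
    """Count messages by origin and collect the remote submitters, if any."""
    summary = {"local": 0, "remote": 0, "unknown": 0,
               "sasl_deferrals": 0, "remote_ips": set()}
    for q in classify(log_text).values():
        kind, _, detail = q["origin"].partition(":")
        summary[kind] += 1
        summary["sasl_deferrals"] += q["sasl_deferrals"]
        if kind == "remote":
            summary["remote_ips"].add(detail)
    return summary


if __name__ == "__main__":
    for qid, q in classify(SAMPLE_LOG).items():
        print(qid, q["origin"], "deferrals:", q["sasl_deferrals"], "to:", q["recipients"])
    print(summarize(SAMPLE_LOG))
```

Run it against a real `/var/log/maillog` by reading the file into `summarize()`. If every deferred message is `local:` and addressed to your own mailbox, the volume is self-inflicted noise from a local sender with bad relay credentials; `remote:` entries are the ones worth worrying about. For a queue id that comes out `unknown`, look further back in the log or at `postcat -q <queue id>`, which prints the envelope the way post #3 shows.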
 
Old 10-29-2016, 10:40 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 15,699

Rep: Reputation: 2222
You have put up very little information.
On the snippet you provided, it looks like someone is using your box as a relay. Now I know next to nothing about your server, and I suspect you may have the same problem.
Things you can do are: restrict who can send mail; change passwords to secure ones; increase logging of everything to debug level; update any programs that are running; and go to town tightening up on permissions; make sure nobody can send mail except who you want.

Then you can sort out who the (expletive deleted) is sending these barrages of mail and nobble their account, if they're a user. Act smartly or you'll find yourself on spamhaus.org and your legit email will be bounced.
 
Old 10-30-2016, 08:44 AM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Thank you Business Kid for your reply.

Sorry, I know I didn't give you much, but didn't know where to start. Good news is no one is using my email server. Bad news is I am getting thousands of SSH break-in attempts. Looked at some of the emails, and they are generated by fail2ban trying to send out an email, but I must not have configured something correctly.

Code:
*** ENVELOPE RECORDS maildrop/32BED200349 ***
message_arrival_time: Sun Oct 30 05:31:07 2016
named_attribute: rewrite_context=local
sender_fullname: root
sender: fail2ban@example.com
recipient: you@example.com
*** MESSAGE CONTENTS maildrop/32BED200349 ***
regular_text: Subject: [Fail2Ban] SSH: banned 221.229.172.71 from devserver.michaels.lan
regular_text: Date: Sun, 30 Oct 2016 05:31:07 -0700
regular_text: From: Fail2Ban <fail2ban@example.com>
regular_text: To: you@example.com
regular_text:
regular_text: Hi,
regular_text:
regular_text: The IP 221.229.172.71 has just been banned by Fail2Ban after
regular_text: 5 attempts against SSH.
regular_text:
regular_text:
regular_text: Here is more information about 221.229.172.71 :
regular_text:
regular_text: missing whois program
regular_text:
regular_text: Regards,
regular_text:
unterminated_text: Fail2Ban
*** HEADER EXTRACTED maildrop/32BED200349 ***
*** MESSAGE FILE END maildrop/32BED200349 ***
[root@devserver ~]#
 
Old 10-30-2016, 07:01 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Check your ssh jail for directives such as
Code:
sendmail-whois
and/or
Code:
sendmail-whois-lines
where sender=fail2ban@example.com

You customized your ssh jail, yes? The name is non-standard/default.

Rem those out.
bounce fail2ban.
Check for mail "noise"
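The steps in the reply above (find the mail-sending directives in the jail, rem them out, bounce fail2ban) can be done mechanically. The script below is an added example for this thread, not Habitual's code and not part of fail2ban; it reads a jail file in fail2ban's INI layout, lists every enabled jail whose `action` entries send mail, and writes back a copy with those entries removed. The jail file is constructed for the demonstration. Beyond the two names the reply cites, it also assumes the other stock fail2ban mail actions (`sendmail`, `mail`, `mail-whois`, `mail-whois-lines`) and the `%(action_mw)s` / `%(action_mwl)s` shorthands from the default jail.conf, which expand to ban plus sendmail-whois(-lines).

```python
import configparser
import re

# Constructed jail.local in fail2ban's INI layout (not the poster's file).
# [ssh] carries a literal sendmail-whois action; [postfix] uses the
# %(action_mwl)s shorthand but is disabled, so it must be left alone.
SAMPLE_JAIL = """\
[DEFAULT]
bantime = 600
destemail = you@example.com
sender = fail2ban@example.com
action = %(action_)s

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 5
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s"]

[postfix]
enabled = false
action = %(action_mwl)s
"""

# Stock action.d names that send mail (assumed from the default fail2ban
# install), plus the jail.conf shorthands that include a mail action.
MAIL_ACTIONS = {"sendmail", "sendmail-whois", "sendmail-whois-lines",
                "mail", "mail-whois", "mail-whois-lines"}
MAIL_SHORTHANDS = {"%(action_mw)s", "%(action_mwl)s"}


def load(cfg_text):
    # interpolation=None keeps %(...)s references as literal text instead of
    # trying to expand them against options that only exist in jail.conf.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return cp


def is_mail_action(entry):
    """True for 'sendmail-whois[...]'-style entries and the mail shorthands."""
    return entry in MAIL_SHORTHANDS or entry.split("[", 1)[0].strip() in MAIL_ACTIONS


def mail_actions(cfg_text):
    """List (jail, action entry) for every enabled jail that sends mail."""
    cp = load(cfg_text)
    found = []
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        for entry in cp.get(jail, "action", fallback="").splitlines():
            entry = entry.strip()
            if entry and is_mail_action(entry):
                found.append((jail, entry))
    return found


def strip_mail_actions(cfg_text):
    """Return cfg_text with the mail entries removed from enabled jails.
    Entries are dropped rather than prefixed with '#': commenting out the first
    'action =' line would make configparser glue its indented continuation
    lines onto the previous option. A jail left with nothing gets %(action_)s,
    the ban-only default."""
    flagged = {}
    for jail, entry in mail_actions(cfg_text):
        flagged.setdefault(jail, set()).add(entry)
    lines, out, section, i = cfg_text.splitlines(), [], None, 0
    while i < len(lines):
        line = lines[i]
        sec = re.match(r"\s*\[([^\]]+)\]", line)
        if sec:
            section = sec.group(1)
        key = re.match(r"(action\s*=\s*)(.*)$", line)
        if key and section in flagged:
            entries = [key.group(2).strip()]
            i += 1
            # swallow indented continuation lines belonging to this action
            while i < len(lines) and lines[i][:1] in (" ", "\t") and lines[i].strip():
                entries.append(lines[i].strip())
                i += 1
            kept = [e for e in entries if e and e not in flagged[section]] or ["%(action_)s"]
            out.append(key.group(1) + kept[0])
            out.extend(" " * len(key.group(1)) + e for e in kept[1:])
            continue
        out.append(line)
        i += 1
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("mail-sending actions:", mail_actions(SAMPLE_JAIL))
    print(strip_mail_actions(SAMPLE_JAIL))
```

To use it on a real system, read `/etc/fail2ban/jail.local` into `mail_actions()` first and review the list; if you then write `strip_mail_actions()`'s output back to the file, restart fail2ban as the reply says and watch `/var/log/maillog` for the deferred messages to stop. Bans keep working because the ban action is kept and only the mail entries go.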
 
  

