LinuxQuestions.org
Old 12-10-2013, 03:17 PM   #1
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Rep: Reputation: 0
Illegal exim2 login attempts


My server logs show many more failed attempts to login to exim2 than attempts at SSH.

What would they do if they succeeded? I'm guessing they could send email that appeared to come from us. Is that right? (CentOS, Dovecot on dedicated server)
 
Old 12-10-2013, 03:21 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Yes, if they are able to guess a username / password combination, i.e. a valid set of login credentials, for your email system, they will be able to send mail via that account. Until you change the password, that is, but then they will still have half of the credentials (the name).

I would suggest trying fail2ban, which will monitor the log file and temporarily block their access to your server via IPTables. You can configure the number of login failures allowed and how long the ban period lasts. This is usually enough of a deterrent to cause the person or script making the attempt to go away.
 
1 members found this post helpful.
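The approach described in the post above (count login failures per source address in the mail log, then block that address for a set period once a limit is reached), as an added Python example that is not part of the thread and is not fail2ban's own code. The log lines are constructed in the style of an Exim main log, and the names `find_bans`, `max_retry`, `find_time` and `ban_time` are chosen here for illustration; they correspond to the failure count, counting window and ban period that fail2ban lets you configure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an Exim main log (not from the thread).
SAMPLE_LOG = """\
2013-12-10 15:00:01 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2013-12-10 15:00:16 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=abuse)
2013-12-10 15:00:20 1VqABC-0001xy-2Z <= user@example.org H=mail.example.org [198.51.100.7] P=esmtp S=1234
2013-12-10 15:00:31 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2013-12-10 15:03:00 dovecot_login authenticator failed for (host) [198.51.100.9]: 535 Incorrect authentication data (set_id=info)
2013-12-10 15:20:00 dovecot_login authenticator failed for (host) [198.51.100.9]: 535 Incorrect authentication data (set_id=info)
2013-12-10 15:40:00 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
"""

# Timestamp, source address in [brackets], and the attempted account name if logged.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]: 535 .*?(?:\(set_id=(?P<user>[^)]*)\))?$"
)

def find_bans(log_text, max_retry=3, find_time=600, ban_time=3600):
    """Return (bans, targeted): bans is [(ip, ban_start, ban_end)],
    targeted maps each source address to the account names it tried."""
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)        # ip -> timestamps of failures in the window
    banned_until = {}                  # ip -> end of the current ban
    bans, targeted = [], defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                   # deliveries and other log lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        targeted[ip].add(m["user"] or "?")
        if ip in banned_until and ts < banned_until[ip]:
            continue                   # already inside a ban period, do not recount
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # forget failures older than find_time
        if len(q) >= max_retry:
            banned_until[ip] = ts + timedelta(seconds=ban_time)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans, dict(targeted)

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG)[0]:
        print(f"ban {ip} from {start} until {end}")
```

The second address in the sample fails twice, 17 minutes apart, so it never reaches the limit inside the counting window; slow attempts like that are what the window length trades off against.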
Old 12-10-2013, 03:40 PM   #3
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0

Thanks Noway2.

There are only 3 usernames: admin, abuse, and one other. Abuse wouldn't make much sense to send from and all have different 17 char passwords.

Attempts are throttled to not more than 4 per minute by a conditional in iptables.

I monitor via logwatch and DirectAdmin Brute force monitor, and block via iptables if any of the fiends are very persistent.

So I think we're safe but I was curious why they so much want to do this.
 
  

