LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-28-2012, 01:31 PM   #1
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

mail server security issue... can somebody tell me what happened??


Guys,
this is a part of my log file:
Code:
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:07 +0600 <<< EHLO localhost
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:07 +0600 >>> 250-mail.mydomain.com Hello localhost [46.100.243.63], pleased to meet you.
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:10 +0600 <<< AUTH LOGIN
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:10 +0600 >>> 334 VX2fqm5hbWU6
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:11 +0600 <<< c6dj7y=
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:11 +0600 >>> 334 UGFzc3dvcmQ6
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:16 +0600 <<< MD4dqzX4NzU5XTU=
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:16 +0600 >>> 235 2.0.0 Authentication successful
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:16 +0600 <<< MAIL FROM:<rafiq@localhost>
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:16 +0600 >>> 250 2.1.0 <rafiq@localhost>... Sender ok
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:18 +0600 <<< RCPT TO:<vilmos01@yahoo.com>
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:18 +0600 >>> 250 2.1.5 <vilmos01@yahoo.com>... Recipient ok; will forward
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:19 +0600 <<< DATA
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:19 +0600 >>> 354 Enter mail, end with "." on a line by itself
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:20 +0600 *** <rafiq@localhost> <vilmos01@yahoo.com> 1 149 00:00:00 OK
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:20 +0600 Message deleted by filter
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:20 +0600 >>> 250 2.6.0 149 bytes received in 00:00:00; Message accepted for delivery
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:21 +0600 <<< QUIT
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:21 +0600 >>> 221 2.0.0 mail.mydomain.com closing connection
SYSTEM          [00000578] Tue, 29 May 2012 00:09:21 +0600 Disconnected
I found a guy is logging in to my server (the server is a closed relay, not accepting SMTP codes or telnet). He is not using any user password and instead he is using this to log in. Once authenticated, he is pretending that he is rafiq@localhost, which is fake, and then sending mail to someone@yahoo.com... now it is getting flooded here... finally I just made a content filter based on the source and currently it is blocking... but it is still going on in this way, trying to get in and send mails... last time I also found that it is using this method to pretend to be anyone, even anyone in my domain, and then sending mails.

Any ideas?? I mean, what is this method of SMTP AUTH?? And how can I improve my SMTP security with SMTP auth too... note, my clients are using Outlook, Eudora and Thunderbird... where I have to force Outlook to authenticate in the way the server is set... (now Outlook is also trying to use this method instead of user name/password...)

Mishu~~
 
Old 05-29-2012, 04:24 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Quote:
the server is closed relay, not accepting SMTP CODES and telnet.). He is not using any user password and instead he is using this to login
Incorrect. They are using a username and password that is valid for your mail system, probably through a telnet connection to port 25 (SMTP).
Quote:
46.100.243.63 [00000578] Tue, 29 May 2012 00:09:10 +0600 <<< AUTH LOGIN
46.100.243.63 [00000578] Tue, 29 May 2012 00:09:10 +0600 >>> 334 VX2fqm5hbWU6
This is an example of SMTP Authentication, or SMTP-AUTH. In this particular case it is making use of the challenge-response function and communicating the acceptance of NTLM.
In the authentication process, the user name and password are base64 encoded. See this page, which has an example converter.
You can see the successful results of their attempts here:
Code:
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:16 +0600 <<< MD4dqzX4NzU5XTU=
46.100.243.63   [00000578] Tue, 29 May 2012 00:09:16 +0600 >>> 235 2.0.0 Authentication successful
This page here has a good description of the process, including describing what fields get encoded. I would suggest that you look at this page if nothing else.

In your particular case, it looks like the username and password, as decoded, are still hashed but ludicrously simple.

The first thing you need to do is change the passwords, and make sure you use good ones. I would also recommend that you REQUIRE TLS for your connections, as someone may have simply logged in via non-encrypted plain text from a public location and had their data sniffed. You can do this on the MTA end, and the users will need to make sure it is enabled on the client end. Let me reiterate, require TLS; "I can't because of my clients" is NOT an acceptable answer, as there is no excuse for them to be using a non-encrypted connection.
 
1 members found this post helpful.
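To make the AUTH LOGIN exchange in the quoted log concrete, here is an added example (not part of the thread, and not code from any poster) that replays a transcript in the same layout and recovers what the client sent. AUTH LOGIN is not a challenge-response mechanism: the server's "334" prompts are the base64 encodings of the fixed strings "Username:" and "Password:", and the client answers with the base64 encoding of the plaintext username and password. Base64 is an encoding, not a hash, so anyone who can read the TCP stream reads the password, which is the reason TLS matters. The transcript below is constructed with made-up credentials (rafiq / 123456 from a documentation address); the tokens in the original log are not valid base64 as posted, so the decoder returns None for them. The AUTH PLAIN helpers show the one-token form that clients such as Thunderbird commonly use inside TLS.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript in the layout of the log quoted above
# (client lines "<<<", server lines ">>>"). Credentials are made up.
SAMPLE_LOG = """\
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:07 +0600 <<< EHLO localhost
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:07 +0600 >>> 250-mail.example.com Hello localhost [203.0.113.7], pleased to meet you.
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:10 +0600 <<< AUTH LOGIN
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:10 +0600 >>> 334 VXNlcm5hbWU6
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:11 +0600 <<< cmFmaXE=
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:11 +0600 >>> 334 UGFzc3dvcmQ6
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:16 +0600 <<< MTIzNDU2
203.0.113.7     [00000101] Tue, 29 May 2012 00:09:16 +0600 >>> 235 2.0.0 Authentication successful
"""

# "<src>   [<session-id>] <date> <<< client text"  or  ">>> server text"
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+\[(?P<sid>[0-9A-Fa-f]+)\]\s+.+?[+-]\d{4}\s+"
    r"(?P<dir><<<|>>>)\s+(?P<msg>.*)$"
)

# Conventional AUTH LOGIN prompts: base64("Username:") and base64("Password:")
PROMPTS = {"Username:": "user", "Password:": "password"}


def b64_text(token: str) -> Optional[str]:
    """Decode one base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def encode_auth_login(user: str, password: str) -> Tuple[str, str]:
    """The two client replies in an AUTH LOGIN exchange: base64(user), base64(password)."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def encode_auth_plain(user: str, password: str) -> str:
    """AUTH PLAIN (RFC 4616): one token, base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def decode_auth_plain(token: str) -> Tuple[str, str]:
    """Inverse of encode_auth_plain; the authzid field is ignored."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    return parts[1].decode(), parts[2].decode()


def extract_auth_attempts(log_text: str) -> List[dict]:
    """Replay each session's AUTH LOGIN exchange and report what was sent."""
    sessions: Dict[str, dict] = {}
    attempts: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # SYSTEM lines, filter notices, "***" delivery lines
        sid, direction, msg = m["sid"], m["dir"], m["msg"].strip()
        st = sessions.setdefault(sid, {"src": m["src"], "expect": None,
                                       "user": None, "password": None})
        if direction == "<<<" and msg.upper().startswith("AUTH LOGIN"):
            st.update(expect=None, user=None, password=None)
            initial = msg[len("AUTH LOGIN"):].strip()
            if initial:  # "AUTH LOGIN <base64 user>" initial-response form
                st["user"] = b64_text(initial)
        elif direction == ">>>" and msg.startswith("334 "):
            prompt = b64_text(msg[4:])
            # Unknown prompt text: assume username first, then password.
            st["expect"] = PROMPTS.get(prompt) or ("user" if st["user"] is None else "password")
        elif direction == "<<<" and st["expect"]:
            st[st["expect"]] = b64_text(msg)
            st["expect"] = None
        elif direction == ">>>" and msg[:3] in ("235", "535"):
            attempts.append({"src": st["src"], "session": sid, "user": st["user"],
                             "password": st["password"], "success": msg.startswith("235")})
            st.update(expect=None, user=None, password=None)
    return attempts


if __name__ == "__main__":
    for a in extract_auth_attempts(SAMPLE_LOG):
        print(a)
```

Run against a real log, this tells you which account was used from which source address, which is the first thing to know before resetting passwords.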
Old 05-31-2012, 03:04 AM   #3
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
TLS is enabled... so far my system config says...

I know, the password was stolen... the user was using a very simple password and that was leaked...

I have changed the password. Now he is constantly trying but getting no luck...

The server is not accepting any telnet, that I am sure of... I just did a telnet from my laptop using "telnet mymaiserver.com 25" and that gave "command unrecognized" after the connection... that part is tested... if I disable telnet, then it will only listen to mail clients, but will not listen to any telnet CLI.

There was a settings tab that said "Deny SMTP AUTH Command", and if I check it, it disables SMTP AUTH. But users have to use Outlook, Eudora and Thunderbird, and thus I have to turn it on.

Now, can somebody please tell me what are the SMTP auth modes used by Outlook, Eudora and Thunderbird? So far I know, Outlook=NTLM, Eudora=CRAM-MD5 and Thunderbird=??

I have to bind the server for these 3.

Mishu~
 
Old 05-31-2012, 04:17 AM   #4
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

I am not sure how you can deny telnet access to port 25 on a working mail server... It is a TCP connection just like the one initiated by any other client, only the commands are supplied by a person and not software.

I use the following in iptables to rate limit brute force attempts:
Code:
# Log, then reject, a connection to port 25 from a source address that
# already has one open (connlimit counts the new connection too, so
# "above 1" matches the second concurrent connection from one address).
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -m connlimit --connlimit-above 1 -j LOG --log-prefix "SMTP_BRUTE: "
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -m connlimit --connlimit-above 1 -j REJECT
# Everything else to port 25 is accepted.
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT

When attempting a brute force attack people will try to open multiple parallel connections to the server to speed things up. This limits them to a single connection per source IP address at any one time, which should be enough for standard use but will slow down a hacker substantially and alert you about the attempt.
 
Old 05-31-2012, 04:33 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Quote:
Originally Posted by aq_mishu View Post
TLS is enabled... so far my system config says...
I know, the password was stolen... the user was using a very simple password and that was leacked...
i have changed the pass. now he is constantly trying but getting no luck...
Consider using fail2ban. This will temporarily block their connections after a few failed attempts. The blockage is temporary so it won't cut off your real clients, but it will dramatically slow down his attempts to where he should lose interest.

Quote:
the server is not accepting any telnet that i am sure.. i just did a telnet from my laptop using the "telnet mymaiserver.com 25" and that gave command unrecognized after the connection... that part is tested... if i disable telnet, then it will only listen from mail clients, but will not listed to any telnet CLI.
This is incorrect. Whether or not you have telnet enabled on your server is irrelevant, as they are not connecting to your telnet server. It really doesn't matter, as the intruder could be using any number of methods including a script or program, telnet, netcat, etc. Connecting via telnet and getting "command unrecognized" means that you failed to give the proper statement, which should have been "ehlo <some domain information>". The links I provided in my previous post include instructions on how to manually test your system, INCLUDING STARTTLS.

Quote:
There was a settings tab said "Deny SMTP AUTH Command" and if I check it, it disables SMTP AUTH. but users have to use outlook, eudora and thunderbird and thus i have to turn it on.
You don't want to turn off SMTP auth. You need your clients to authenticate. The question is what methods you support and whether or not you "protect" them with TLS or allow them to pass unencrypted.
See this: http://en.wikipedia.org/wiki/SMTP_Authentication
then see this: http://en.wikipedia.org/wiki/Extended_SMTP
and finally see this: http://en.wikipedia.org/wiki/Simple_...Security_Layer

Quote:
Now, can somebody please tell me what are the (mode) smtp auth used by outlook, eudora, thunderbird? so far i know, outlook=ntlm, eudora=cram-md5 and thunderbird=??
The modes are NOT determined by the client. They are determined by the server. Outlook is just as capable of using PLAIN over TLS as it is of using ntlm. You do NOT need to support NTLM just because you have someone using Outlook.

You haven't mentioned what mail system you are using. If, for example, you are using Postfix, it supports SASL through Dovecot or Cyrus plug-ins. Dovecot only supports plain, not md5, not ntlm, etc., which is why you really need to use TLS with it.
Quote:
i have to bind the server for these 3.
No you don't. The fewer mechanisms you support the better off you are, but make sure that you are enforcing TLS. Note that there is a difference when it comes to mail: TLS (typically STARTTLS) uses encryption over the standard email ports, while SSL designates special ports. The standard is going towards TLS over the default ports.
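Both the connlimit rules two posts up and the fail2ban suggestion here come down to the same detection: count authentication failures per source address inside a time window and block the address for a while when the count is exceeded. The following is an added example of that logic (not from the thread, from fail2ban, or from any poster) run over constructed log lines in the layout of the quoted log. The "535 5.7.8 Authentication failed" reply is the standard ESMTP failure response and is assumed here, since the thread only shows the success reply (235); the thresholds mirror fail2ban's maxretry/findtime/bantime knobs, and the iptables command the ban would run is returned rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample: 203.0.113.7 hammers AUTH and keeps failing, while
# 198.51.100.9 is a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
203.0.113.7     [00000201] Tue, 29 May 2012 00:10:01 +0600 >>> 535 5.7.8 Authentication failed
203.0.113.7     [00000202] Tue, 29 May 2012 00:10:03 +0600 >>> 535 5.7.8 Authentication failed
203.0.113.7     [00000203] Tue, 29 May 2012 00:10:05 +0600 >>> 535 5.7.8 Authentication failed
198.51.100.9    [00000204] Tue, 29 May 2012 00:10:07 +0600 >>> 535 5.7.8 Authentication failed
203.0.113.7     [00000205] Tue, 29 May 2012 00:10:08 +0600 >>> 535 5.7.8 Authentication failed
198.51.100.9    [00000206] Tue, 29 May 2012 00:10:10 +0600 >>> 235 2.0.0 Authentication successful
203.0.113.7     [00000207] Tue, 29 May 2012 00:10:12 +0600 >>> 535 5.7.8 Authentication failed
203.0.113.7     [00000208] Tue, 29 May 2012 00:10:14 +0600 >>> 535 5.7.8 Authentication failed
"""

# "<src>   [<session-id>] <RFC 2822 date> >>> <3-digit reply code> ..."
SERVER_REPLY_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\[[0-9A-Fa-f]+\]\s+"
    r"(?P<ts>\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+>>> (?P<code>\d{3})\b"
)


def parse_log_time(text: str) -> datetime:
    """Timezone-aware datetime from the log's 'Tue, 29 May 2012 00:10:01 +0600' form."""
    return parsedate_to_datetime(text)


class SmtpAuthBanPolicy:
    """fail2ban-style policy: maxretry 535 replies within findtime => ban for bantime."""

    def __init__(self, maxretry: int = 5,
                 findtime: timedelta = timedelta(minutes=10),
                 bantime: timedelta = timedelta(hours=1)) -> None:
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned_until: Dict[str, datetime] = {}

    def is_banned(self, src: str, now: datetime) -> bool:
        until = self.banned_until.get(src)
        return until is not None and now < until

    def observe(self, line: str) -> Optional[Tuple[str, datetime]]:
        """Feed one log line; return (src, ban_expiry) if this line triggers a ban."""
        m = SERVER_REPLY_RE.match(line)
        if not m or m["code"] != "535":
            return None
        src, ts = m["src"], parse_log_time(m["ts"])
        window = self.failures[src]
        window.append(ts)
        while window and ts - window[0] > self.findtime:  # drop stale failures
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(src, ts):
            self.banned_until[src] = ts + self.bantime
            window.clear()
            return src, self.banned_until[src]
        return None


def ban_rule(src: str) -> List[str]:
    """The iptables command a ban action would run; returned, not executed."""
    return ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def run_policy(log_text: str, **kwargs) -> Tuple[SmtpAuthBanPolicy, List[Tuple[str, datetime]]]:
    """Replay a log through a fresh policy and collect the ban decisions it makes."""
    policy = SmtpAuthBanPolicy(**kwargs)
    bans = []
    for line in log_text.splitlines():
        decision = policy.observe(line)
        if decision:
            bans.append(decision)
    return policy, bans


if __name__ == "__main__":
    _, decisions = run_policy(SAMPLE_LOG)
    for src, until in decisions:
        print(f"ban {src} until {until.isoformat()}: {' '.join(ban_rule(src))}")
```

The legitimate user's single failure never reaches the threshold, and the ban expires on its own, which is the property that keeps a temporary block from locking out a real client with a mistyped password. fail2ban ships its own filters for the common MTAs; the point of the replay here is to see the window arithmetic before trusting it on a production log.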
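The point that mechanisms are chosen on the server, and that PLAIN or LOGIN is acceptable only once the session is inside TLS, is easiest to see in configuration. The fragment below is an added example (not from the thread or any poster) for a Postfix main.cf with Dovecot SASL, which the OP has not said they run; the certificate and map paths are assumptions. The weak block is what lets a stolen password be replayed in the clear; the corrected block refuses AUTH until STARTTLS and also stops an authenticated session from putting an arbitrary address in MAIL FROM, which is the "pretend to be anyone in my domain" problem from the first post. Postfix treats a mid-line "#" as part of the value, so the comments sit on their own lines.

```ini
# ---- weak: AUTH PLAIN/LOGIN accepted on port 25 before STARTTLS ----
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_sasl_security_options = noanonymous

# ---- corrected ----
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Offer STARTTLS to every client (other MTAs delivering to you cannot be
# forced onto TLS, so "may" rather than "encrypt" on port 25).
smtpd_tls_security_level = may
# Assumed certificate paths.
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
# Do not even announce AUTH in the EHLO reply until STARTTLS has happened.
smtpd_tls_auth_only = yes
# Outside TLS no plaintext mechanisms at all; inside TLS PLAIN/LOGIN are fine.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# An authenticated login may only use the sender addresses mapped to it
# (assumed map file: "rafiq@mydomain.com  rafiq" one pair per line).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_sender_login_mismatch
# Relay only for local networks and authenticated users.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

On the Dovecot side the matching settings are auth_mechanisms = plain login and disable_plaintext_auth = yes; the second one makes Dovecot itself refuse a plaintext login that arrives without TLS. With this in place Outlook, Eudora and Thunderbird all negotiate STARTTLS and then PLAIN or LOGIN, and NTLM or CRAM-MD5 support on the server is unnecessary.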
 
  

