Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I believe I have things under control, but was wondering why anyone would try to hack/crack into an IMAP server? I have a server that gets many ‘unknown user’ attempts per hour. All one could do if successful is read/delete email messages. Why do they bother?
I’ve set up fail2ban to jail IPs after one failed attempt…for 24 hours. There are currently 224 jailed IPs…so 224 attempts in the last 24 hours. Thoughts?
Depends on where you work as far as what they want to read...anything with user information that could be used for identity theft would be a good target, along with any banking info. Past that, they could be looking to use your IMAP server to shovel out spam messages, so that when YOU get banned/blocked/blacklisted, they just move to another server, leaving you to deal with the mess.
Or it is possible that you are experiencing random port scans, in which wannabe hackers keep trying doors hoping to find ones that are unlocked. They are extremely common.
The count dropped off to around 150, then crept back up to over 200. Just for fun, I’ve set the jail time to 10 days. Wonder how many IPs will be jailed in that time?
The hackers make two attempts in a minute with the same bogus user but from two different IP addresses. They do that every few minutes, averaging 10-12 attempts per hour. Since each IP is immediately jailed, they aren’t used (don’t get through) more than once. Has crept up to 300+ while composing this…
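The pattern described in that post (the same bogus username tried from two different IPs within a minute) is exactly what per-IP banning cannot correlate. As an added example, not code from the thread, here is a small Python script that parses constructed Dovecot-style imap-login failure lines and flags usernames tried from two or more IPs inside a 60-second window; the log format, hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified Dovecot imap-login format (not from the thread).
SAMPLE_LOG = """\
Mar 03 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Mar 03 10:00:41 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.22, lip=192.0.2.10
Mar 03 10:04:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Mar 03 10:04:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Mar 03 10:09:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.40, lip=192.0.2.10
Mar 03 10:09:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.41, lip=192.0.2.10
"""

# Assumed line shape: syslog timestamp, "auth failed", user=<name>, rip=<remote IP>.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<rip>[\d.]+)"
)

def parse_failures(text, year=2024):
    """Return a list of (timestamp, user, remote_ip) for every auth-failed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth failure, or a format we do not recognise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["rip"]))
    return events

def distributed_attempts(events, window_secs=60):
    """Map user -> sorted IPs for users tried from >= 2 distinct IPs within window_secs."""
    by_user = defaultdict(list)
    for ts, user, rip in sorted(events):
        by_user[user].append((ts, rip))
    flagged = {}
    for user, tries in by_user.items():
        for i, (t0, ip0) in enumerate(tries):
            ips = {ip0}
            for t1, ip1 in tries[i + 1:]:  # later tries for the same user
                if (t1 - t0).total_seconds() > window_secs:
                    break
                ips.add(ip1)
            if len(ips) >= 2:
                flagged.setdefault(user, set()).update(ips)
    return {u: sorted(ips) for u, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in distributed_attempts(parse_failures(SAMPLE_LOG)).items():
        print(f"{user}: tried from {len(ips)} IPs within a minute: {', '.join(ips)}")
```

The same-IP "admin" attempts are left to fail2ban; only the username tried from several addresses is surfaced, which is the signal worth alerting on.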
Why not rope off the server with libwrap so they can't even swing at it or do you have clients all over? All those attempts and blocks are still using resources. Plus, attackers rent out VPSs off large cloud providers nowadays. They dirty up an IP, and then move on quickly so your block-by-IP isn't doing much good. The days of one-IP-one-bad-guy ended 12 (or more) years ago. I'd be willing to bet most of them don't even have a domain name set and are from Linode or Digital Ocean.
Email username/password pairs are often sold in bulk on the darknet.
I don’t actually have any paying clients anymore, having just retired from the business of hosting domains and building applications. There are only three active mail users on the server: me, my wife and one of our daughters, so yes, I could use tcp wrappers…although we all currently connect with dynamic IPs. Still, I know what those are, and have even configured fail2ban to never block them.
I do still host some family and “public service” websites, and am a domain registration reseller. I’m currently mulling over if and how best to continue these “hobbies.” Meantime I can tinker with things like jailing hundreds of IPs.
224 attempts in 24 hours is definitely a lot in numbers.
With Fail2ban, you are already making it hard for attackers to succeed. This will prevent attacks where someone keeps trying different passwords.
1. Check if someone has a list of email addresses and passwords.
2. Someone might be targeting your server for access.
3. The attacker might be looking for inactive email accounts.
All one could do if successful is read/delete email messages. Why do they bother?
Because this is a massive issue, if they can read someone's e-mail messages they can read password reset e-mails / links / 2FA codes. Can also read any notifications they've had, so get a good guess at what services the person is signed up for.
Being able to read someone's e-mail messages is by far the biggest security risk in terms of identity theft.
not to mention the case when they know you're on vacation and no one is home.
They can collect a huge amount of information from your mails, including accounts, cards, whatever is available. And they can also use your mail (communicate) instead of you.
While the chances of anyone breaking into one of your IMAP accounts, and then getting to actually use it for anything, is rather slim ...
It is possible that "they" are someone working for one of the spam-control lists, who is not so good or saintly. With their intent being that if they can break in at all, ever, they can exaggerate that your IMAP server has weak security making it some haven for spammers. And then quite legally harass and extort you under the threat of spam filtering your whole email domain off the net.