[Dovecot] POP3 dictionary attacks
I'm seeing strings of failed POP3 login attempts with obvious bogus usernames coming from different IP addresses. Today's originated from 216.31.146.19 (which resolves to neovisionlabs.com). This looks like a botnet attack. I got a similar probe a couple days ago. Is anyone else seeing these?
The attack involves trying about 20 different names, about 3-4 seconds apart. Here are a few sample log lines:
dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
Timo, can you add the port used in the attempt to the error log entry? (It does show up in the info log entry, but that means I need to correlate lines in the two log files.)
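The detection logic a fail2ban-style ban would apply to log lines like the ones above, as an added example that is not part of the original post or of Dovecot/fail2ban. It parses the Dovecot 1.x auth-worker error format quoted in the message, groups PAM failures per client address, and reports an address once it produces `maxretry` failures inside any `findtime`-second window, together with the distinct usernames it tried (many distinct names from one address is the dictionary-attack signature; the same name repeated is more likely a user with a stale password). The sample log is constructed from the four lines in the post plus a few invented lines (a fifth probe from the same address, two failures and one success from 192.0.2.10); the `<HOST>` placeholder is fail2ban's, but the dotted-quad expansion used here is only an approximation of fail2ban's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# The failure expression written the way a fail2ban filter.d file expects it;
# <HOST> is fail2ban's placeholder for the client address.  Assumption: the
# Dovecot 1.x format shown in the post (auth-worker(...): pam(user,ip): ...).
# The username is attacker-controlled, so it is matched with [^,]+ and the
# address is only taken from inside the pam(...) parentheses.
FAILREGEX = (r"auth-worker\(\w+\): pam\((?P<user>[^,]+),<HOST>\): "
             r"pam_authenticate\(\) failed")

# Stand-alone expansion of <HOST> to a dotted quad (fail2ban's own expansion
# is broader; this is an approximation for the example).
_LINE_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) Error: "
    + FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
)

# Constructed sample: the four lines from the post plus invented lines.
SAMPLE_LOG = [
    "dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module",
    "dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module",
    "dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module",
    "dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module",
    # invented: fifth probe from the same address
    "dovecot: Aug 15 04:16:01 Error: auth-worker(default): pam(sales,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module",
    # invented: a real user mistyping a password twice, then logging in
    "dovecot: Aug 15 04:20:10 Error: auth-worker(default): pam(kenneth,192.0.2.10): pam_authenticate() failed: Authentication failure",
    "dovecot: Aug 15 04:20:15 Error: auth-worker(default): pam(kenneth,192.0.2.10): pam_authenticate() failed: Authentication failure",
    "dovecot: Aug 15 04:20:16 Info: pop3-login: Login: user=<kenneth>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1",
]


def parse_failures(lines):
    """Yield (timestamp, ip, username) for every PAM auth failure in lines."""
    for line in lines:
        m = _LINE_RE.search(line)
        if not m:
            continue
        # Dovecot 1.x timestamps carry no year; strptime defaults to 1900,
        # which is fine for differences within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("host"), m.group("user")


def find_dictionary_attacks(lines, maxretry=5, findtime=600):
    """fail2ban-style thresholds: report an IP when it produces maxretry or
    more failures within any findtime-second window.
    Returns {ip: {"failures": total, "users": sorted distinct usernames}}."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        window = []  # events within findtime of the current one
        for ts, user in events:
            window.append((ts, user))
            while (ts - window[0][0]).total_seconds() > findtime:
                window.pop(0)
            if len(window) >= maxretry:
                hits[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, info["failures"], "failures, usernames:", ", ".join(info["users"]))
```

With the defaults, 216.31.146.19 is reported (five failures, five different usernames in sixteen seconds) and 192.0.2.10 is not; lowering `maxretry` to 2 would catch the legitimate user as well, which is the trade-off the thread's fail2ban advice implies. Because Dovecot logs the username verbatim, keep the host group anchored inside `pam(...)` as here; a looser expression that matched an address anywhere on the line could be fed a crafted username and talked into banning someone else's address.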
On 8/15/2008, Kenneth Porter (shiva@sewingwitch.com) wrote:
I'm seeing strings of failed POP3 login attempts with obvious bogus usernames coming from different IP addresses. Today's originated from 216.31.146.19 (which resolves to neovisionlabs.com). This looks like a botnet attack. I got a similar probe a couple days ago. Is anyone else seeing these?
You're kidding, right?
Dictionary attacks are a fact of life these days.
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it...
--
Best regards,
Charles
Charles Marcus wrote:
Dictionary attacks are a fact of life these days.
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it..
I wonder what they want by cracking a POP3 server. Read the user's mails? It's true POP3 passwords are almost always equal to SMTP ones (which is useful for spamming), but then why not try to crack the SMTP server directly?
-- The bomb will never go off. I speak as an expert in explosives. -- Admiral William Leahy, U.S. Atomic Bomb Project
Eduardo M KALINOWSKI eduardo@kalinowski.com.br http://move.to/hpkb
Eduardo M KALINOWSKI wrote:
Charles Marcus wrote:
Dictionary attacks are a fact of life these days.
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it..
I wonder what they want by cracking a POP3 server. Read the user's mails? It's true POP3 passwords are almost always equal to SMTP ones (which is useful for spamming), but then why not try to crack the SMTP server directly?
There may not be anything interesting in the user's inbox initially, but there might be after the attacker starts sending password reminders from eBay, Paypal, etc.
On Fri, Aug 15, 2008 at 06:43:30PM -0300, Eduardo M KALINOWSKI wrote:
Charles Marcus wrote:
Dictionary attacks are a fact of life these days.
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it..
I wonder what they want by cracking a POP3 server. Read the user's mails? It's true POP3 passwords are almost always equal to SMTP ones (which is useful for spamming), but then why not try to crack the SMTP server directly?
One reason is so that they can get SMTP AUTH information and then sell the username/password pairs to spammers.
Open relays are much more rare nowadays, so having a legitimate pre-existing account that can be used for outbound spam is worth much more than opening a new hotmail or gmail account. Especially through smaller ISPs that may not have adequate outbound mail rate-limits in place.
A single hijacked mail account through a small ISP without rate-limits can be used to send an incredible amount of spam before it's caught.
-- Dean Brooks dean@iglou.com
On Aug 15, 2008, at 5:39 PM, Charles Marcus wrote:
You're kidding, right?
Dictionary attacks are a fact of life these days.
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it...
fail2ban will not work for this as the incoming ip addresses are spoofed. fail2ban would end up blocking legitimate servers.
B. Bodger
--On Friday, August 15, 2008 5:51 PM -0400 Bruce Bodger <bruce.bodger@demval.com> wrote:
fail2ban will not work for this as the incoming ip addresses are spoofed. fail2ban would end up blocking legitimate servers.
How do you spoof a source address on a TCP connection? I was unaware that was possible. How would replies know how to get back to the spoofing host? At best, you can spoof another host on your own routed segment. Unless you have control of the routing tables on the connecting routers, of course.
Kenneth Porter wrote:
--On Friday, August 15, 2008 5:51 PM -0400 Bruce Bodger <bruce.bodger at demval.com> wrote:
fail2ban will not work for this as the incoming ip addresses are spoofed. fail2ban would end up blocking legitimate servers.
How do you spoof a source address on a TCP connection? I was unaware that was possible. How would replies know how to get back to the spoofing host? At best, you can spoof another host on your own routed segment. Unless you have control of the routing tables on the connecting routers, of course.
Exactly. These days, IP spoofing is most useful to hide the identity of the perpetrator of a DoS attack. It certainly is not applicable to a dictionary attack on POP3 or other logins since with a spoofed IP, the perpetrator will never see the response to determine if the login attempt was successful.
-- Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Bruce Bodger wrote:
On Aug 15, 2008, at 5:39 PM, Charles Marcus wrote:
You're kidding, right?
Dictionary attacks are a fact of life these days.
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it...
just make sure to get the expressions right.
fail2ban will not work for this as the incoming ip addresses are spoofed. fail2ban would end up blocking legitimate servers.
It doesn't matter. If a TCP attack involves a (remote) IP, you can block that IP (for some period of time). There's nothing else you can do unless you're ready to let it test all possible login:password pairs until it succeeds.
In particular, if this is an asymmetric routing attack, then the attacker has some control of the remote IP or of its network, in which case the IP is "dirty".
As for TCP hijacking, this is not so simple, and if it becomes easy, then we have a more serious problem than POP or SMTP security...
On Friday, August 15, 2008 5:39 PM -0400 Charles Marcus <CMarcus@Media-Brokers.com> wrote:
Just install some kind of blocking on your firewall (fail2ban is a good one), and let it take care of the worst of it...
Thanks, researching it now....
Looks like an RPM might be available for CentOS 5. There's a HOWTO here for configuring it with iptables:
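As an added example (not from the thread or from the HOWTO referred to above), a fail2ban filter and jail for the Dovecot 1.x log format quoted at the top of the thread. The file names, the jail name, the log path and the thresholds are assumptions to adjust to the local setup; in particular, check which file (or syslog destination) Dovecot actually writes to before enabling the jail.

```ini
# /etc/fail2ban/filter.d/dovecot-pop3.conf   (assumed file name)
[Definition]
# Matches the auth-worker error lines quoted in the first message;
# <HOST> is fail2ban's placeholder for the client address.  The username
# is attacker-controlled, so it is matched as [^,]+ and the address is
# taken only from inside the pam(...) parentheses.
failregex = auth-worker\(\w+\): pam\([^,]+,<HOST>\): pam_authenticate\(\) failed
ignoreregex =

# /etc/fail2ban/jail.local   (append; assumed jail name and thresholds)
[dovecot-pop3]
enabled  = true
filter   = dovecot-pop3
# iptables-multiport ships with fail2ban; pop3/pop3s resolve via /etc/services
action   = iptables-multiport[name=dovecot-pop3, port="pop3,pop3s", protocol=tcp]
# assumption: where this Dovecot writes its log; use /var/log/maillog if it
# logs through syslog on CentOS
logpath  = /var/log/dovecot.log
# 5 failures within 10 minutes bans the address for an hour; the probe in the
# first message (20 names, 3-4 s apart) trips this on the fifth attempt
maxretry = 5
findtime = 600
bantime  = 3600
```

Test the expression against the real log before enabling the jail (fail2ban ships `fail2ban-regex` for exactly this), since a filter that matches nothing silently protects nothing, and one that matches too loosely is what the earlier warning about getting the expressions right is about.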
participants (9)
- Bruce Bodger
- Bruce Bodger
- Charles Marcus
- Dean Brooks
- Eduardo M KALINOWSKI
- Kenneth Porter
- Mark Sapiro
- Michael Orlitzky
- mouss