[Dovecot] dovecot dictionary attacks
Hi, I have been using dovecot for a while and it's been solid; however, I have been having some issues with dictionary attacks.
I installed fail2ban and for the most part it is working fine. However, today I got another spammer relaying through my server.
Looking at the logs I see the following dictionary attack from 94.242.206.37
Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37, lip=209.213.66.10
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup
..... And so on..
Then that IP gets banned by fail2ban:
[root@pop ~]# grep 94.242.206.37 /var/log/fail2ban.log
2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban 94.242.206.37
However, on my SMTP mail server that IP is already sending out all sorts of spam with the SASL username of Paramus. This username Paramus never shows up in the dovecot dictionary attack; as a matter of fact, the user Paramus is nowhere to be found in the dovecot log at all, and I have logs going back months.
Does anyone have any idea what could have happened here? I mean, if the user/passwd was already harvested by 94.242.206.37, why would they bother to start another dict. attack?
I'm just not sure how they guessed the username/password, as it's not in any logs going back months and I don't have a dovecot record for that user.
/var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Any help would be appreciated.
paul
On 10.11.2010, at 23.03, PA wrote:
However, on my SMTP mail server that IP is already sending out all sorts of spam with the SASL username of Paramus. This username Paramus never shows up in the dovecot dictionary attack; as a matter of fact, the user Paramus is nowhere to be found in the dovecot log at all, and I have logs going back months.
I'm just not sure how they guessed the username/password, as it's not in any logs going back months and I don't have a dovecot record for that user.
Well, probably obvious, but since you didn't explicitly say: You have configured Postfix to use Dovecot for authentication, not Cyrus SASL, right?..
Timo,
Yes, postfix is configured for SASL, so the spammer IP was able to relay email after it obtained the account info. My concern is how the spammer got the user/pass in the first place, since nowhere in the dovecot logs do I see that particular user attempting to log in with the wrong/correct password, etc. I should be able to see all login attempts, correct, if the user/pass was obtained through a dict. attack? If that's the case then most likely the user/password was obtained from the user's PC and not guessed on the mail server. I am trying to make sense of what happened and to make sure I'm not overlooking something on dovecot.
-----Original Message----- From: Timo Sirainen [mailto:tss@iki.fi] Sent: Wednesday, November 10, 2010 8:22 PM To: PA Cc: dovecot@dovecot.org Subject: Re: [Dovecot] dovecot dictionary attacks
On 10.11.2010, at 23.03, PA wrote:
However, on my SMTP mail server that IP is already sending out all sorts of spam with the SASL username of Paramus. This username Paramus never shows up in the dovecot dictionary attack; as a matter of fact, the user Paramus is nowhere to be found in the dovecot log at all, and I have logs going back months.
I'm just not sure how they guessed the username/password, as it's not in any logs going back months and I don't have a dovecot record for that user.
Well, probably obvious, but since you didn't explicitly say: You have configured Postfix to use Dovecot for authentication, not Cyrus SASL, right?..
On 11.11.2010, at 17.57, PA wrote:
Yes, postfix is configured for SASL, so the spammer IP was able to relay email after it obtained the account info.
Postfix supports Cyrus SASL and Dovecot SASL. You didn't specify which one..
My concern is how the spammer got the user/pass in the first place, since nowhere in the dovecot logs do I see that particular user attempting to log in with the wrong/correct password, etc. I should be able to see all login attempts, correct, if the user/pass was obtained through a dict. attack? If that's the case then most likely the user/password was obtained from the user's PC and not guessed on the mail server. I am trying to make sense of what happened and to make sure I'm not overlooking something on dovecot.
Yes, all login attempts via Dovecot are logged, but only if you have auth_verbose=yes.
If your Postfix authentications went through Cyrus SASL, then I don't know what it logs.
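The check the thread circles around, as an added example (not from the thread, and not Dovecot's or Postfix's own code): a Python script that parses the two log formats quoted above and correlates them. It flags source IPs that had many distinct usernames rejected by Dovecot (the dictionary attack), lists Postfix SASL logins from those IPs (the relay after the ban), and lists SASL logins whose username never appeared in any Dovecot auth attempt, which is exactly the observation that led the poster to conclude the credential was not guessed on this server. The sample log lines are constructed to match the formats shown in the thread (198.51.100.7 is a documentation address standing in for a normal client), the regular expressions and function names are this example's own, and it assumes auth_verbose=yes so that every Dovecot attempt is in the log and that Postfix authenticates through Dovecot SASL rather than Cyrus SASL. Usernames are lower-cased before comparison because the Postfix log shows both "paramus" and "Paramus"; whether your passdb is case-insensitive is an assumption you should verify.

```python
"""Correlate Dovecot auth log lines with Postfix SASL login lines.

Added example, not code from the mailing-list thread or from the
Dovecot/Postfix projects. Assumes auth_verbose=yes (so every Dovecot
authentication attempt is logged) and Postfix using Dovecot SASL, so
SMTP AUTH from an unknown user would also appear in the Dovecot log.
"""
import re
from collections import defaultdict

# Constructed sample input modelled on the formats quoted in the thread.
DOVECOT_LOG = """\
Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37, lip=209.213.66.10
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup
Nov 10 03:04:39 pop dovecot: auth(default): shadow(ababa,94.242.206.37): unknown user
Nov 10 08:12:01 pop dovecot: auth(default): shadow(alice,198.51.100.7): lookup
"""

POSTFIX_LOG = """\
Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 09:00:00 mrelay3 postfix/smtpd[27900]: 1234528020: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
"""

# "auth(default): shadow(user,ip): result" -- the passdb name (shadow here)
# is matched generically so other passdbs with the same layout also parse.
DOVECOT_RE = re.compile(
    r"dovecot: auth\(\w+\): \w+\((?P<user>[^,]+),(?P<ip>[0-9.]+)\): (?P<result>.*)$"
)
# "postfix/smtpd[pid]: queueid: client=host[ip], ..., sasl_username=user"
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=\S+\[(?P<ip>[0-9.]+)\].*sasl_username=(?P<user>\S+)"
)


def parse_dovecot(text):
    """Return (user, ip, result) for every passdb lookup/result line.

    Lines without a passdb lookup (client in, Disconnected, ...) are skipped.
    Usernames are lower-cased; see the lead-in for why that is an assumption.
    """
    events = []
    for line in text.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            events.append((m["user"].lower(), m["ip"], m["result"]))
    return events


def parse_postfix_sasl(text):
    """Return (ip, sasl_username) for every authenticated smtpd client line."""
    events = []
    for line in text.splitlines():
        m = POSTFIX_RE.search(line)
        if m:
            events.append((m["ip"], m["user"].lower()))
    return events


def dictionary_attack_ips(dovecot_events, min_distinct_users=3):
    """IPs that had at least min_distinct_users different usernames rejected
    as 'unknown user'. Counting distinct users, not attempts, separates a
    dictionary walk from one legitimate user mistyping a password."""
    rejected = defaultdict(set)
    for user, ip, result in dovecot_events:
        if result == "unknown user":
            rejected[ip].add(user)
    return {ip for ip, users in rejected.items() if len(users) >= min_distinct_users}


def relays_from_attack_ips(dovecot_events, postfix_events, min_distinct_users=3):
    """SASL logins on the SMTP relay coming from a dictionary-attack source."""
    attackers = dictionary_attack_ips(dovecot_events, min_distinct_users)
    return sorted({(ip, user) for ip, user in postfix_events if ip in attackers})


def unexplained_sasl_logins(dovecot_events, postfix_events):
    """SASL logins whose username was never tried against Dovecot from any IP.

    With auth_verbose=yes and Dovecot SASL, a guessed credential would have
    left failed attempts for that user; a username with no Dovecot history
    at all points at a credential obtained elsewhere (e.g. the user's PC).
    """
    seen = {user for user, _ip, _result in dovecot_events}
    return sorted({(ip, user) for ip, user in postfix_events if user not in seen})


if __name__ == "__main__":
    dv = parse_dovecot(DOVECOT_LOG)
    pf = parse_postfix_sasl(POSTFIX_LOG)
    print("dictionary-attack sources:", sorted(dictionary_attack_ips(dv)))
    print("SASL logins from those sources:", relays_from_attack_ips(dv, pf))
    print("SASL logins with no Dovecot history for the user:", unexplained_sasl_logins(dv, pf))
```

Run it against real files by replacing the two constants with the contents of the Dovecot log and /var/log/maillog. Timo's caveat applies directly to the last check: if auth_verbose is off, or Postfix authenticates through Cyrus SASL, the Dovecot side is incomplete and an empty history for a user proves nothing.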
participants (2): PA, Timo Sirainen