[Dovecot] 64.31.19.48 attempt to break into my computer
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
rick baartman
TRIUMF 4004 Wesbrook Mall Vancouver, BC V6T2A3
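The per-source failure counting that the replies below attribute to fail2ban, applied to the dovecot-auth/PAM lines quoted above, as an added Python example (not code from the thread or from fail2ban). The sample log is constructed from the quoted lines, the second source address and the thresholds are assumptions, and the one detail worth noticing is that PAM logs IPv4 clients as IPv4-mapped IPv6 addresses (::ffff:…), which a ban rule has to strip:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the dovecot-auth/PAM format quoted in the post;
# 192.0.2.7 is an assumed second source with a single failed login.
SAMPLE_LOG = """\
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
Sep 19 01:16:46 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:46 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abe
Sep 19 03:10:02 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.7
"""

FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot-auth: "
                     r"pam_unix\(dovecot:auth\): authentication failure;.*rhost=(\S+)")
USER_RE = re.compile(r"error retrieving information about user (\S+)$")

def normalize_host(rhost):
    """PAM logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); a ban rule
    keyed on the bare IPv4 address has to strip that prefix first."""
    return rhost[7:] if rhost.startswith("::ffff:") else rhost

def analyze(log_text, maxretry=5, findtime=600):
    """Group failures per source; flag a source when maxretry failures fall
    inside findtime seconds (the fail2ban-style rule) and report how many
    distinct usernames it tried (many unknown names = dictionary attack)."""
    events = defaultdict(list)      # ip -> [[timestamp, username-or-None], ...]
    pending = None                  # failure record still waiting for its user line
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(re.sub(r" +", " ", m.group(1)), "%b %d %H:%M:%S")
            ip = normalize_host(m.group(2))
            events[ip].append([ts, None])
            pending = events[ip][-1]
            continue
        m = USER_RE.search(line)
        if m and pending is not None:   # the pam_succeed_if line names the tried user
            pending[1] = m.group(1)
            pending = None
    report = {}
    for ip, evs in events.items():
        times = [ts for ts, _ in evs]
        ban = any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
                  for i in range(len(times) - maxretry + 1))
        users = {u for _, u in evs if u}
        report[ip] = {"failures": len(evs), "distinct_users": len(users), "ban": ban}
    return report
```

Syslog timestamps carry no year, so the parsed datetimes are only meaningful relative to each other, which is all the window check needs.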
On 2011-09-19 1:05 PM, Rick Baartman baartman@lin12.triumf.ca wrote:
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
Dictionary attacks are quite common, nothing new here...
fail2ban is what I use, would have killed this one (since it's from the same IP) almost immediately...
It doesn't work so well with sophisticated bots that can change IPs at will, but the secondary method of locking out an account after X number of failed auth attempts will eliminate the risk of a focused attack on a single account, so as long as you are using strong passwords, your system is secure (from these kinds of attacks, at least).
The only attack I haven't figured out how to eliminate is the social/phishing attack, where $DumbUser gives out their username and password voluntarily... although I have been considering faking a phishing attack on my own users, and flagging the ones who fall for it for training.
--
Best regards,
Charles
On 22/09/11 15:08, Charles Marcus wrote:
The only attack I haven't figured out how to eliminate is the social/phishing attack, where $DumbUser gives out their username and password voluntarily... although I have been considering faking a phishing attack on my own users, and flagging the ones who fall for it for training.
The University I work at was suffering from this a *lot*. Phishers kept contacting our users pretending to be from our IT helpdesk asking users to reply with their login details so that their mailbox could be refreshed or so their quota could be fixed and other such things.
So I developed an application that sits on our outgoing mail routers looking for login credentials inside emails. If it finds any, it blackholes the email and sends an autoresponse to the sender telling them to never ever send login details via email under any circumstances. It Cc's me in too, and it catches people emailing their logins around on a *daily* basis.
Our usernames follow a very strict format, and we have a pretty strict password policy, so what my program does is pull out a list of all the *possible* usernames and passwords and then attempts to authenticate against our AD using them.
I built it into a framework so other people can use it:
http://kochi.lboro.ac.uk/kochi1.html
You need to know how to write Perl though in order to use it. It's not plug and play.
We also added rate limiting to our outgoing mail, and a system which alerts us whenever anyone hits the limit. If it takes a phisher 2000 spams to get access to one account, but that one account only allows the phisher to send 1000 spams, then it completely destroys the point of what they're doing.
-- Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
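A minimal version of the verify-by-authenticating check described above (and of the pattern-based body filter Stan suggests further down the thread), written as an added Python example rather than Kochi's own code. The username format, password policy, the directory stand-in and both sample mails are constructed assumptions; a real deployment would replace directory_auth with a bind against AD/LDAP:

```python
import hashlib
import re
from email import message_from_string
from itertools import product

# Assumed username format ("ab1234") and password policy: placeholders for the
# strict formats the post refers to, not the real Loughborough or Kochi rules.
USERNAME_RE = re.compile(r"^[a-z]{2}[0-9]{4}$")
PASSWORD_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])\S{8,32}$")
MAX_PAIRS = 20   # cap on auth probes per mail, so a long message cannot lock accounts out

# Constructed stand-in for the directory: username -> sha256(password).
# The real check would be a bind against AD/LDAP with the candidate pair.
DIRECTORY = {"ab1234": hashlib.sha256(b"Winter2011x").hexdigest()}

def directory_auth(user, password):
    return DIRECTORY.get(user) == hashlib.sha256(password.encode()).hexdigest()

def candidate_pairs(body):
    """Every (possible username, possible password) combination found in a body."""
    tokens = {t.strip(".,;:!?\"'()<>[]") for t in body.split()}
    users = sorted(t for t in tokens if USERNAME_RE.match(t))
    pwds = sorted(t for t in tokens if PASSWORD_RE.match(t) and not USERNAME_RE.match(t))
    return list(product(users, pwds))[:MAX_PAIRS]

def scan_outbound(raw_message, auth=directory_auth):
    """Return ("blackhole", user) when a pair in the mail really authenticates,
    otherwise ("accept", None). Only text/plain parts are inspected."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for user, pwd in candidate_pairs(body):
            if auth(user, pwd):
                return ("blackhole", user)
    return ("accept", None)

# Constructed sample mails: one reply to a fake helpdesk, one ordinary message.
LEAKED = """From: student@example.edu
To: helpdesk@example.net
Subject: Re: mailbox quota

Hi, my username is ab1234 and my password is Winter2011x. Please fix my quota.
"""
CLEAN = """From: student@example.edu
To: friend@example.org
Subject: Friday

Can we meet at 10:30 on Friday? Room B12 is booked.
"""
```

Every candidate pair is a real authentication attempt, so keep the per-message cap low and exempt the scanner's source from any account-lockout rule, or a chatty mail can lock its own sender out.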
- Mike Cardwell dovecot@lists.grepular.com:
The University I work at was suffering from this a *lot*. Phishers kept contacting our users pretending to be from our IT helpdesk asking users to reply with their login details so that their mailbox could be refreshed or so their quota could be fixed and other such things.
Same here.
So I developed an application that sits on our outgoing mail routers looking for login credentials inside emails. If it finds any, it blackholes the email and sends an autoresponse to the sender telling them to never ever send login details via email under any circumstances. It Cc's me in too, and it catches people emailing their logins around on a *daily* basis.
ClamAV is supposed to be capable of that functionality.
Our usernames follow a very strict format, and we have a pretty strict password policy, so what my program does is pull out a list of all the *possible* usernames and passwords and then attempts to authenticate against our AD using them.
Ah! That's a nice idea.
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
On 22/09/11 15:21, Ralf Hildebrandt wrote:
The University I work at was suffering from this a *lot*. Phishers kept contacting our users pretending to be from our IT helpdesk asking users to reply with their login details so that their mailbox could be refreshed or so their quota could be fixed and other such things.
Same here.
So I developed an application that sits on our outgoing mail routers looking for login credentials inside emails. If it finds any, it blackholes the email and sends an autoresponse to the sender telling them to never ever send login details via email under any circumstances. It Cc's me in too, and it catches people emailing their logins around on a *daily* basis.
ClamAV is supposed to be capable of that functionality.
Our usernames follow a very strict format, and we have a pretty strict password policy, so what my program does is pull out a list of all the *possible* usernames and passwords and then attempts to authenticate against our AD using them.
Ah! That's a nice idea.
Perhaps, if you have a list of the plain text passwords in advance you could use ClamAV. In our case, we don't as we're using an AD. I actually copied the ClamAV tcp and local interface API so that any MTA which can plug in to ClamAV is also able to plug into Kochi. That's one of the things the framework provides.
-- Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
Perhaps, if you have a list of the plain text passwords in advance you could use ClamAV.
No, ClamAV is supposed to find stuff that looks like "social security numbers". It's probably harder with usernames (especially if the username is by chance a real word).
In our case, we don't as we're using an AD. I actually copied the ClamAV tcp and local interface API so that any MTA which can plug in to ClamAV is also able to plug into Kochi. That's one of the things the framework provides.
WOW!
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
Quoting Mike Cardwell dovecot@lists.grepular.com:
On 22/09/11 15:21, Ralf Hildebrandt wrote:
Perhaps, if you have a list of the plain text passwords in advance you could use ClamAV. In our case, we don't as we're using an AD. I actually copied the ClamAV tcp and local interface API so that any MTA which can plug in to ClamAV is also able to plug into Kochi. That's one of the things the framework provides.
There are additional 'non-official' ClamAV signatures that are meant to detect phishing attempts. They do work, but aren't perfect.
I'm fortunate enough to be on the phishing list, so I wrote a quickie perl script that will grep the logs for all the recipients and then scan their INBOX for the phishing email and remove it before they read it.
Rick
- Rick Romero rick@havokmon.com:
There are additional 'non-official' ClamAV signatures that are meant to detect phishing attempts. They do work, but aren't perfect.
Got a link? Or are you thinking of the SaneSecurity Signatures?
I'm fortunate enough to be on the phishing list, so I wrote a quickie perl script that will grep the logs for all the recipients and then scan their INBOX for the phishing email and remove it before they read it.
I usually use doveadm for this.
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
Quoting Ralf Hildebrandt Ralf.Hildebrandt@charite.de:
- Rick Romero rick@havokmon.com:
There are additional 'non-official' ClamAV signatures that are meant to detect phishing attempts. They do work, but aren't perfect.
Got a link? Or are you thinking of the SaneSecurity Signatures?
Yep. The SaneSecurity Sigs.
I'm fortunate enough to be on the phishing list, so I wrote a quickie perl script that will grep the logs for all the recipients and then scan their INBOX for the phishing email and remove it before they read it.
I usually use doveadm for this.
I'm slow at adopting new technology :) I would definitely do it if I wasn't still running plain old Maildir.
Rick
- Rick Romero rick@havokmon.com:
I usually use doveadm for this.
I'm slow at adopting new technology :) I would definitely do it if I wasn't still running plain old Maildir.
It's working on plain old Maildir :)
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
On 22/09/11 15:39, Rick Romero wrote:
There are additional 'non-official' ClamAV signatures that are meant to detect phishing attempts. They do work, but aren't perfect.
Got a link? Or are you thinking of the SaneSecurity Signatures?
Yep. The SaneSecurity Sigs.
We do use ClamAV+SaneSecurity on incoming email, but these are *very* targeted phishing attacks, and lots of them manage to get through. The Kochi application that I brought up sits on the *outgoing* mail routers and prevents people sending out their login details once they've been tricked.
-- Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
Am 22.09.2011 16:42, schrieb dovecot@lists.grepular.com:
On 22/09/11 15:39, Rick Romero wrote:
There are additional 'non-official' ClamAV signatures that are meant to detect phishing attempts. They do work, but aren't perfect.
Got a link? Or are you thinking of the SaneSecurity Signatures?
Yep. The SaneSecurity Sigs.
We do use ClamAV+SaneSecurity on incoming email, but these are *very* targeted phishing attacks, and lots of them manage to get through. The Kochi application that I brought up sits on the *outgoing* mail routers and prevents people sending out their login details once they've been tricked.
Yes, you're right. After all, this isn't really Dovecot related; wasn't the original topic about brute force POP/IMAP attacks?
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Am 22.09.2011 16:36, schrieb Ralf Hildebrandt:
- Rick Romero rick@havokmon.com:
There are additional 'non-official' ClamAV signatures that are meant to detect phishing attempts. They do work, but aren't perfect.
Got a link? Or are you thinking of the SaneSecurity Signatures?
I'm fortunate enough to be on the phishing list, so I wrote a quickie perl script that will grep the logs for all the recipients and then scan their INBOX for the phishing email and remove it before they read it.
I usually use doveadm for this.
Why not simply use clamav-milter with SaneSecurity sigs (works like a charm here) so the stuff never gets into mailboxes? If you don't like reject, then hold for manual human admin interaction.
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
On 9/22/2011 9:42 AM, Robert Schetterer wrote:
Why not simply use clamav-milter with SaneSecurity sigs (works like a charm here) so the stuff never gets into mailboxes? If you don't like reject, then hold for manual human admin interaction.
Seems to me this could be done pretty easily with a PCRE/regexp body filter in Postfix, assuming the credentials follow a strict pattern. Apply it to the submission daemon stream and redirect the mail with a filter action to an admin mailbox. I've not written such a thing myself but it seems it would be pretty straightforward.
-- Stan
Am 23.09.2011 15:13, schrieb Stan Hoeppner:
On 9/22/2011 9:42 AM, Robert Schetterer wrote:
Why not simply use clamav-milter with SaneSecurity sigs (works like a charm here) so the stuff never gets into mailboxes? If you don't like reject, then hold for manual human admin interaction.
Seems to me this could be done pretty easily with a PCRE/regexp body filter in Postfix, assuming the credentials follow a strict pattern. Apply it to the submission daemon stream and redirect the mail with a filter action to an admin mailbox. I've not written such a thing myself but it seems it would be pretty straightforward.
Why that difficult? clamav-milter is able to hold mail; simply configure some monitor script alarming the admin when x number of mails are in the hold queue, so he may delete or unhold them after inspection. I do monitoring i.e. with the bb-clone xymon anyway; monitoring Postfix queues is always nice to have.
From clamav-milter.conf:
ACTIONS
The following group of options controls the delievery process under different circumstances. The following actions are available:
- Accept: The message is accepted for delievery
- Reject: Immediately refuse delievery (a 5xx error is returned to the peer)
- Defer: Return a temporary failure message (4xx) to the peer
- Blackhole (not available for OnFail): Like Accept but the message is sent to oblivion
- Quarantine (not available for OnFail): Like Accept but message is quarantined instead of being delivered. NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ. For Postfix this causes the message to be placed on hold.
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
- Rick Baartman baartman@lin12.triumf.ca:
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
And? Any success?
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
Fail2Ban is an excellent tool to deal with this sort of thing.
On Mon, 19 Sep 2011 10:05:47 -0700, Rick Baartman wrote
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
rick baartman
TRIUMF 4004 Wesbrook Mall Vancouver, BC V6T2A3
I've stopped trying to catch up, I'm just trying to limit the rate at which I'm falling behind
John Alexander
Am 19.09.2011 19:05, schrieb Rick Baartman:
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
I can advise you to use Fail2Ban. This will block that IP address after a customizable number of failed logins.
In addition you can whois this IP address and send an email to its abuse@provider.