
Thread: Brute force attempts into my mailserver?

  1. #1
    Join Date
    Apr 2009
    Location
    Saitama, Japan
    Beans
    132
    Distro
    Ubuntu 10.04 Lucid Lynx

    Brute force attempts into my mailserver?

    Hi. I just noticed these live logs when I was tailing my mail.log. There were masses of these log entries with the same IP address.
    Feb 26 11:49:25 revomix postfix/smtpd[3074]: lost connection after AUTH from unknown[ip.address.]
    Feb 26 11:49:25 revomix postfix/smtpd[3074]: disconnect from unknown[ip.address]
    Feb 26 11:49:26 revomix postfix/smtpd[3074]: connect from unknown[ip.address]
    Feb 26 11:49:26 revomix postfix/smtpd[3074]: lost connection after AUTH from unknown[ip.address]
    Feb 26 11:49:26 revomix postfix/smtpd[3074]: disconnect from unknown[ip.address]
    Feb 26 11:49:27 revomix postfix/smtpd[3074]: connect from unknown[ip.address]
    Feb 26 11:49:28 revomix postfix/smtpd[3074]: lost connection after AUTH from unknown[ip.address]
    Feb 26 11:49:28 revomix postfix/smtpd[3074]: disconnect from unknown[ip.address]
    Feb 26 11:49:28 revomix postfix/smtpd[3074]: connect from unknown[ip.address]

  2. #2
    Join Date
    Dec 2011
    Location
    Florida
    Beans
    Hidden!
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: Brute force attempts into my mailserver?

    Looks like it. You could block the IP, but I wouldn't expect that to help for very long. Are they getting authenticated or is it failing? Are they hitting a particular account or does it look more like a script testing different logins?

    Sorry, I'm used to more detailed logs.

    If they are not getting authenticated it's really not atypical. You can set up measures like a limited number of attempts and such. That's what I did after an account on one of my servers was compromised. 10 failed attempts and wait 90 minutes! Worked like a charm (along with stricter password requirements).

  3. #3
    Join Date
    Oct 2011
    Location
    /root
    Beans
    956
    Distro
    Ubuntu

    Re: Brute force attempts into my mailserver?

    You should have posted the IP and I could have told you where it was coming from.

    Anyway, I also noticed my Apache server was being bruteforced. There are bots on the internet that scan all possible IPs and ports and there is nothing we can do... Most infected PCs seem to be coming from China or Southeast Asia in my case.

    Google "fail2ban", install it, and configure it to work with your specific mail server applications (it supports many, many different applications).
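As an added illustration of the two suggestions above (the "10 failed attempts, wait 90 minutes" policy from #2 and the fail2ban approach from #3), the script below is not part of the thread or of fail2ban itself: it reads lines in the postfix/smtpd format the original poster pasted, counts "lost connection after AUTH" events per IP the way fail2ban's maxretry/findtime/bantime would, and reports which IPs would be banned. The sample log is constructed; 192.0.2.0/24 is a documentation range and the year is assumed to be 2012 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the smtpd line shape shown in the thread; the source IP is whatever sits
# inside the brackets after "unknown" (or a resolved hostname).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[^\]]+)\]"
)

def parse_ts(ts, year=2012):
    # Syslog timestamps have no year; the thread is from 2012, so assume that.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, maxretry=10, findtime=timedelta(minutes=10),
                   bantime=timedelta(minutes=90)):
    """Return {ip: ban_expiry} for IPs with >= maxretry AUTH failures inside findtime."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # connect/disconnect lines are not failures
        ip, when = m["ip"], parse_ts(m["ts"])
        if ip in bans and when < bans[ip]:
            continue               # already banned; a firewall would drop this
        window = [t for t in failures[ip] if when - t <= findtime] + [when]
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = when + bantime
            failures[ip] = []      # start counting afresh once the ban expires
    return bans

# Constructed sample: 12 connect/AUTH-fail/disconnect triplets from one host
# (one per second, like the thread's log) plus a single failure from another.
SAMPLE_LOG = [
    f"Feb 26 11:49:{25 + i:02d} revomix postfix/smtpd[3074]: {event} from unknown[192.0.2.10]"
    for i in range(12)
    for event in ("connect", "lost connection after AUTH", "disconnect")
] + ["Feb 26 11:50:01 revomix postfix/smtpd[3074]: lost connection after AUTH from unknown[192.0.2.20]"]

if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Only the host that reaches ten failures inside the window is banned; the single failure from the second host is the normal background noise the later replies describe.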


  4. #4
    Join Date
    Apr 2009
    Location
    Saitama, Japan
    Beans
    132
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Brute force attempts into my mailserver?

    This is pretty much all there is to the log. Just repetition of the same IP.

    I didn't want to post the IP just in case it wasn't a hack. I can't say for sure if they are using an exact email address. I don't think so, or it would show up in the log. It is probably coming from China, as most of my email accounts were attacked from China.

    I use flurdy's guide for my mail server. How do I set up security measures? What files do I need to edit?

    I saw a thread about fail2ban. I will also look into that as well.

  5. #5
    Join Date
    Sep 2007
    Location
    In here watching you!
    Beans
    Hidden!

    Re: Brute force attempts into my mailserver?

    If you expose a service like mail, ssh, rdp, ftp, etc., this happens. There are all sorts of people/BOTS looking for open services. As long as they aren't successful at getting into your server then don't get too paranoid about it. At first it bothered me; however, I have seen so many failed attempts over the years that I find it funny these days.

    I am not complacent assuming I am secure. I still check the logs occasionally.
    Last edited by Old_Grey_Wolf; February 26th, 2012 at 05:13 AM.
    Use whatever OS or desktop works for you. Dual boot or use VMs if you want. Backup your computer regularly, and definitely before upgrading, partitioning, or installing an OS.

    No support requests by PM please.

  6. #6
    Join Date
    Dec 2011
    Location
    Florida
    Beans
    Hidden!
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: Brute force attempts into my mailserver?

    You can start here http://flurdy.com/docs/postfix/#extend

    Like Gray Wolf said though, if they aren't getting in it's really nothing to lose sleep over. I'm not familiar with that mail system, but the attempts per timeframe thing worked great for me even after a compromise (and therefore greatly increased attempts).

  7. #7
    Join Date
    May 2011
    Beans
    121

    Re: Brute force attempts into my mailserver?

    Make sure your password isn't weak.
    Very, very bad when bruteforcing comes along.

    Same goes for routers, accounts, mail servers.

    Looks like somebody tried to get into your mail server.

    I don't know why they would brute force.

    Getting into mail accounts is easy.

    Anyway, just make sure the password isn't weak.
    Just to be sure, if he or she brute forces again.
    Linux Freedom

  8. #8
    Join Date
    Apr 2009
    Location
    Saitama, Japan
    Beans
    132
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Brute force attempts into my mailserver?

    I am looking at the auth.log as well. I don't see any activities within that timeframe of attacks. They weren't successful if there were no entries?

  9. #9
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,259
    Distro
    Ubuntu

    Re: Brute force attempts into my mailserver?

    If you are worried, you could just install Fail2Ban.

  10. #10
    Join Date
    Dec 2011
    Location
    Florida
    Beans
    Hidden!
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: Brute force attempts into my mailserver?

    Quote Originally Posted by duceduc:
    I am looking at the auth.log as well. I don't see any activities within that timeframe of attacks. They weren't successful if there were no entries?
    Correct. If nothing was authed you have most likely not been compromised in any way. Failed attempts are common. Probably just a bot scanning your server looking for an easy target to send spam from.
