
Massive password attacks via qpsmtpd


holck:
Recently I have experienced massive password attacks via qpsmtpd. The qpsmtpd log file shows thousands of lines like these:

--- Code: ---2013-12-11 11:51:55.684264500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
2013-12-11 11:51:56.057305500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
2013-12-11 11:51:56.430513500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -

--- End code ---
The messages go on and on; in this particular attempt of misuse it was 2700+ failed authentications within 20 minutes. Attempts are tried for supposed standard user names: payments, test, info, user ...

Is it possible to limit these attacks, e.g. block the attacker after 5 or 10 failed attempts? I have installed and use fail2ban, but as the logfile doesn't show the attacker's IP address, fail2ban doesn't seem to help here.

Jesper, Denmark

mmccarn:

When I intentionally generate a failed qpsmtpd connection I get a logterse entry showing the remote IP:

--- Code: ---logging::logterse plugin (deny): ` 192.168.2.195       pc-00195.localnet.local  mywkstn.org                     auth::auth_cvm_unix_local       901     authcvm/login   msg denied before queued
--- End code ---

Can this entry be used w/ fail2ban?

mmccarn:
Would check_earlytalker help at all?
http://wiki.contribs.org/Qpsmtpd_check_earlytalker

Jean-Philippe Pialasse:
http://wiki.contribs.org/Fail2ban

plus what has been proposed in the two answers.


by default fail2ban should ban this kind of attack

jester:
Sorry to bring up an old thread, but I've been bombarded in exactly the same manner, except this time for SQPSMTPD, and fail2ban does not block this kind of attack. In a matter of a few hours almost 40Mb of logs (/var/log/sqpsmtpd/) have been filled with this garbage. For the moment I've manually blocked the IP, but I'm betting they'll be back from a different address.


--- Code: ---@40000000531680ce378ad964 3903 Accepted connection 0/10 from 46.149.111.145 / 46.149.111.145.atum.vdsinside.com
@40000000531680ce378bb80c 3903 Connection from 46.149.111.145.atum.vdsinside.com [46.149.111.145]
@40000000531680ce378bbfdc 3903 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@40000000531680ce378bc3c4 3903 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@40000000531680ce378bc7ac 3903 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@40000000531680cf015a4a64 3903 tls plugin (connect): Connected via SMTPS
@40000000531680d00159ae24 3903 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
@40000000531680d002a19f44 3903 220 www.myserver.org ESMTP
@40000000531680d007535bcc 3903 dispatching EHLO 127.0.0.1
@40000000531680d007cce12c 3903 250-myserver.org Hi 46.149.111.145.atum.vdsinside.com [46.149.111.145]
@40000000531680d007cce8fc 3903 250-PIPELINING
@40000000531680d007ccece4 3903 250-8BITMIME
@40000000531680d007ccf0cc 3903 250-SIZE 15000000
@40000000531680d007ccf4b4 3903 250 AUTH PLAIN LOGIN
@40000000531680d00c00e234 3903 dispatching AUTH LOGIN
@40000000531680d00c30f2e4 3903 334 VXNlcm5hbWU6
@40000000531680d010806744 3903 334 UGFzc3dvcmQ6
@40000000531680d0149bcf6c 3903 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: webmail^@^@^@^@^@^@^@^@^@^@^@^@^@
@40000000531680d015cb662c 3903 535 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d015cb71e4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d019e24dfc 3903 dispatching AUTH LOGIN
@40000000531680d019e259b4 3903 334 VXNlcm5hbWU6
@40000000531680d01df05844 3903 334 UGFzc3dvcmQ6
@40000000531680d02208844c 3903 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: webmail^@^@^@^@^@^@^@^@^@^@^@^@^@
@40000000531680d022089004 3903 535 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d0220893ec 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d0262115e4 3903 dispatching AUTH LOGIN
@40000000531680d026211db4 3903 334 VXNlcm5hbWU6
@40000000531680d02a2f56dc 3903 334 UGFzc3dvcmQ6
@40000000531680d02e5ec01c 3903 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: webmail^@^@^@^@^@^@^@^@^@^@^@^@^@
@40000000531680d02e5ecbd4 3903 535 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d02e5ed3a4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d032856b14 3903 dispatching AUTH LOGIN
@40000000531680d0328576cc 3903 334 VXNlcm5hbWU6
@40000000531680d036a013d4 3903 334 UGFzc3dvcmQ6

--- End code ---


I don't know diddly squat about regular expressions... so maybe a regexp guru can tell if it would be possible to come up with a regexp for this attack so we can block it in the future?!

Regards.
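The core problem in both logs above is that the "Authentication failed for ..." line never carries the client address: the address only appears on the earlier "Connection from ... [IP]" line of the same worker PID, and a per-line fail2ban failregex cannot join the two. The script below is an added example (not code from SME Server, qpsmtpd or any poster in this thread) that does that join itself: it parses both the tai64n-stamped sqpsmtpd format and the human-readable qpsmtpd format, remembers which IP each PID is serving, counts one failure per attempt (the sqpsmtpd log writes each failure twice, once as the "535" SMTP reply and once as a bare note), strips the NUL padding shown as ^@ in the pasted logs, and reports which addresses exceed a threshold inside a time window. It also shows a fail2ban-style failregex for the logterse deny line mmccarn posted, since that line does contain the IP. The sample log lines, hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed for the example, and the expansion of fail2ban's `<HOST>` token is a simplified stand-in, not fail2ban's own definition.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Two line shapes seen in the thread: tai64n-stamped (sqpsmtpd) and
# human-readable (qpsmtpd). In both, the worker PID follows the timestamp.
TAI64N_RE = re.compile(r'^@([0-9a-f]{16})([0-9a-f]{8}) (\d+) (.*)$')
ISO_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ (\d+) (.*)$')
CONN_RE = re.compile(r'^Connection from \S+ \[([0-9A-Fa-f.:]+)\]')
# Match only the bare note, not the "535 Authentication failed" SMTP reply
# that sqpsmtpd logs as well, so each attempt is counted exactly once.
FAIL_RE = re.compile(r'^Authentication failed for (\S*)')

# fail2ban-style failregex for the logterse deny line; the client IP is the
# first field after the backtick, so no PID correlation is needed there.
LOGTERSE_FAILREGEX = r'logterse plugin \(deny\): ` <HOST>\s+\S+\s+\S+\s+auth::\S+'
HOST_GROUP = r'(?P<host>[\w\-.^_]*\w)'   # simplified <HOST> expansion (assumption)

def logterse_host(line):
    """Return the IP a fail2ban jail would extract from a logterse deny line."""
    m = re.search(LOGTERSE_FAILREGEX.replace('<HOST>', HOST_GROUP), line)
    return m.group('host') if m else None

def parse_line(line):
    """Split a log line into (epoch_seconds, pid, message); None if unknown."""
    m = TAI64N_RE.match(line)
    if m:
        # tai64n: 16 hex digits of seconds offset by 2**62, then nanoseconds.
        # The TAI/UTC leap-second offset is ignored; only differences matter.
        return int(m.group(1), 16) - 2 ** 62, m.group(3), m.group(4)
    m = ISO_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
        return ts.replace(tzinfo=timezone.utc).timestamp(), m.group(2), m.group(3)
    return None

def clean_user(raw):
    """Strip the NUL padding sent by the client (shown as ^@ by cat -v)."""
    return raw.replace('^@', '').rstrip('\x00')

def attribute_failures(lines):
    """Map each failed AUTH to a client IP via the PID's last 'Connection from'."""
    pid_ip = {}
    failures = defaultdict(list)   # ip -> [(epoch_seconds, username), ...]
    unattributed = 0
    for line in lines:
        parsed = parse_line(line.rstrip('\n'))
        if parsed is None:
            continue
        ts, pid, msg = parsed
        m = CONN_RE.match(msg)
        if m:
            pid_ip[pid] = m.group(1)      # this worker now serves this client
            continue
        m = FAIL_RE.match(msg)
        if m:
            ip = pid_ip.get(pid)
            if ip is None:
                unattributed += 1         # no connect line seen for this PID
            else:
                failures[ip].append((ts, clean_user(m.group(1))))
    return dict(failures), unattributed

def offenders(failures, threshold=5, window=600):
    """IPs with at least `threshold` failures inside any `window` seconds."""
    hits = []
    for ip, events in failures.items():
        times = sorted(ts for ts, _ in events)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(ip)
                break
    return hits

# Constructed sample: one worker (3903) hammered by one client, a second
# worker (4102) with two failures, and a qpsmtpd-style line with no connect.
SAMPLE_LOG = [
    "@40000000531680ce378bb80c 3903 Connection from vps.example.net [192.0.2.10]",
    "@40000000531680d015cb662c 3903 535 Authentication failed for webmail\x00\x00 -",
    "@40000000531680d015cb71e4 3903 Authentication failed for webmail\x00\x00 -",
    "@40000000531680d122089004 3903 535 Authentication failed for webmail\x00\x00 -",
    "@40000000531680d1220893ec 3903 Authentication failed for webmail\x00\x00 -",
    "@40000000531680d22e5ed3a4 3903 Authentication failed for webmail\x00 -",
    "@40000000531680d33285ff00 3903 Authentication failed for test\x00 -",
    "@40000000531680d400000000 3903 Authentication failed for info -",
    "@40000000531680d500000000 3903 Authentication failed for user -",
    "@40000000531680cf00000000 4102 Connection from mail.example.org [198.51.100.7]",
    "@40000000531680d600000000 4102 Authentication failed for payments -",
    "@40000000531680d700000000 4102 Authentication failed for payments -",
    "2013-12-11 11:51:55.684264500 13420 Authentication failed for payments^@^@^@ -",
]

if __name__ == '__main__':
    fails, lost = attribute_failures(SAMPLE_LOG)
    for ip, events in fails.items():
        print(ip, len(events), sorted({u for _, u in events}))
    print('unattributed:', lost, 'offenders:', offenders(fails))
```

Run it against a real log with `attribute_failures(open('/var/log/sqpsmtpd/current', errors='replace'))`; the returned `offenders` list is what you would feed to an iptables or fail2ban `banaction` rather than trying to express the PID join in a failregex. Failures counted as unattributed mean the "Connection from" line fell outside the excerpt (or was rotated away), which is exactly why holck's excerpt alone could not be matched to an address.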
