Massive password attacks via qpsmtpd
holck:
As I understand it, fail2ban scans the qpsmtpd log for failures, and searches for lines like this
--- Code: ---@40000000531680d015cb71e4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
--- End code ---
But, unfortunately, the line doesn't show any IP address, so fail2ban doesn't know which IP address to ban.
To block attacks like this, qpsmtpd must be changed in order to log the IP address in question. This is the usual behavior for qpsmtpd; I don't know why the addresses aren't logged in these attacks.
Jesper, Denmark
jester:
--- Quote from: holck on March 05, 2014, 07:45:52 AM ---But, unfortunately, the line doesn't show any IP address, so fail2ban doesn't know which IP address to ban.
--- End quote ---
Yup, that is what the logterse plugin should do, put it into one line. But somehow this type of attack manages to slip past it. The next version of fail2ban (0.9) should allow for multi-line log checking... but I don't think it will be available for SME8, maybe SME9 when it is finished.
I would also expect some sort of max authentication retry check by qpsmtpd (or the plugin).
holck:
I have now discovered that qpsmtpd seems to have a problem with usernames with embedded x00 characters. Using a terminal, I try to login, first as user "testuser" (base64 encoded):
--- Code: ---jes@holck-desktop:/tmp$ telnet ibsgaarden.dk 25
Trying 192.168.10.1...
Connected to ibsgaarden.dk.
Escape character is '^]'.
220 katrine.ibsgaarden.dk ESMTP
ehlo jesper.ibsgaarden.dk
250-ibsgaarden.dk Hi pc-00089.ibsgaarden.dk [192.168.10.89]
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-STARTTLS
250 AUTH PLAIN LOGIN
auth login
334 VXNlcm5hbWU6
dGVzdHVzZXI=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
535 Authentication failed for testuser - authcvm/login
QUIT
--- End code ---
And the qpsmtpd log file shows
--- Code: ---2014-08-12 15:53:55.791253500 6530 logging::logterse plugin (deny): ` 192.168.10.89 pc-00089.ibsgaarden.dk jesper.ibsgaarden.dk auth::auth_cvm_unix_local 901 authcvm/login msg denied before queued
2014-08-12 15:53:55.791489500 6530 Authentication failed for testuser - authcvm/login
--- End code ---
But then I try the same with user "testuser\x00\x00\x00\x00\x00\x00", i.e. the letters "testuser", followed by six 00-bytes:
--- Code: ---jes@holck-desktop:/tmp$ telnet ibsgaarden.dk 25
Trying 192.168.10.1...
Connected to ibsgaarden.dk.
Escape character is '^]'.
220 katrine.ibsgaarden.dk ESMTP
ehlo jesper.ibsgaarden.dk
250-ibsgaarden.dk Hi pc-00089.ibsgaarden.dk [192.168.10.89]
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-STARTTLS
250 AUTH PLAIN LOGIN
auth login
334 VXNlcm5hbWU6
dGVzdHVzZXIAAAAAAAA=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
535 Authentication failed for testuser -
--- End code ---
The login fails, as it should, but this time the qpsmtpd log file only shows
--- Code: ---2014-08-12 15:55:03.957949500 6756 Authentication failed for testuser -
--- End code ---
Notice the missing line from the logterse plugin. So no IP address is logged, and fail2ban can't do anything.
I guess this should be reported to the qpsmtpd developers?
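The following is an added example, not code from this thread or from the qpsmtpd or fail2ban projects. It makes the two findings above concrete: the base64 username from the second telnet session decodes to "testuser" followed by six NUL bytes, and a single-line fail2ban regex on "Authentication failed" has no IP to work with. The script escapes non-printable bytes so NULs cannot hide in a log line, and it pairs each "Authentication failed" line with the logterse line carrying the same qpsmtpd PID, flagging failures that have no logterse partner (the case jester mentions, where multi-line checking would be needed). The sample log lines are constructed, modelled on the ones quoted above; the function names and the PID-pairing heuristic are this example's own assumptions.

```python
import base64
import re

# Constructed sample log, modelled on the qpsmtpd lines quoted in this thread.
# The third line carries real NUL bytes in the username, which a terminal
# would render as ^@ (as in the first post) or not show at all.
SAMPLE_LOG = (
    "2014-08-12 15:53:55.791253500 6530 logging::logterse plugin (deny): "
    "` 192.168.10.89 pc-00089.ibsgaarden.dk jesper.ibsgaarden.dk "
    "auth::auth_cvm_unix_local 901 authcvm/login msg denied before queued\n"
    "2014-08-12 15:53:55.791489500 6530 Authentication failed for testuser - authcvm/login\n"
    "2014-08-12 15:55:03.957949500 6756 Authentication failed for testuser"
    + "\x00" * 6 + " -\n"
)

# Assumed line shapes, taken from the log excerpts in the thread:
# "<date> <time> <pid> logging::logterse plugin (deny): ` <ip> <helo-host> ..."
# "<date> <time> <pid> Authentication failed for <user> - <auth-method>"
LOGTERSE_RE = re.compile(r"^\S+ \S+ (\d+) logging::logterse plugin \(deny\): ` (\S+) ")
AUTHFAIL_RE = re.compile(r"^\S+ \S+ (\d+) Authentication failed for (.*?) -")


def decode_auth_username(b64_token: str) -> bytes:
    """Decode the base64 username from an AUTH LOGIN exchange, keeping the raw bytes."""
    return base64.b64decode(b64_token)


def sanitize_for_log(raw: bytes) -> str:
    """Escape anything outside printable ASCII as \\xNN so NUL bytes are visible in a log line."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def correlate_failures(log_text: str) -> list:
    """Pair each 'Authentication failed' line with the logterse line of the same qpsmtpd PID.

    Returns one record per failure: the remote IP when a logterse line supplied it,
    or ip=None (flagged suspicious) when no such line exists, as in the NUL-byte case.
    A username containing NUL is flagged as well, even if an IP was found.
    """
    ip_by_pid = {}
    records = []
    for line in log_text.splitlines():
        m = LOGTERSE_RE.match(line)
        if m:
            ip_by_pid[m.group(1)] = m.group(2)
            continue
        m = AUTHFAIL_RE.match(line)
        if m:
            pid, user = m.group(1), m.group(2)
            ip = ip_by_pid.pop(pid, None)
            records.append({
                "pid": pid,
                "user": sanitize_for_log(user.encode("latin-1")),
                "ip": ip,
                "suspicious": ip is None or "\x00" in user,
            })
    return records


if __name__ == "__main__":
    # The username token from the second telnet session in the thread
    print(sanitize_for_log(decode_auth_username("dGVzdHVzZXIAAAAAAAA=")))
    for rec in correlate_failures(SAMPLE_LOG):
        print(rec)
```

Run against the sample log, the first failure resolves to 192.168.10.89 through PID 6530, while the second (PID 6756) has no logterse line and comes out with ip=None, which is exactly why a single-line fail2ban filter finds nothing to ban. Escaping the username before logging is the change one would want in qpsmtpd itself: with the NULs written as \x00, a plain regex can at least flag the pattern even when the IP is missing.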
jester:
--- Quote from: holck on August 12, 2014, 04:08:23 PM ---I guess this should be reported to the qpsmtpd developers?
--- End quote ---
Nice find! Yes, that would be the best thing to do.
CharlieBrady:
--- Quote from: holck on August 12, 2014, 04:08:23 PM ---I guess this should be reported to the qpsmtpd developers?
--- End quote ---
Yes, but also report it to the contribs.org bug tracker.