Koozali.org: home of the SME Server

Massive password attacks via qpsmtpd

Offline holck

Massive password attacks via qpsmtpd
« on: December 14, 2013, 09:56:10 AM »
Recently I have experienced massive password attacks via qpsmtpd. The qpsmtpd log file shows thousands of lines like these:
Code:
2013-12-11 11:51:55.684264500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
2013-12-11 11:51:56.057305500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
2013-12-11 11:51:56.430513500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
The messages go on and on; in this particular attempt of misuse it was 2700+ failed authentications within 20 minutes. Attempts are tried for supposed standard user names: payments, test, info, user ...

Is it possible to limit these attacks, e.g. block the attacker after 5 or 10 failed attempts? I have installed and use fail2ban, but as the logfile doesn't show the attacker's IP address, fail2ban doesn't seem to help here.

Jesper, Denmark

Offline mmccarn

Re: Massive password attacks via qpsmtpd
« Reply #1 on: December 14, 2013, 04:23:54 PM »

When I intentionally generate a failed qpsmtpd connection I get a logterse entry showing the remote IP:
Code:
logging::logterse plugin (deny): ` 192.168.2.195       pc-00195.localnet.local  mywkstn.org                     auth::auth_cvm_unix_local       901     authcvm/login   msg denied before queued
Can this entry be used w/ fail2ban?
« Last Edit: December 14, 2013, 04:38:45 PM by mmccarn »

Offline mmccarn

Re: Massive password attacks via qpsmtpd
« Reply #2 on: December 14, 2013, 06:04:32 PM »
Would check_earlytalker help at all?
http://wiki.contribs.org/Qpsmtpd_check_earlytalker

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Massive password attacks via qpsmtpd
« Reply #3 on: December 17, 2013, 05:46:24 PM »
http://wiki.contribs.org/Fail2ban

plus what has been proposed in the two answers.


by default fail2ban should ban this kind of attack

Offline jester

Re: Massive password attacks via Sqpsmtpd
« Reply #4 on: March 05, 2014, 03:59:29 AM »
Sorry to bring up an old thread, but I've been bombarded in exactly the same manner except this time for SQPSMTPD, and fail2ban does not block this kind of attack. In a matter of a few hours almost 40Mb of logs (/var/log/sqpsmtpd/) have been filled with this garbage. For the moment I've manually blocked the IP, but I'm betting they'll be back from a different address.

Code:
@40000000531680ce378ad964 3903 Accepted connection 0/10 from 46.149.111.145 / 46.149.111.145.atum.vdsinside.com
@40000000531680ce378bb80c 3903 Connection from 46.149.111.145.atum.vdsinside.com [46.149.111.145]
@40000000531680ce378bbfdc 3903 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@40000000531680ce378bc3c4 3903 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@40000000531680ce378bc7ac 3903 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@40000000531680cf015a4a64 3903 tls plugin (connect): Connected via SMTPS
@40000000531680d00159ae24 3903 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
@40000000531680d002a19f44 3903 220 www.myserver.org ESMTP
@40000000531680d007535bcc 3903 dispatching EHLO 127.0.0.1
@40000000531680d007cce12c 3903 250-myserver.org Hi 46.149.111.145.atum.vdsinside.com [46.149.111.145]
@40000000531680d007cce8fc 3903 250-PIPELINING
@40000000531680d007ccece4 3903 250-8BITMIME
@40000000531680d007ccf0cc 3903 250-SIZE 15000000
@40000000531680d007ccf4b4 3903 250 AUTH PLAIN LOGIN
@40000000531680d00c00e234 3903 dispatching AUTH LOGIN
@40000000531680d00c30f2e4 3903 334 VXNlcm5hbWU6
@40000000531680d010806744 3903 334 UGFzc3dvcmQ6
@40000000531680d0149bcf6c 3903 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: webmail^@^@^@^@^@^@^@^@^@^@^@^@^@
@40000000531680d015cb662c 3903 535 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d015cb71e4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d019e24dfc 3903 dispatching AUTH LOGIN
@40000000531680d019e259b4 3903 334 VXNlcm5hbWU6
@40000000531680d01df05844 3903 334 UGFzc3dvcmQ6
@40000000531680d02208844c 3903 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: webmail^@^@^@^@^@^@^@^@^@^@^@^@^@
@40000000531680d022089004 3903 535 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d0220893ec 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d0262115e4 3903 dispatching AUTH LOGIN
@40000000531680d026211db4 3903 334 VXNlcm5hbWU6
@40000000531680d02a2f56dc 3903 334 UGFzc3dvcmQ6
@40000000531680d02e5ec01c 3903 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: webmail^@^@^@^@^@^@^@^@^@^@^@^@^@
@40000000531680d02e5ecbd4 3903 535 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d02e5ed3a4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
@40000000531680d032856b14 3903 dispatching AUTH LOGIN
@40000000531680d0328576cc 3903 334 VXNlcm5hbWU6
@40000000531680d036a013d4 3903 334 UGFzc3dvcmQ6


I don't know diddly squat about regular expressions... so maybe a regexp guru can tell if it would be possible to come up with a regexp for this attack so we can block it in the future?!

Regards.
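An added example (not code from this thread or from the qpsmtpd/fail2ban projects) of the regexp approach asked about above, combined with mmccarn's logterse suggestion. The per-attempt "Authentication failed" line carries no address, but it does carry the PID column, and the same PID appears on the "Connection from host [ip]" line written when the session opened and on the logterse summary line. The parser below joins the two through that PID, counts failures per remote IP, and escapes the NUL bytes so the usernames are readable. The log lines are constructed in the format shown in the posts (addresses and hostnames made up, usernames containing literal NUL bytes where the forum shows ^@); the assumption is that one PID belongs to one session within the text being scanned.

```python
import re
from collections import defaultdict

# Constructed sample in the qpsmtpd log layout seen in this thread
# (tai64n timestamp, PID, message). Addresses and hostnames are made up,
# and the usernames carry literal NUL bytes, which the forum renders as ^@.
SAMPLE_LOG = (
    "@40000000531680ce378bb80c 3903 Connection from vps.example.net [203.0.113.5]\n"
    "@40000000531680d00c00e234 3903 dispatching AUTH LOGIN\n"
    "@40000000531680d015cb662c 3903 535 Authentication failed for webmail\x00\x00\x00 -\n"
    "@40000000531680d015cb71e4 3903 Authentication failed for webmail\x00\x00\x00 -\n"
    "@40000000531680d0220893ec 3903 Authentication failed for webmail\x00\x00\x00 -\n"
    "@40000000531680d02e5ed3a4 3903 Authentication failed for webmail\x00\x00\x00 -\n"
    "@40000000531680d032856b14 3903 Authentication failed for payments\x00 -\n"
    "@40000000531680d1378bb80c 4102 Connection from pc-00089.example.org [192.0.2.89]\n"
    "@40000000531680d1400c1000 4102 logging::logterse plugin (deny): ` 192.0.2.89 "
    "pc-00089.example.org client.example.org auth::auth_cvm_unix_local 901 "
    "authcvm/login msg denied before queued\n"
    "@40000000531680d1400c0000 4102 Authentication failed for testuser - authcvm/login\n"
    # Session whose "Connection from" line is missing (e.g. rotated away); the
    # logterse line arrives only after the failure, so it must be resolved late.
    "@40000000531680d2000c0000 5000 Authentication failed for info\x00\x00 -\n"
    "@40000000531680d2000c1000 5000 logging::logterse plugin (deny): ` 198.51.100.7 "
    "scanner.example.com client.example.org auth::auth_cvm_unix_local 901 "
    "authcvm/login msg denied before queued\n"
)

# "Connection from <host> [<ip>]" is written when the session opens, before any AUTH.
CONN_RE = re.compile(r"^@\S+ (?P<pid>\d+) Connection from \S+ \[(?P<ip>[^\]]+)\]")
# The logterse summary carries the remote IP as the first field after the backtick.
LOGTERSE_RE = re.compile(r"^@\S+ (?P<pid>\d+) logging::logterse plugin \(deny\): ` (?P<ip>\S+) ")
# The per-attempt failure line names the user but no address. The "535 ..." reply
# line is deliberately not matched so that each attempt is counted once.
FAIL_RE = re.compile(r"^@\S+ (?P<pid>\d+) Authentication failed for (?P<user>.*?) -")


def log_safe(user: str) -> str:
    """Render a username for alerts, escaping NUL and other control characters."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else f"\\x{ord(c):02x}" for c in user)


def failed_auths_by_ip(log_text: str):
    """Attribute every 'Authentication failed' line to a remote IP via the PID column.

    Returns (failures, orphans): failures maps IP -> list of attempted usernames,
    orphans lists (pid, user) pairs whose session never produced an address line.
    """
    pid_to_ip = {}
    failures = defaultdict(list)
    orphans = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line) or LOGTERSE_RE.match(line)
        if m:
            pid_to_ip[m["pid"]] = m["ip"]
            # A late logterse line resolves failures logged earlier in the same session.
            still_orphaned = []
            for pid, user in orphans:
                if pid == m["pid"]:
                    failures[m["ip"]].append(user)
                else:
                    still_orphaned.append((pid, user))
            orphans = still_orphaned
            continue
        m = FAIL_RE.match(line)
        if m:
            ip = pid_to_ip.get(m["pid"])
            if ip is None:
                orphans.append((m["pid"], m["user"]))
            else:
                failures[ip].append(m["user"])
    return dict(failures), orphans


def hosts_over_threshold(failures, limit):
    """IPs with at least `limit` failed attempts, most failures first."""
    hits = [(ip, len(users)) for ip, users in failures.items() if len(users) >= limit]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    failures, orphans = failed_auths_by_ip(SAMPLE_LOG)
    for ip, count in hosts_over_threshold(failures, limit=3):
        users = sorted({log_safe(u) for u in failures[ip]})
        print(f"{ip}: {count} failed AUTH attempts, users tried: {', '.join(users)}")
    for pid, user in orphans:
        print(f"unattributed failure in PID {pid} for {log_safe(user)}")
```

Where only the logterse line is available, the `LOGTERSE_RE` pattern with the IP group replaced by fail2ban's `<HOST>` placeholder is the shape a single-line failregex would take; the PID join above is what a single-line filter cannot do on its own.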

Offline holck

Re: Massive password attacks via qpsmtpd
« Reply #5 on: March 05, 2014, 07:45:52 AM »
As I understand it, fail2ban scans the qpsmtpd log for failures, and searches for lines like this
Code:
@40000000531680d015cb71e4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -

But, unfortunately, the line doesn't show any IP address, so fail2ban doesn't know which IP address to ban.

To block attacks like this, qpsmtpd must be changed in order to log the IP address in question. This is the usual behavior for qpsmtpd; I don't know why the addresses aren't logged in these attacks.

Jesper, Denmark

Offline jester

Re: Massive password attacks via qpsmtpd
« Reply #6 on: March 05, 2014, 11:57:24 PM »
But, unfortunately, the line doesn't show any IP address, so fail2ban doesn't know which IP address to ban.

Yup, that is what the logterse plugin should do, put it into one line. But somehow this type of attack manages to slip past it. The next version of fail2ban (0.9) should allow for multi-line log checking... but I don't think it will be available for SME8, maybe SME9 when it is finished.

I would also expect some sort of max authentication retry check by qpsmtpd (or the plugin).

Offline holck

Re: Massive password attacks via qpsmtpd
« Reply #7 on: August 12, 2014, 04:08:23 PM »
I have now discovered that qpsmtpd seems to have a problem with usernames with embedded x00 characters. Using a terminal, I try to login, first as user "testuser" (base64 encoded):

Code:
jes@holck-desktop:/tmp$ telnet ibsgaarden.dk 25
Trying 192.168.10.1...
Connected to ibsgaarden.dk.
Escape character is '^]'.
220 katrine.ibsgaarden.dk ESMTP
ehlo jesper.ibsgaarden.dk
250-ibsgaarden.dk Hi pc-00089.ibsgaarden.dk [192.168.10.89]
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-STARTTLS
250 AUTH PLAIN LOGIN
auth login
334 VXNlcm5hbWU6
dGVzdHVzZXI=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
535 Authentication failed for testuser - authcvm/login
QUIT

And the qpsmtpd log file shows

Code:
2014-08-12 15:53:55.791253500 6530 logging::logterse plugin (deny): ` 192.168.10.89 pc-00089.ibsgaarden.dk jesper.ibsgaarden.dk auth::auth_cvm_unix_local 901 authcvm/login msg denied before queued
2014-08-12 15:53:55.791489500 6530 Authentication failed for testuser - authcvm/login
But then I try the same with user "testuser\x00\x00\x00\x00\x00\x00", i.e. the letters "testuser", followed by six 00-bytes:

Code:
jes@holck-desktop:/tmp$ telnet ibsgaarden.dk 25
Trying 192.168.10.1...
Connected to ibsgaarden.dk.
Escape character is '^]'.
220 katrine.ibsgaarden.dk ESMTP
ehlo jesper.ibsgaarden.dk
250-ibsgaarden.dk Hi pc-00089.ibsgaarden.dk [192.168.10.89]
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-STARTTLS
250 AUTH PLAIN LOGIN
auth login
334 VXNlcm5hbWU6
dGVzdHVzZXIAAAAAAAA=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
535 Authentication failed for testuser -

The login fails, as it should, but this time the qpsmtpd log file only shows

Code:
2014-08-12 15:55:03.957949500 6756 Authentication failed for testuser -

Notice the missing line from the logterse plugin. So no IP address is logged, and fail2ban can't do anything.

I guess this should be reported to the qpsmtpd developers?
« Last Edit: August 12, 2014, 04:13:53 PM by holck »
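An added illustration of the two logins above (this is not holck's code, nor qpsmtpd's): it decodes the AUTH LOGIN username exactly as the server receives it, showing that the second base64 string is "testuser" followed by six NUL bytes, and checks the decoded name for control bytes before it would be handed to an auth backend, producing a log-safe rendering where the NULs are visible instead of appearing as ^@. The base64 strings are the ones from the post; the validation rules and the rejection reasons are this example's own design.

```python
import base64
import binascii
from typing import Optional, Tuple

# The two AUTH LOGIN username responses from the telnet sessions in the post above.
PLAIN_USER = "dGVzdHVzZXI="          # "testuser"
PADDED_USER = "dGVzdHVzZXIAAAAAAAA="  # "testuser" followed by six NUL bytes


def decode_auth_login_field(b64: str) -> bytes:
    """Decode one AUTH LOGIN response (username or password) as the server sees it.
    Raises binascii.Error on input that is not valid base64."""
    return base64.b64decode(b64, validate=True)


def log_safe(raw: bytes) -> str:
    """Escape anything outside printable ASCII so a NUL shows as \\x00 in a log line."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def check_username(b64: str) -> Tuple[str, Optional[str]]:
    """Validate a decoded AUTH LOGIN username before it reaches the auth backend.

    Returns (log_safe_name, reason); reason is None when the name is acceptable,
    otherwise a short string explaining why it should be rejected. The rules here
    (non-empty, printable ASCII only) are this example's own assumptions.
    """
    try:
        raw = decode_auth_login_field(b64)
    except binascii.Error:
        return ("<invalid base64>", "malformed base64")
    if not raw:
        return ("", "empty username")
    bad = [i for i, b in enumerate(raw) if b < 0x20 or b >= 0x7F]
    if bad:
        return (log_safe(raw), f"control/non-ASCII bytes at offsets {bad}")
    return (raw.decode("ascii"), None)


if __name__ == "__main__":
    for b64 in (PLAIN_USER, PADDED_USER):
        name, reason = check_username(b64)
        print(f"{b64!r} -> {name!r}: {'ok' if reason is None else reason}")
```

Rejecting such a name up front, with the escaped form in the log, keeps the failure line both attributable and readable regardless of what the authentication module does with trailing NULs.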

Offline jester

Re: Massive password attacks via qpsmtpd
« Reply #8 on: August 12, 2014, 05:11:36 PM »
I guess this should be reported to the qpsmtpd developers?
Nice find! Yes, that would be the best thing to do.

Offline CharlieBrady

Re: Massive password attacks via qpsmtpd
« Reply #9 on: August 12, 2014, 05:55:27 PM »
I guess this should be reported to the qpsmtpd developers?

Yes, but also report it to the contribs.org bug tracker.

Offline holck

Re: Massive password attacks via qpsmtpd
« Reply #10 on: August 12, 2014, 08:15:39 PM »

Offline CharlieBrady

Re: Massive password attacks via qpsmtpd
« Reply #11 on: August 20, 2014, 09:52:05 PM »
The login fails, as it should, but this time the qpsmtpd log file only shows

Code:
2014-08-12 15:55:03.957949500 6756 Authentication failed for testuser -

Notice the missing line from the logterse plugin. So no IP address is logged, and fail2ban can't do anything.

You don't see the line from the logterse plugin because the conversation is still open - there has just been one failed authentication. If you add 'QUIT', as in your first connection, then you will see the logterse log.