Koozali.org: home of the SME Server

dovecot remote login ip address

robf355
dovecot remote login ip address
« on: May 09, 2024, 11:22:55 AM »
Hi
I'm getting around 3000 failed imap login attempts every day, such as these
       clone: 1 Time(s)
       clotilde: 1 Time(s)
       cloudfront: 1 Time(s)
       cloudmail: 1 Time(s)
       clp: 1 Time(s)
       cmd: 1 Time(s)

The problem is I can't see the ip address. I've changed the dovecot log level to auth_debug_passwords=yes by adding a custom template value, but dovecot just displays the rip as 127.0.0.1:

May  9 10:07:46 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<oracle>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<1h5mwAEYFIp/AAAB>

I've searched the internet but couldn't find a solution. Can anyone advise?
Regards
Rob

mmccarn
Re: dovecot remote login ip address
« Reply #1 on: May 09, 2024, 11:57:13 AM »
IMAP or SMTP access from 127.0.0.1 should be coming from some other service running on the server itself. 

For SMTP this might be a web comment form that is using the SME server for SMTP relay.

For IMAP this might be a webmail app like horde, roundcube, or rainloop. Or it could be a helpdesk or process automation app that is monitoring an IMAP mailbox.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: dovecot remote login ip address
« Reply #2 on: May 09, 2024, 02:07:41 PM »
IMAP on 127.0.0.1 is the auth service for both horde webmail and qpsmtpd.

So any hit on localhost should be filtered at one of these.

fail2ban is part of the answer.

Also check whether you would benefit from disallowing auth on port 25, as a lot of brute-forcing occurs there.


robf355
Re: dovecot remote login ip address
« Reply #3 on: May 09, 2024, 02:53:10 PM »
Thanks for the suggestions. I only have horde installed, but there's nothing in the horde log directories; if I change my password and try to log in, it's recorded there as a failure.
I've disabled webmail access in the server manager and disabled and stopped the httpd service, and the messages are still appearing.
The httpd access and error folders don't show anything either.
Finally, I unplugged the server; login attempts are still happening. The install was a new SME 10 install, migrated from another server.
I would attach outputs of
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
But I must be missing something because I can't see where you add attachments!

Any help would be appreciated

Jean-Philippe Pialasse (aka Unnilennium)
Re: dovecot remote login ip address
« Reply #4 on: May 10, 2024, 01:42:51 PM »
Server only? Gateway?

If gateway, both ethernet cables unplugged?

You did not tell us about the SMTP setting for auth.

robf355
Re: dovecot remote login ip address
« Reply #5 on: May 10, 2024, 03:31:49 PM »
Hi
I am using SME in server-only mode.
I was in error about unplugging the cable; I have just rechecked, and the messages stop.
I used tcpdump on both the SME box and the firewall, and all the login attempts come from Amazon AWS ip addresses. I suppose they could just be proxies, of course.
You mention the smtp auth setting; do you mean the SMTP authentication in the server manager? If so, I have it set to Allow SSMTP (secure).
You mention fail2ban, the contrib description mentions it uses the logs, would this have any effect if the dovecot log is saying the source is localhost?

Jean-Philippe Pialasse (aka Unnilennium)
Re: dovecot remote login ip address
« Reply #6 on: May 11, 2024, 09:25:38 PM »
If it says it is localhost, then the issue is not IMAP auth but qpsmtpd / sqpsmtpd auth (as webmail is disabled and you did not mention having installed roundcube or another webmail).
I invite you to check both daemon logs.

fail2ban does not ban localhost, but it will ban any remote IP on any monitored daemon.

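The two replies above describe one mechanism: a dovecot failure with rip=127.0.0.1 was proxied by a service on the box (horde or qpsmtpd/sqpsmtpd) that uses IMAP as its auth backend, and fail2ban will never ban 127.0.0.1. The Python below is an added example, not code from this thread or from the SME fail2ban contrib. It parses imap-login failure lines in the format quoted in the original post, separates loopback from remote sources, and applies a simplified fail2ban-style maxretry/findtime window with loopback in ignoreip. Only the first sample line is the one quoted above; the others are constructed, the regex is an assumption based on that line, and the real jail's filter and ban logic differ from this model.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog format as in /var/log/messages). Line 1 is the
# line quoted in the thread; the rest are made up to exercise the code.
SAMPLE_LOG = """\
May  9 10:07:46 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<oracle>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<1h5mwAEYFIp/AAAB>
May  9 10:07:49 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<clone>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<2a5mwAEYFIp/AAAC>
May  9 10:08:01 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<3b5mwAEYFIp/AAAD>
May  9 10:08:05 hpserver dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<4c5mwAEYFIp/AAAE>
May  9 10:08:09 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<5d5mwAEYFIp/AAAF>
May  9 10:30:00 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<6e5mwAEYFIp/AAAG>
May  9 10:31:00 hpserver dovecot: imap-login: Login: user=<rob>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=1234, TLS, session=<7f5mwAEYFIp/AAAH>
"""

# Assumed pattern, derived from the single line quoted in the post.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:imap|pop3)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+), lip="
)


def parse_failures(text, year=2024):
    """Return one event per auth-failure line; syslog has no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "user": m["user"],
            "rip": ipaddress.ip_address(m["rip"]),
            "attempts": int(m["attempts"]),
        })
    return events


def split_by_origin(events):
    """Loopback events were proxied by a local service; only remote ones carry the attacker IP."""
    local = [e for e in events if e["rip"].is_loopback]
    remote = [e for e in events if not e["rip"].is_loopback]
    return local, remote


def failures_per_ip(events):
    counts = defaultdict(int)
    for e in events:
        counts[str(e["rip"])] += e["attempts"]
    return dict(counts)


def ban_candidates(events, maxretry=3, findtime=600, ignoreip=("127.0.0.0/8", "::1")):
    """Simplified fail2ban model: ban an IP once >= maxretry failures fall within
    findtime seconds. Addresses inside ignoreip (loopback by default) are never banned,
    which is why rip=127.0.0.1 lines can never lead to a ban."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    by_ip = defaultdict(list)
    for e in events:
        if any(e["rip"] in n for n in ignored):
            continue
        by_ip[e["rip"]].append(e)
    banned = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window, total = [], 0  # sliding window over the last findtime seconds
        for e in evs:
            window.append(e)
            total += e["attempts"]
            while (e["ts"] - window[0]["ts"]).total_seconds() > findtime:
                total -= window.pop(0)["attempts"]
            if total >= maxretry:
                banned.add(str(ip))
                break
    return sorted(banned)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    local, remote = split_by_origin(evs)
    print("proxied via localhost (attribute in qpsmtpd/sqpsmtpd or webmail logs):", len(local))
    print("remote failures per IP:", failures_per_ip(remote))
    print("would be banned:", ban_candidates(evs))
```

Feed it the dovecot lines from /var/log/messages: anything that ends up in the `local` list never reaches the ban list, and the only way to attribute those attempts to an external address is the log of the daemon that proxied the authentication, as the reply says.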

ReetP
Re: dovecot remote login ip address
« Reply #7 on: May 12, 2024, 12:29:07 AM »
Hi
I'm getting around 3000 failed imap login attempts everyday, such as these

If you read/searched here you'd have seen several posts on the subject.

It relates originally to a segfault bug with cvm-unix, which we used to use for authentication.

The package is no longer maintained, so a few months back we switched to using dovecot/imap authentication.

You are just seeing (hacker) login failures in dovecot logs, and not in other mail logs as before.

Make sure you only use SSMTP (port 465) with authentication for sending mail.

Fail2ban will deal with hackers. Or xt_geoip to block them entirely.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

robf355
Re: dovecot remote login ip address
« Reply #8 on: May 13, 2024, 09:59:37 AM »
Thanks for the advice, I'll try both the packages mentioned

robf355
Re: dovecot remote login ip address
« Reply #9 on: May 15, 2024, 09:30:00 AM »
Fail2ban installed, attempts dropped by 2/3rds, thanks for the help 8-)

ReetP
Re: dovecot remote login ip address
« Reply #10 on: May 15, 2024, 05:07:12 PM »
Fail2ban installed, attempts dropped by 2/3rds, thanks for the help 8-)

Excellent news.

xt_geoip is very effective too ;-)

You can see the worst countries and just block them entirely.

Jean-Philippe Pialasse (aka Unnilennium)
Re: dovecot remote login ip address
« Reply #11 on: May 15, 2024, 08:26:26 PM »
What does this say?

config getprop qpsmtpd Authentication

robf355
Re: dovecot remote login ip address
« Reply #12 on: May 15, 2024, 08:59:49 PM »
[root@hpserver ~]# config getprop qpsmtpd Authentication
disabled

but on the server manager SMTP authentication is set to "Allow SSMTP (secure)"
Is there a different setting?

Jean-Philippe Pialasse (aka Unnilennium)
Re: dovecot remote login ip address
« Reply #13 on: May 15, 2024, 09:34:24 PM »
No, I was just confirming.

I am just surprised you get hammered on port 465, as this is the only other service using IMAP as auth.

Fail2ban reduces the load, but the last step is as suggested by John: xt_geoip. You can limit the IMAP/SMTPS ports to only your country, which would also reduce the load.
If someone in your company needs to travel abroad, he needs to tell you so you can open it for his destination.

robf355
Re: dovecot remote login ip address
« Reply #14 on: May 15, 2024, 09:44:02 PM »
I've installed xt_geoip, so we'll see how it goes

Jean-Philippe Pialasse (aka Unnilennium)
Re: dovecot remote login ip address
« Reply #15 on: May 16, 2024, 02:34:49 AM »
I've installed xt_geoip, so we'll see how it goes

Installed, or installed and configured following the wiki closely? Be careful not to lock out any legitimate traffic, like on ports 80, 443 and 25.

robf355
Re: dovecot remote login ip address
« Reply #16 on: May 16, 2024, 11:22:30 AM »
Installed, or installed and configured following the wiki closely? Be careful not to lock out any legitimate traffic, like on ports 80, 443 and 25.
Installed and configured following the wiki closely.

robf355
Re: dovecot remote login ip address
« Reply #17 on: May 16, 2024, 11:51:46 AM »
It seems that fail2ban isn't running.
/var/log/messages:

May 16 11:38:27 hpserver fail2ban-server: 2024-05-16 11:38:27,495 fail2ban                [2088]: ERROR   Failed during configuration: Have not found any log file for smanager jail
May 16 11:38:27 hpserver fail2ban-server: 2024-05-16 11:38:27,503 fail2ban                [2088]: ERROR   Async configuration of server failed

/var/log/fail2ban/daemon.log exists - zero length, owned by root:root, permissions 0600

fail2ban-client start

2024-05-16 11:44:22,331 fail2ban                [2140]: ERROR   Failed during configuration: Have not found any log file for smanager jail

I found an issue on GitHub:
https://github.com/fail2ban/fail2ban/issues/2756
which mentions changing the backend from auto to systemd; this fixed the starting issue.

I created a custom template in
/etc/e-smith/templates-custom/etc/fail2ban/jail.conf/99Backend
with backend=systemd
then
expand-template /etc/fail2ban/jail.conf
signal-event fail2ban-conf

Fail2ban is now running
fail2ban-client status:
[root@hpserver jail.conf]# fail2ban-client status
2024-05-16 12:21:43,881 fail2ban.configreader   [3146]: WARNING 'socket' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.sock'
2024-05-16 12:21:43,881 fail2ban.configreader   [3146]: WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
2024-05-16 12:21:43,882 fail2ban.configreader   [3146]: WARNING 'loglevel' not defined in 'Definition'. Using default one: 'INFO'
2024-05-16 12:21:43,882 fail2ban.configreader   [3146]: WARNING 'logtarget' not defined in 'Definition'. Using default one: '/var/log/fail2ban.log'
2024-05-16 12:21:43,882 fail2ban.configreader   [3146]: WARNING 'syslogsocket' not defined in 'Definition'. Using default one: 'auto'
Status
|- Number of jail:      14
`- Jail list:   http-auth, http-badbots, http-fakegooglebot, http-noscript, http-overflows, http-scan, http-shellshock, imap, pam-generic, qpsmtpd, recidive, smanager, ssh, ssh-ddos

Are the warnings OK to ignore?
« Last Edit: May 16, 2024, 01:24:22 PM by robf355 »

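The custom-template steps in the post above (a 99Backend fragment under /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/, then expand-template and signal-event), modelled as an added Python example. This is not SME's expand-template, which runs each fragment through Text::Template; the model only concatenates plain-text fragments. It shows the two rules that matter for this kind of fix: fragments for one target file are concatenated in lexical order, so a fragment named 99Backend lands at the end of the generated file, and a templates-custom fragment with the same name as a base fragment replaces it, which is how you change a key a base fragment already sets instead of defining it twice. Apart from 99Backend and backend = systemd, the fragment names and contents are constructed. The post does not show which section the end of jail.conf falls in, so after expand-template read the generated /etc/fail2ban/jail.conf and confirm the key sits where fail2ban will pick it up.

```python
import os
import tempfile


def render_template(root, path):
    """Model of e-smith template expansion for plain-text fragments (constructed).

    Fragments live in <root>/templates/<path>/ and <root>/templates-custom/<path>/.
    All fragment names are merged, sorted, and concatenated; when both trees hold
    a fragment of the same name, the templates-custom copy wins.
    """
    base = os.path.join(root, "templates", path)
    custom = os.path.join(root, "templates-custom", path)
    names = set()
    for d in (base, custom):
        if os.path.isdir(d):
            names.update(os.listdir(d))
    out = []
    for name in sorted(names):
        src = os.path.join(custom, name)
        if not os.path.exists(src):
            src = os.path.join(base, name)
        with open(src) as fh:
            out.append(fh.read())
    return "".join(out)


def template_value(root, path, key):
    """Last value assigned to key in the rendered file (later fragments override)."""
    value = None
    for line in render_template(root, path).splitlines():
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == key:
                value = v
    return value


def make_demo():
    """Build a sandbox mirroring the post: base fragments (constructed names) plus
    the templates-custom 99Backend fragment, and a custom 20Limits that replaces
    the base fragment of the same name to change an existing key."""
    root = tempfile.mkdtemp()
    target = "etc/fail2ban/jail.conf"
    base = os.path.join(root, "templates", target)
    custom = os.path.join(root, "templates-custom", target)
    os.makedirs(base)
    os.makedirs(custom)
    fragments = {
        os.path.join(base, "10Default"): "[DEFAULT]\nignoreip = 127.0.0.1/8\n",
        os.path.join(base, "20Limits"): "findtime = 600\nmaxretry = 3\n",
        os.path.join(custom, "20Limits"): "findtime = 600\nmaxretry = 5\n",   # overrides base 20Limits
        os.path.join(custom, "99Backend"): "backend = systemd\n",             # the fragment from the post
    }
    for fname, body in fragments.items():
        with open(fname, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = make_demo()
    print(render_template(demo_root, "etc/fail2ban/jail.conf"))
```

On a real SME box the equivalent check is to list /etc/e-smith/templates/etc/fail2ban/jail.conf/ to see which fragment names already exist, then compare the expanded /etc/fail2ban/jail.conf against what you expected before running signal-event.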
Jean-Philippe Pialasse (aka Unnilennium)
Re: dovecot remote login ip address
« Reply #18 on: May 16, 2024, 01:07:24 PM »
iptables/denylog.log

manager will display a summary after one night.