Topic: dovecot remote login ip address

[robf355]

Hi
I'm getting around 3000 failed imap login attempts everyday, such as these
       clone: 1 Time(s)
       clotilde: 1 Time(s)
       cloudfront: 1 Time(s)
       cloudmail: 1 Time(s)
       clp: 1 Time(s)
       cmd: 1 Time(s)

The problem is I can't see the ip address. I've changed the dovecot log level to auth_debug_passwords=yes, by adding a custom template value but dovecot just displays the rip as 127.0.0.1

May  9 10:07:46 hpserver dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<oracle>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<1h5mwAEYFIp/AAAB>

I've searched the internet but couldn't find a solution. Can anyone advise
Regards
Rob

[mmccarn]

IMAP or SMTP access from 127.0.0.1 should be coming from some other service running on the server itself. 

For SMTP this might be a web comment form that is using the SME server for SMTP relay.

For IMAP this might be a webmail app like horde, roundcube, or rainloop. Or it could be a helpdesk or process automation app that is monitoring an IMAP mailbox.

[Jean-Philippe Pialasse]

IMAP on 127.0.0.1 is the auth service for both horde webmail and qpsmtpd.

so any hit on localhost should be filtered at one of these.

fail2ban is part of the answer. 

also check if you would not benefit from disallowing auth on port 25 as a lot of bruteforce occurs on this.

[robf355]

Thanks, for the suggestions, I only have horde installed, but there's nothing in the horde log directories, if i change my password and try to login it's recorded there as a failure.
I've disabled webmail access in the server manager and disabled and stopped the httpd service, and the messages are still appearing.
The httpd access and error folders don't show anything either.
Finally I unplugged the server, login attempts are still happening. The install was new sme10 install, migrated from another server,
I would attach outputs of
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
But I must be missing something because I can't see where you add attachments!

Any help would be appreciated

[Jean-Philippe Pialasse]

server only ? gateway?

if gateway both etehrner cable unplugged?

you did not told about smtp setting for auth

[robf355]

Hi
I am using sme in Server only mode.
I was in error about unplugging the cable, I have just rechecked and the messages stop.
I used tcpdump on both the sme box and the firewall, and all the login attempts come from Amazon AWS ip addresses, I suppose they could just be proxies of course.
You mention the smtp auth setting, do you mean the SMTP authentication in the server manager, if so I have it set to Allow SSMPT(secure)
You mention fail2ban, the contrib description mentions it uses the logs, would this have any effect if the dovecot log is saying the source is localhost?

[Jean-Philippe Pialasse]

if it says it is localhost then the issue is not imap auth but qpsmtpd / sqpsmtpd auth (as webmail is disabled and you do not mentionned having installed roundcube or another webmail) 
i invite you to check both daemon logs.

fail2ban does not ban localhost, but it will ban any remote ip on any monitored daemon. 

[ReetP]

Hi
I'm getting around 3000 failed imap login attempts everyday, such as these

If you read/searched here you'd have seen several posts on the subject.

It relates originally to a segfault bug with cvm-unix which we used to use for authentication.

The package is no longer maintained so a few months back we switched to using dovecot/imap authentication.

You are just seeing (hacker) login failures in dovecot logs, and not other mail logs as before.

Make sure you only use SSMTP - port 465  with authentication - for sending mail.

Fail2ban will deal with hackers. Or xt_geoip to block them.entirely.

[robf355]

Thanks for the advice, I'll try both the packages mentioned

[robf355]

Fail2ban installed, attempts dropped by 2/3rds, thanks for the help

[ReetP]

Fail2ban installed, attempts dropped by 2/3rds, thanks for the help

Excellent news.

xt_geoip is very effective too

You can see the worst countries and just block them entirely.

[Jean-Philippe Pialasse]

what says?

 config getprop qpsmtpd Authentication

 

[robf355]

[root@hpserver ~]# config getprop qpsmtpd Authentication
disabled

but on the server manager SMTP authentication is set to "Allow SSMTP (secure)"
Is there a different setting?

[Jean-Philippe Pialasse]

no, I was just confirming.

I am just suprised you get hamered on port 465 as this is the only other using the IMAP as auth.

Fail2ban reduce the load, but last step is as suggested by John: xt_geoip, you can limit IMAP/SMTPS port to only your country, this would reduce also the load.
If one of your company needs to travel abroad he needs to tell you so you open it for his destination

[robf355]

I've installed xt_geoip, so we'll see how it goes