Nick Jennings wrote:
> Hello,
>
> I just noticed a huge number of pop3-login and imap-login processes
> spawning and checked the logs and seemed to be getting completely
> hammered with failed connection attempts; at the end of this email is a
> small sample of some log output.
>
> Luckily this machine is not in production yet and so I just shut down
> the dovecot daemon. I was wondering if anyone could suggest any measures
> I can take to stop this kind of thing happening? Also, what kinds of
> risks does this sort of an attack expose me to? Could it bring my server
> down or could they actually break in?
>
> Thanks for any advice or suggestions, see log sample below.
> -Nick Jennings
>
> ==> audit/audit.log <==
> type=USER_AUTH msg=audit(1201707478.163:3883): user pid=24197 uid=0 auid=500 msg='PAM: authentication acct="?" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
> type=USER_AUTH msg=audit(1201707478.178:3884): user pid=24198 uid=0 auid=500 msg='PAM: authentication acct="?" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
> type=USER_AUTH msg=audit(1201707478.193:3885): user pid=24199 uid=0 auid=500 msg='PAM: authentication acct="mail" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
> type=USER_AUTH msg=audit(1201707478.194:3886): user pid=24200 uid=0 auid=500 msg='PAM: authentication acct="?" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
> type=USER_AUTH msg=audit(1201707478.196:3887): user pid=24202 uid=0 auid=500 msg='PAM: authentication acct="?" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
> type=USER_AUTH msg=audit(1201707478.197:3888): user pid=24203 uid=0 auid=500 msg='PAM: authentication acct="?" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
> type=USER_AUTH msg=audit(1201707478.197:3889): user pid=24201 uid=0 auid=500 msg='PAM: authentication acct="?" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
>
>
> ==> secure <==
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:207.234.131.201
> Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:207.234.131.201
> Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abuse
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:207.234.131.201
> Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webtest
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:207.234.131.201
> Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user www
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:207.234.131.201
> Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user www
>
> ==> maillog <==
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<office>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.109
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<account>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.106
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<contact>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.107
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<access>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.99
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<abuse>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.98
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<service>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.108
> Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.106
It looks like an attempt to enumerate account/passwords.
Since you said (in another post) you run a public service, the chances
of success are quite good.
If dovecot can limit the number of accesses on any basis (account name,
source IP address) use that.
You can use iptables to rate-limit incoming connexions. I only
maintain private services without many users, so I can use a low threshold.
The limit's per rule, you could use lower thresholds for areas where you
have few clients.
There is a third-party package (FOSS I'm sure) that someone mentioned on
another (probably fedora) list; aim google at a list of RH lists and
search for combinations of my name, iptables and (maybe) ssh, probably
you will find it. Reportedly it can limit access from individual IP
addresses. I presume it reads your log files.
--
Cheers
John
-- spambait
1aaaaaaa@(protected)
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
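John's reply describes two things: rate-limiting connections per source, and a log-reading tool that blocks individual addresses. The script below is an added example of the second approach, written for this page; it is not the tool John refers to, nor anything from the Dovecot or Red Hat projects. It parses maillog lines in the same format Nick quoted ("pop3-login: Aborted login: user=<...>, ... rip=..."), counts failures per source address in a sliding window, flags addresses that also try many different usernames (enumeration rather than one forgotten password), and renders an iptables DROP rule for each. The sample lines are constructed (TEST-NET addresses, no real traffic), the year is assumed because syslog timestamps omit it, and the thresholds and port list are assumptions to tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the format of the dovecot maillog lines quoted in the thread.
# 192.0.2.10 (TEST-NET-1) plays the attacker; 198.51.100.7 is one user mistyping a password.
SAMPLE_MAILLOG = """\
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<office>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:10.0.0.9
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<account>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:10.0.0.9
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<contact>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:10.0.0.9
Jan 30 09:37:56 srv1 dovecot: imap-login: Aborted login: user=<access>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:10.0.0.9
Jan 30 09:37:56 srv1 dovecot: pop3-login: Aborted login: user=<abuse>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:10.0.0.9
Jan 30 09:37:56 srv1 dovecot: pop3-login: Aborted login: user=<service>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:10.0.0.9
Jan 30 09:38:01 srv1 dovecot: pop3-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:198.51.100.7, lip=::ffff:10.0.0.9
Jan 30 09:40:12 srv1 dovecot: pop3-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:198.51.100.7, lip=::ffff:10.0.0.9
Jan 30 09:42:00 srv1 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=::ffff:198.51.100.7, lip=::ffff:10.0.0.9
"""

# Matches only failed logins; successful "Login:" lines and other daemons' lines are skipped.
ABORTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: Aborted login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\S+), rip=(?P<rip>[^,]+), lip=(?P<lip>\S+)$"
)

# Assumed port list: POP3, IMAP, IMAPS, POP3S. Block only mail ports so a false positive
# does not cut an address off from everything else on the host.
MAIL_PORTS = "110,143,993,995"


def normalize_ip(ip):
    """Dovecot on a dual-stack listener logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    Strip the prefix so the address matches what iptables (not ip6tables) sees."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_failures(text, year=2008):
    """Return [(timestamp, source_ip, username)] for every aborted login in the log text.
    Syslog timestamps carry no year, so the caller supplies one (assumed default 2008)."""
    events = []
    for line in text.splitlines():
        m = ABORTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, normalize_ip(m.group("rip")), m.group("user")))
    return events


def find_offenders(events, max_failures=5, window_seconds=60):
    """Sliding-window failure count per source IP.
    Returns {ip: {"count", "users", "tripped_at"}} for each IP whose failures
    within any window_seconds span exceeded max_failures (thresholds are assumptions)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username that ip has tried
    offenders = {}
    for ts, ip, user in sorted(events):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # expire failures older than the window
        if len(q) > max_failures and ip not in offenders:
            offenders[ip] = {"count": len(q), "users": set(users[ip]), "tripped_at": ts}
    return offenders


def suspicious_usernames(offenders, min_distinct=4):
    """Offenders that cycled through many distinct usernames: account enumeration,
    not a single user who forgot a password."""
    return {ip: sorted(d["users"]) for ip, d in offenders.items() if len(d["users"]) >= min_distinct}


def iptables_rules(offenders):
    """Render one DROP rule per offender as a command string (nothing is executed here)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {MAIL_PORTS} -j DROP"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_MAILLOG))
    for ip, info in offenders.items():
        print(f"{ip}: {info['count']} failures by {info['tripped_at']:%H:%M:%S}, "
              f"users tried: {sorted(info['users'])}")
    for rule in iptables_rules(offenders):
        print(rule)
```

With the constructed sample, the attacker trips on its sixth failure at 09:37:56 and gets a rule; the user who failed twice over two minutes does not. In a real deployment the same window-and-threshold logic belongs in a daemon that tails the log and also expires its DROP rules, and the per-rule rate limiting John mentions can be done in the firewall alone with the iptables `recent` module (`--set` on new connections to the mail ports, then `--update --seconds 60 --hitcount 5 -j DROP`), which catches connection floods before Dovecot ever forks a login process.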