Posted to server-user@james.apache.org by Bernd Waibel <BW...@intarsys.de> on 2016/09/21 07:58:56 UTC
Re: strange AUTH LOGIN attempts [unsigned]
Hi,
welcome to the world of mail! Yes, these are AUTH LOGIN attacks.
We have a lot of them in our production environment....
These attacks are really silly attacks, because they just want to guess user and password.
Because there are no "standard users" with "standard passwords" in James, this is not very effective.
The attacks could be ignored if you have strong passwords.
But I personally don't like them, and so I just block them. ;-)
We block any IP address for 7 days (604800 seconds) if they make a failed AUTH LOGIN attempt more than 1 time.
Maybe 7 days is a little bit strict, but, ok, we do not have mailboxes, and we do not have AUTH LOGIN.
For that we use "fail2ban", running on Linux.
Fail2ban just scans logfiles, and blocks any IP address (using iptables) completely if an attempt occurred more than x times.
We did a very short extension to James2 (because James2 did not log the IP on an AUTH LOGIN).
The code is currently not on GitHub, sorry, I just did not have time to push it there.
But James3 does offer the IP address, so Fail2ban could be used without changing the AUTH handler.
I wrote some documentation, please see:
http://wiki.intarsys.de/confluence/display/SMG/Firewall
(Sorry, most pages there are in German language, but this single description is in English. Now.)
This is not an advertisement. It is just documented there.
You need to change the regex for James3, just work to do.
Just to think about.
Best regards
Bernd Waibel
-----Original Message-----
From: li hai ming [mailto:haiming.li@outlook.com]
Sent: Wednesday, 21 September 2016 08:06
To: 'James Users List' <se...@james.apache.org>
Subject: strange AUTH LOGIN attempts
Hi,
We now have v3-beta4 up and running.
However from james-server.log, we found there are a lot of unexpected AUTH LOGIN attempts from various strange sources.
Are those attacks?
Suggestions?
##
INFO 00:06:22,975 | james.smtpserver | Id='2098591536' User='' Connection established from 187.252.93.3
INFO 00:06:26,133 | james.smtpserver | Id='2098591536' User='' Connection closed for 187.252.93.3
INFO 00:15:33,880 | james.smtpserver | Id='509431079' User='' Connection established from 61.178.63.245
ERROR 00:15:34,296 | james.smtpserver | Id='509431079' User='' AUTH method LOGIN failed from cyrus@61.178.63.245
INFO 00:15:34,386 | james.smtpserver | Id='509431079' User='' Connection closed for 61.178.63.245
INFO 00:21:14,836 | james.pop3server | Id='49137796' User='' Connection established from 80.82.64.102
INFO 00:21:16,996 | james.pop3server | Id='49137796' User='info@sinceritylife.com' Connection closed for 80.82.64.102
INFO 00:23:54,475 | james.pop3server | Id='918936989' User='' Connection established from 103.7.29.243
INFO 00:23:54,484 | james.pop3server | Id='918936989' User='' Connection closed for 103.7.29.243
INFO 00:29:19,918 | james.smtpserver | Id='413543743' User='' Connection established from 104.46.59.55
ERROR 00:29:21,673 | james.smtpserver | Id='413543743' User='' AUTH method LOGIN failed from postmaster@104.46.59.55
INFO 00:29:22,108 | james.smtpserver | Id='413543743' User='' Connection closed for 104.46.59.55
INFO 00:30:31,950 | james.smtpserver | Id='716855054' User='' Connection established from 189.209.180.242
ERROR 00:30:34,510 | james.smtpserver | Id='716855054' User='' AUTH method LOGIN failed from test@189.209.180.242
INFO 00:30:34,902 | james.smtpserver | Id='716855054' User='' Connection closed for 189.209.180.242
INFO 00:31:35,160 | james.smtpserver | Id='610922472' User='' Connection established from 201.229.95.217
INFO 00:31:40,163 | james.smtpserver | Id='610922472' User='' Connection closed for 201.229.95.217
INFO 00:32:41,364 | james.smtpserver | Id='1318912965' User='' Connection established from 61.178.63.245
ERROR 00:32:41,763 | james.smtpserver | Id='1318912965' User='' AUTH method LOGIN failed from scanner@61.178.63.245
INFO 00:32:41,865 | james.smtpserver | Id='1318912965' User='' Connection closed for 61.178.63.245
INFO 00:34:57,947 | james.smtpserver | Id='270448469' User='' Connection established from 190.5.243.186
ERROR 00:34:59,908 | james.smtpserver | Id='270448469' User='' AUTH method LOGIN failed from aa@190.5.243.186
INFO 00:35:00,429 | james.smtpserver | Id='270448469' User='' Connection closed for 190.5.243.186
INFO 00:36:05,353 | james.smtpserver | Id='452588681' User='' Connection established from 118.71.251.67
ERROR 00:36:05,792 | james.smtpserver | Id='452588681' User='' AUTH method LOGIN failed from test1@118.71.251.67
INFO 00:36:05,899 | james.smtpserver | Id='452588681' User='' Connection closed for 118.71.251.67
INFO 00:37:12,101 | james.smtpserver | Id='1188738536' User='' Connection established from 146.164.144.232
ERROR 00:37:17,645 | james.smtpserver | Id='1188738536' User='' AUTH method LOGIN failed from reception@146.164.144.232
INFO 00:37:18,952 | james.smtpserver | Id='1188738536' User='' Connection closed for 146.164.144.232
INFO 00:38:21,867 | james.smtpserver | Id='464398686' User='' Connection established from 187.51.48.114
ERROR 00:38:23,612 | james.smtpserver | Id='464398686' User='' AUTH method LOGIN failed from backup@187.51.48.114
INFO 00:38:24,046 | james.smtpserver | Id='464398686' User='' Connection closed for 187.51.48.114
INFO 00:39:35,275 | james.smtpserver | Id='1748387045' User='' Connection established from 187.51.48.114
ERROR 00:39:37,443 | james.smtpserver | Id='1748387045' User='' AUTH method LOGIN failed from user@187.51.48.114
##
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
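The fail2ban setup Bernd describes, as an added example that is not from the thread or from the James or fail2ban projects: a Python replay of his rule, with the James 3 "AUTH method LOGIN failed" line matched by a regex and then maxretry/findtime/bantime applied per IP, including the automatic un-ban he mentions in his reply to David. Assumptions: the findtime value, the constructed sample log lines (documentation addresses only), and that fail2ban additionally needs a datepattern for the time-only stamp.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Pattern for the James 3 "AUTH method LOGIN failed" line quoted in the thread.
# The named group "host" is what a fail2ban failregex writes as <HOST>.
JAMES3_AUTH_FAIL = re.compile(
    r"^ERROR (?P<time>\d{2}:\d{2}:\d{2},\d{3}) \| james\.\w+server \| "
    r"Id='\d+' User='[^']*' AUTH method \S+ failed from "
    r"\S+?@(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
# The same rule in fail2ban's failregex form (assumption: a datepattern for the
# time-only stamp is also needed; check both with fail2ban-regex before use).
FAIL2BAN_FAILREGEX = r"AUTH method \S+ failed from \S+@<HOST>\s*$"

# Bernd's settings: ban after more than one failure, for 604800 s (7 days).
# fail2ban bans when the count reaches maxretry, so "more than 1" is 2.
# findtime is not given in the thread; 10 minutes is fail2ban's default.
MAXRETRY = 2
BANTIME = timedelta(seconds=604800)
FINDTIME = timedelta(minutes=10)
DAY = date(2016, 9, 21)  # the log format carries no date, so one is supplied

# Constructed sample log modelled on the question (documentation addresses only).
SAMPLE_LOG = """\
INFO 00:15:33,880 | james.smtpserver | Id='1' User='' Connection established from 192.0.2.10
ERROR 00:15:34,296 | james.smtpserver | Id='1' User='' AUTH method LOGIN failed from cyrus@192.0.2.10
ERROR 00:29:21,673 | james.smtpserver | Id='2' User='' AUTH method LOGIN failed from postmaster@198.51.100.7
ERROR 00:32:41,763 | james.smtpserver | Id='3' User='' AUTH method LOGIN failed from scanner@192.0.2.10
ERROR 00:38:23,612 | james.smtpserver | Id='4' User='' AUTH method LOGIN failed from backup@192.0.2.20
INFO 00:38:24,046 | james.smtpserver | Id='4' User='' Connection closed for 192.0.2.20
ERROR 00:39:37,443 | james.smtpserver | Id='5' User='' AUTH method LOGIN failed from user@192.0.2.20
""".splitlines()

def parse_failures(lines, day=DAY):
    """Return sorted (timestamp, ip) pairs for every failed AUTH line."""
    found = []
    for line in lines:
        m = JAMES3_AUTH_FAIL.match(line)
        if m:
            t = datetime.strptime(m.group("time"), "%H:%M:%S,%f").time()
            found.append((datetime.combine(day, t), m.group("host")))
    return sorted(found)

def compute_bans(lines, day=DAY, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log like a fail2ban jail: an IP is banned once it reaches
    `maxretry` failures within `findtime`, and the ban lapses `bantime` later
    (the automatic un-ban David asked about). Returns {ip: ban_expiry}."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside findtime
    bans = {}
    for ts, ip in parse_failures(lines, day):
        if ip in bans and ts < bans[ip]:
            continue  # still banned: iptables would have dropped the packet anyway
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            recent[ip] = []
    return bans

def is_banned(bans, ip, at):
    """True while `ip` is inside its ban window at time `at`."""
    return ip in bans and at < bans[ip]
```

With the default 10-minute findtime only 192.0.2.20 is banned; 192.0.2.10 fails twice as well, but 17 minutes apart, which shows that findtime matters as much as maxretry when tuning the jail.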
Re: Re: strange AUTH LOGIN attempts [unsigned]
Posted by Bernd Waibel <BW...@intarsys.de>.
Hi David,
you're welcome.
Fail2ban does an un-ban after a while.
So the IPs are blocked only for the "bantime" seconds, then they are freed.
Fail2ban is really good for the daily attacks, and for the "try a password" attempts.
It does not help if you get attacked by a botnet with the aim of a DDoS.
Bad times, since we get Crime-as-a-Service.
Best regards
Bernd Waibel
-----Original Message-----
From: David Legg [mailto:david.legg@searchevent.co.uk]
Sent: Thursday, 22 September 2016 19:51
To: server-user@james.apache.org
Subject: Re: Re: strange AUTH LOGIN attempts [unsigned]
Hi Bernd,
Thanks for the fail2ban tip!
Out of curiosity do you un-ban the failed IP addresses after a while?
My worry would be that iptables would slow down a lot if it had to scan
several thousand IP addresses for every packet it received?
In the early days it was possible to manually ban certain IP addresses
if they were a menace. These days the botnets seem to be able to
attack the mail server with thousands of unique IP addresses.
Regards,
David Legg
Re: Re: strange AUTH LOGIN attempts [unsigned]
Posted by David Legg <da...@searchevent.co.uk>.
Hi Bernd,
Thanks for the fail2ban tip!
Out of curiosity do you un-ban the failed IP addresses after a while?
My worry would be that iptables would slow down a lot if it had to scan
several thousand IP addresses for every packet it received?
In the early days it was possible to manually ban certain IP addresses
if they were a menace. These days the botnets seem to be able to
attack the mail server with thousands of unique IP addresses.
Regards,
David Legg