Koozali.org: home of the SME Server

qpsmtpd - default 'helo' configuration seems to allow dictionary attack

mmccarn
Re: qpsmtpd - default 'helo' configuration seems to allow dictionary attack
« Reply #15 on: September 05, 2017, 02:20:32 PM »
Updates:

1) Email relay from RBL hosts
For what it's worth, I found an entry in my notes from a year or so ago that mobile users using T-Mobile as their cell phone provider were sending email from hosts that would otherwise have been blocked by the 'dnsbl' plugin.  I don't know if this would also apply to the 'helo' plugin if 'HeloReject' is set to '1' instead of 'naughty'.

2) Slow-motion dictionary attacks
I am still getting a consistent 120 failed authentication attempts against qpsmtpd per day.  While it will take a long, long time for an attacker to guess a usable username/password combination on my server, it worries me that someone thinks this is worth doing... especially since the attack seems to have been intentionally slowed down to avoid being banned by fail2ban - which was set to ban for 4 hours after 9 failed attempts in any single hour.
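The slow-motion pattern described above, as an added example that is not code from this thread, from SME Server or from fail2ban: a simulation of fail2ban's maxretry/findtime counting with the parameters quoted in the post (9 failures in 3600 s, 14400 s ban), run over a constructed timeline of 120 evenly spaced failures per day. The treatment of failures during a ban (dropped, since the IP is firewalled) and the 24-hour threshold of 50 are assumptions for illustration.

```python
"""Simulate fail2ban's sliding-window counting against a low-and-slow login attacker.

Added example; not code from the forum thread, SME Server or fail2ban itself.
Assumption: a jail bans when `maxretry` failures from one IP fall inside any
`findtime`-second window, and a banned IP produces no log lines until unbanned.
"""
from collections import deque


def ban_events(fail_times, maxretry, findtime, bantime):
    """Return the times at which a jail would ban one IP, given its sorted failure times."""
    window = deque()          # failures still inside the findtime window
    bans = []
    banned_until = float("-inf")
    for t in fail_times:
        if t < banned_until:
            continue          # assumed: firewalled IP cannot log new failures
        window.append(t)
        while window and window[0] <= t - findtime:
            window.popleft()  # expire failures older than findtime
        if len(window) >= maxretry:
            bans.append(t)
            banned_until = t + bantime
            window.clear()
    return bans


def slow_attack(per_day, days=1):
    """Constructed timeline: `per_day` failures spread evenly over each 24 h (seconds)."""
    step = 86400 / per_day
    return [i * step for i in range(per_day * days)]


if __name__ == "__main__":
    attack = slow_attack(120)   # one attempt every 12 min = 5 per hour
    # Hourly jail from the thread: the window never holds more than 5 entries.
    hourly = ban_events(attack, maxretry=9, findtime=3600, bantime=14400)
    # A second, long-window threshold (assumed: 50 failures in 24 h) does trip.
    daily = ban_events(attack, maxretry=50, findtime=86400, bantime=14400)
    print("bans with 9/3600s:", hourly)   # []
    print("bans with 50/86400s:", daily)  # [35280.0, 84960.0]
```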

SchulzStefan
Re: qpsmtpd - default 'helo' configuration seems to allow dictionary attack
« Reply #16 on: October 23, 2017, 11:48:31 AM »
Quote
2) Slow-motion dictionary attacks
I am still getting a consistent 120 failed authentication attempts against qpsmtpd per day.  While it will take a long, long time for an attacker to guess a usable username/password combination on my server, it worries me that someone thinks this is worth doing... especially since the attack seems to have been intentionally slowed down to avoid being banned by fail2ban - which was set to ban for 4 hours after 9 failed attempts in any single hour.

Could you explain how you configured this?

I assume:

# config setprop fail2ban BanTime 14400
# config setprop fail2ban FindTime 3600
# signal-event fail2ban-conf

This seems to affect all jails:

2017-10-23 11:47:50,795 fail2ban.server         [13197]: INFO    Changed logging target to /var/log/fail2ban/daemon.log for Fail2ban v0.9.6
2017-10-23 11:47:50,796 fail2ban.database       [13197]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-10-23 11:47:50,798 fail2ban.jail           [13197]: INFO    Creating new jail 'ssh'
2017-10-23 11:47:50,836 fail2ban.jail           [13197]: INFO    Jail 'ssh' uses pyinotify {}
2017-10-23 11:47:50,873 fail2ban.jail           [13197]: INFO    Initiated 'pyinotify' backend
2017-10-23 11:47:50,875 fail2ban.filter         [13197]: INFO    Added logfile = /var/log/sshd/current
2017-10-23 11:47:50,876 fail2ban.filter         [13197]: INFO    Set maxRetry = 3
2017-10-23 11:47:50,880 fail2ban.filter         [13197]: INFO    Set findtime = 3600
2017-10-23 11:47:50,880 fail2ban.actions        [13197]: INFO    Set banTime = 14400
2017-10-23 11:47:50,881 fail2ban.filter         [13197]: INFO    Set maxlines = 10
2017-10-23 11:47:51,564 fail2ban.server         [13197]: INFO    Jail ssh is not a JournalFilter instance
2017-10-23 11:47:51,574 fail2ban.jail           [13197]: INFO    Creating new jail 'ssh-ddos'
2017-10-23 11:47:51,574 fail2ban.jail           [13197]: INFO    Jail 'ssh-ddos' uses pyinotify {}
2017-10-23 11:47:51,576 fail2ban.jail           [13197]: INFO    Initiated 'pyinotify' backend
2017-10-23 11:47:51,578 fail2ban.filter         [13197]: INFO    Added logfile = /var/log/sshd/current
2017-10-23 11:47:51,579 fail2ban.filter         [13197]: INFO    Set maxRetry = 3
2017-10-23 11:47:51,583 fail2ban.filter         [13197]: INFO    Set findtime = 3600
2017-10-23 11:47:51,583 fail2ban.actions        [13197]: INFO    Set banTime = 14400
2017-10-23 11:47:51,588 fail2ban.server         [13197]: INFO    Jail ssh-ddos is not a JournalFilter instance
2017-10-23 11:47:51,598 fail2ban.jail           [13197]: INFO    Creating new jail 'imap'
2017-10-23 11:47:51,598 fail2ban.jail           [13197]: INFO    Jail 'imap' uses pyinotify {}
2017-10-23 11:47:51,600 fail2ban.jail           [13197]: INFO    Initiated 'pyinotify' backend
2017-10-23 11:47:51,601 fail2ban.filter         [13197]: INFO    Added logfile = /var/log/dovecot/current
2017-10-23 11:47:51,603 fail2ban.filter         [13197]: INFO    Set maxRetry = 3
2017-10-23 11:47:51,606 fail2ban.filter         [13197]: INFO    Set findtime = 3600
2017-10-23 11:47:51,607 fail2ban.actions        [13197]: INFO    Set banTime = 14400
2017-10-23 11:47:51,679 fail2ban.server         [13197]: INFO    Jail imap is not a JournalFilter instance
2017-10-23 11:47:51,689 fail2ban.jail           [13197]: INFO    Creating new jail 'qpsmtpd'
2017-10-23 11:47:51,689 fail2ban.jail           [13197]: INFO    Jail 'qpsmtpd' uses pyinotify {}
2017-10-23 11:47:51,691 fail2ban.jail           [13197]: INFO    Initiated 'pyinotify' backend
2017-10-23 11:47:51,692 fail2ban.filter         [13197]: INFO    Added logfile = /var/log/qpsmtpd/current
2017-10-23 11:47:51,694 fail2ban.filter         [13197]: INFO    Added logfile = /var/log/sqpsmtpd/current
2017-10-23 11:47:51,695 fail2ban.filter         [13197]: INFO    Set maxRetry = 9
2017-10-23 11:47:51,699 fail2ban.filter         [13197]: INFO    Set findtime = 3600
2017-10-23 11:47:51,699 fail2ban.actions        [13197]: INFO    Set banTime = 14400
2017-10-23 11:47:51,713 fail2ban.jail           [13197]: INFO    Creating new jail 'http-overflows'
2017-10-23 11:47:51,713 fail2ban.jail           [13197]: INFO    Jail 'http-overflows' uses pyinotify {}
2017-10-23 11:47:51,715 fail2ban.jail           [13197]: INFO    Initiated 'pyinotify' backend
2017-10-23 11:47:51,717 fail2ban.filter         [13197]: INFO    Added logfile = /var/log/httpd/error_log
2017-10-23 11:47:51,718 fail2ban.filter         [13197]: INFO    Set maxRetry = 3
2017-10-23 11:47:51,722 fail2ban.filter         [13197]: INFO    Set findtime = 3600
2017-10-23 11:47:51,723 fail2ban.actions        [13197]: INFO    Set banTime = 14400
...

Does it make sense to alter only qpsmtpd? And if so, how could that be done?

regards,
stefan
« Last Edit: October 23, 2017, 11:54:14 AM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)