Koozali.org: home of the SME Server

Attacks from *.virtua.com.br

holck
Attacks from *.virtua.com.br
« on: November 23, 2017, 10:32:49 PM »
I have lots and lots of these attempts to login via qpsmtpd:

Code:
2017-11-23 18:37:11.686105500 26034 (deny) logging::logterse: ` 186.204.177.202 baccb1ca.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 18:37:13.089513500 26034 (deny) logging::logterse: ` 186.204.177.202 baccb1ca.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 19:00:52.895133500 27027 (deny) logging::logterse: ` 179.158.142.111 b39e8e6f.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 19:00:54.392623500 27027 (deny) logging::logterse: ` 179.158.142.111 b39e8e6f.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued

The same pattern goes on and on. Two attempts from one IP-address, a short break, two attempts from a new IP-address etc. etc. Fail2ban doesn't block these attempts because the IP-addresses change. I've counted well over 500 different IP-addresses in my log.

Does anyone have an opinion or a piece of good advice?

Jesper Holck, Denmark
« Last Edit: November 23, 2017, 10:54:07 PM by holck »
......

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Attacks from *.virtua.com.br
« Reply #1 on: November 24, 2017, 05:34:45 AM »
you can either change the rules and make them more strict

or you can use the fail2ban command line to ban those IPs if you feel this is an exceptional situation

janet
Re: Attacks from *.virtua.com.br
« Reply #2 on: November 24, 2017, 10:41:39 AM »
holck

Stop worrying. Did anyone who is not authorized actually gain access to your mail server ?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

mmccarn
Re: Attacks from *.virtua.com.br
« Reply #3 on: November 24, 2017, 12:55:52 PM »
The two IPs in your example are both in Brazil according to ipinfo.io.

The GeoIP contrib will let you block qpsmtpd from receiving email by country, but I don't know if that will affect authentication attempts.

Check for the offending IPs in the rest of the qpsmtpd log; on my server I found that the new "naughty" plugin was letting unwanted hosts attempt multiple logins from hosts that would otherwise have been blocked from connecting after 'helo':
https://forums.contribs.org/index.php/topic,53223.0.html

holck
Re: Attacks from *.virtua.com.br
« Reply #4 on: November 26, 2017, 09:55:10 AM »
Thanks for your good comments. None of these attempts have been successful - so far.

I consider the attack a slow brute-force attack. I can see in /var/log/cvm/current that the attack focuses on a limited number of accounts, some of which have been closed for some time, others still active.

I'm somewhat impressed by the number of IP-addresses involved. During the past two weeks, the attack has come from 735 different IP-addresses. Most addresses are only used for one or two attempts. The attack is still going on, from new IP-addresses.

Is there a way to block mail delivery from hosts where the reverse DNS of the IP address matches *.virtua.com.br? I guess no well-behaved mail server will be blocked by this?

Jesper Holck, Denmark

mmccarn
Re: Attacks from *.virtua.com.br
« Reply #5 on: November 26, 2017, 02:05:06 PM »
Quote from: perldoc /usr/share/qpsmtpd/plugins/logging/logterse
This info is then passed to the real logging subsystem as a single line with colon-separated fields as follows:

  1. remote ip
  2. remote hostname
  3. helo host
  4. envelope sender
  5. recipient (comma-separated list if more than one)
  6. name of plugin that called DENY, or the string 'queued' if message was accepted.
  7. return value of DENY plugin (empty if message was queued).
  8. the DENY message, or the message-id if it was queued.
  9. details of spamassassin scores if message was accepted or denied due to score requiring rejection, or 'msg denied before queued' if other rejections occur.

The third field in your examples - 'helohost' - is "127.0.0.1".

This would be denied by the 'helo' plugin if it was not configured to use 'naughty'.  The post I linked earlier is specifically aimed at reconfiguring 'helo' to prevent login attempts from malicious hosts like this.

Without changing the 'naughty' behavior, even adding '127.0.0.1' to /var/service/qpsmtpd/config/badhelo won't help.
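The field layout quoted above makes the denied AUTH lines from the first post easy to mine for the pattern holck describes (many source IPs, one or two attempts each, which a per-IP fail2ban threshold never reaches). The script below is an added example written for this thread; it is not code from the SME Server project or from any poster. It assumes the field order from the perldoc quote, that the envelope sender and recipient fields are empty on rejected AUTH attempts (as they are in the lines shown, which is why a whitespace-based regex over the forum's rendering works), and that grouping reverse-DNS names by their last three labels is a reasonable proxy for "*.virtua.com.br". The sample log embeds the four lines from the opening post plus constructed lines using RFC 5737 test addresses; the thresholds in `looks_distributed` are assumptions, not project defaults.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first four lines are the ones quoted in the opening
# post; the remaining lines are made up (RFC 5737 test addresses, example.net /
# example.org names) so that a second reverse-DNS domain and a non-logterse
# line are present.
SAMPLE_LOG = """\
2017-11-23 18:37:11.686105500 26034 (deny) logging::logterse: ` 186.204.177.202 baccb1ca.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 18:37:13.089513500 26034 (deny) logging::logterse: ` 186.204.177.202 baccb1ca.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 19:00:52.895133500 27027 (deny) logging::logterse: ` 179.158.142.111 b39e8e6f.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 19:00:54.392623500 27027 (deny) logging::logterse: ` 179.158.142.111 b39e8e6f.virtua.com.br  127.0.0.1                       auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2017-11-23 19:12:05.100000000 27100 (deny) logging::logterse: ` 198.51.100.9 198-51-100-9.dynamic.example.net  127.0.0.1  auth::auth_cvm_unix_local  901  auth failure (100)  msg denied before queued
2017-11-23 19:30:00.000000000 27200 (deny) logging::logterse: ` 203.0.113.7 mail.example.org  mail.example.org  auth::auth_cvm_unix_local  901  auth failure (100)  msg denied before queued
2017-11-23 19:31:00.000000000 27201 (constructed) this line is not a logterse record and is ignored
"""

# Assumption: fields follow the perldoc order (remote ip, remote hostname,
# helo host, sender, recipient, plugin, return value, message, details) and the
# sender/recipient fields are empty for rejected AUTH attempts. Field
# separators are tabs in the raw log; the forum rendering turned them into
# runs of spaces, so any whitespace run is accepted between fields.
LOGTERSE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<pid>\d+) \((?P<verdict>\w+)\) logging::logterse: ` "
    r"(?P<ip>\S+)\s+(?P<rdns>\S+)\s+(?P<helo>\S+)\s+"
    r"(?P<plugin>\S+)\s+(?P<rc>\d+)\s+(?P<message>\S.*?)(?:\t|\s{2,})(?P<details>\S.*)$"
)


def parse_logterse(line):
    """Return the named fields of a logterse line, or None if it is not one."""
    m = LOGTERSE_RE.match(line)
    return m.groupdict() if m else None


def rdns_domain(hostname, labels=3):
    """Reduce a reverse-DNS name to its last `labels` labels, so that
    baccb1ca.virtua.com.br and b39e8e6f.virtua.com.br group as virtua.com.br."""
    parts = hostname.split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else hostname


def summarize_auth_failures(lines):
    """Aggregate denied auth::* attempts by source IP, rDNS domain and HELO name."""
    attempts = Counter()               # attempts per remote IP
    ips_by_domain = defaultdict(set)   # distinct source IPs per rDNS suffix
    helo_names = Counter()             # what the client claimed in HELO/EHLO
    for line in lines:
        rec = parse_logterse(line)
        if rec is None or rec["verdict"] != "deny":
            continue
        if not rec["plugin"].startswith("auth::"):
            continue
        attempts[rec["ip"]] += 1
        ips_by_domain[rdns_domain(rec["rdns"])].add(rec["ip"])
        helo_names[rec["helo"]] += 1
    return {"attempts": attempts, "ips_by_domain": dict(ips_by_domain), "helo": helo_names}


def looks_distributed(summary, min_ips=3, max_per_ip=2, share=0.9):
    """The pattern from the thread: many source IPs, nearly all with only a
    couple of tries each. Per-IP bans (fail2ban's maxretry) never trigger on
    such traffic, so it is worth alerting on the aggregate instead.
    Thresholds are assumptions chosen for this example."""
    attempts = summary["attempts"]
    if len(attempts) < min_ips:
        return False
    low = sum(1 for n in attempts.values() if n <= max_per_ip)
    return low / len(attempts) >= share


def suspicious_helo(summary, local_names=("127.0.0.1",)):
    """Count attempts whose HELO name is the server's own loopback address:
    the case mmccarn says the 'helo' plugin would reject outright when its
    verdict is not deferred through 'naughty'."""
    return sum(n for helo, n in summary["helo"].items() if helo in local_names)


if __name__ == "__main__":
    s = summarize_auth_failures(SAMPLE_LOG.splitlines())
    print("distinct source IPs:", len(s["attempts"]))
    for domain, ips in sorted(s["ips_by_domain"].items()):
        print(f"  {domain}: {len(ips)} IP(s), "
              f"{sum(s['attempts'][ip] for ip in ips)} attempt(s)")
    print("attempts with a loopback HELO name:", suspicious_helo(s))
    print("distributed brute force suspected:", looks_distributed(s))
```

On a real SME Server the input would be the qpsmtpd log rather than the embedded sample; the useful outputs are the per-domain IP counts (which tell you whether a reverse-DNS based block would cover most of the sources) and the loopback-HELO count (which tells you how many of these connections the 'helo' plugin would have refused before AUTH if its denial were not deferred).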



SchulzStefan
Re: Attacks from *.virtua.com.br
« Reply #6 on: November 28, 2017, 10:35:12 AM »
Quote from: holck
Thanks for your good comments. None of these attempts have been successful - so far.

I consider the attack a slow brute-force attack. I can see in /var/log/cvm/current that the attack focuses on a limited number of accounts, some of which have been closed for some time, others still active.

I'm somewhat impressed by the number of IP-addresses involved. During the past two weeks, the attack has come from 735 different IP-addresses. Most addresses are only used for one or two attempts. The attack is still going on, from new IP-addresses.

Is there a way to block mail delivery from hosts where the reverse DNS of the IP address matches *.virtua.com.br? I guess no well-behaved mail server will be blocked by this?

Jesper Holck, Denmark

You might think about an external firewall. Something like pfsense or opnsense. Easy to block anything you want...
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Attacks from *.virtua.com.br
« Reply #7 on: November 28, 2017, 03:13:10 PM »
well SME has a firewall integrated, and hence can block anything you want without paying for an extra machine and the related electricity, and extra management, see
https://wiki.contribs.org/Firewall

while the naughty behavior is an improvement in a lot of situations, the particular case where nobody has to login from a remote location, or will not use port 25, makes me think of two things:

- either the default should be to keep helo host as deny, unless you set in the manager "allow remote auth before denying"
- or the option to deny before auth should be easily available and documented.

I suggest you open a NFR request for that.

SchulzStefan
Re: Attacks from *.virtua.com.br
« Reply #8 on: November 28, 2017, 05:40:00 PM »
Quote from: Jean-Philippe Pialasse
well SME has a firewall integrated, and hence can block anything you want without paying for an extra machine and the related electricity, and extra management, see
https://wiki.contribs.org/Firewall

I know.

On a server I like to have the sme-style, where still a lot of things can be done under the hood (cli). Speaking for me (and only for me), for a firewall I like to have a gui.

regards,
stefan

Jáder (LinuxFacil)
Re: Attacks from *.virtua.com.br
« Reply #9 on: December 09, 2017, 11:23:14 AM »
Quote from: mmccarn
The two IPs in your example are both in Brazil according to ipinfo.io.

Hi,
I live in Brazil, so let me tell you something: virtua.com.br is THE major cable company here. COUNTRY WIDE! So they have MILLIONS of users.

I suggest you find a workaround using naughty + helo OR BLOCK the entire domain (*.virtua.com.br).
Filtering by IP would prove daunting!
...

CharlieBrady
Re: Attacks from *.virtua.com.br
« Reply #10 on: December 12, 2017, 12:55:32 AM »
Quote from: Jáder
I suggest you find a workaround using naughty + helo OR BLOCK the entire domain (*.virtua.com.br).
Filtering by IP would prove daunting!

Or follow Janet's advice and stop worrying if nothing untoward has actually happened.