
Thread: BFM & Dovecot: Disconnected no auth attempts

    #1 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)

    Hello,

    We are facing a strange issue with BFM & Dovecot. An IP of a customer got blocked; during the investigation we did not find any attempts to log in with a wrong password, but we see a lot of similar messages on the BFM page in DirectAdmin:

    Code:
    pop3-login: Disconnected (no auth attempts in 110 secs): user=<>, rip=195.bb2.cc.69, lip=195.bb.cc.19, TLS: SSL_read() syscall failed: Connection timed out, session=<1V0sh2XJRQDDUp1F>
    pop3-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=195.bb.cc.69, lip=195.bb.cc.19, session=<Koa1DmPJUQDDUp1F>
    and so on:

    Code:
    Aborted login (auth failed, 1 attempts in 2 secs): 
    Disconnected (no auth attempts in 0 secs):
    Aborted login (no auth attempts in 0 secs):
    And here (http://wiki.dovecot.org/WhyDoesItNotWork) we can find some explanation:

    Aborted login (no auth attempts) means that the client isn't even attempting to log in. Most likely you have disable_plaintext_auth=yes (default) and the client isn't configured to use SSL/TLS (or you've also set ssl=no).

    So it seems we are facing an issue with SSL/TLS rather than a hacking attempt, but it seems DirectAdmin counts such messages and blocks the IP. Please check whether DirectAdmin really blocks the IP in such a case; I'd really like you to review this policy and maybe ignore such lines.
    Last edited by zEitEr; 09-11-2012 at 12:01 AM.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

    #2 (Join Date: Jun 2003, Location: California, Posts: 26,123)
    It may or may not be a hacking attempt, but if someone repeatedly tries to login using an unsupported protocol, what would you call it? My guess is that if someone is trying over and over again to log in to your server using an unsupported protocol, they're probably trying to get in, and not succeeding.

    And even if not, even if it's your user, wouldn't you want to know about it?

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

    #3 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)
    I was not successful in recreating the situation and I did not manage to make those lines appear with my IP, so I'm not really sure why these messages appear. In this case I can only rely on what is written on wiki.dovecot.org as the only real reason. Unless there is a vulnerability in Dovecot and somebody tries to use it.

    But still, as it said: if Dovecot is allowed to accept only SSL/TLS, why should we block a user if he/she tries to log in using an encrypted connection?
    With regards, Alex.


    #4 (Join Date: Jun 2003, Location: California, Posts: 26,123)
    Quote Originally Posted by zEitEr:
    But still, as it said: if Dovecot is allowed to accept only SSL/TLS, why should we block a user if he/she tries to log in using an encrypted connection?
    Possibly because he's someone trying to get in to your server? A bad guy, who you should want to block in case he tries some other method? Or possibly because he's a client of yours and will leave without notice or paying if he can't get his email?

    Note, Alex, that I'm not trying to tell you how to run your business; I'm only answering the question.

    Jeff

    #5 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)
    OK, this must be an invalid login:

    Code:
    Aborted login (auth failed, 1 attempts in 2 secs):
    Today's log contains only 3 such records.

    But, in logs I see more records with

    Code:
    Aborted login (no auth attempts
    and all of them are made with a TLS:

    Code:
    Sep 14 13:18:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<6mn7ZaPJpgAuMGYh>
    Sep 14 13:28:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<1vW0iaPJtQAuMGYh>

    OK, I've tested: I added a POP3 account into my mail program and disabled plain password authentication in its settings (but on the server I still have plain text authentication enabled), and this is the error message, translated with Google, which my program gave me:

    We could not send or receive messages for the account server.domain.com (admin). Program, Windows Live Mail could not log on to the server using Secure Password Authentication. Refer to the email service provider and make sure that it supports secure password authentication. To change this entry in the folder list, click the name of the account, right-click, and then click "Properties" from the context menu. In the menu "Properties", click the "Server" tab, and then in the "Incoming Mail Server" select input.

    The server responded:
    Server: 'server.domain.com'
    Error code of the program Mail Windows Live: 0x800CCC18
    Protocol: POP3
    Port: 110
    Protection (SSL): No
    And on server in logs I see:

    Code:
    Sep 14 14:20:17 server dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=11.11.11.11, lip=22.22.22.22, session=<oll6QaTJ5gDDPjQC>
    The same happens if I try to connect to Dovecot on port 110 with SSL enabled in the mail program.

    I'm not sure that this particular case should be treated as a brute force attack. What am I missing?

    Please, anybody who has anything else to say, don't hesitate to do it.
    With regards, Alex.


    #6 (Join Date: Sep 2012, Posts: 1)
    Quote Originally Posted by zEitEr:
    OK, this must be an invalid login:

    Code:
    Aborted login (auth failed, 1 attempts in 2 secs):
    Today's log contains only 3 such records.

    But, in logs I see more records with

    Code:
    Aborted login (no auth attempts
    and all of them are made with a TLS:

    Code:
    Sep 14 13:18:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<6mn7ZaPJpgAuMGYh>
    Sep 14 13:28:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<1vW0iaPJtQAuMGYh>
    Please, anybody who has anything else to say, don't hesitate to do it.

    I've had the same messages the past couple of days, and tracked it down to the fact that I updated the SSL cert for dovecot. Since my cert is self-signed, most clients will require you to manually accept it at least once, and will bail out after the SSL negotiation but before the auth stage otherwise.

    In my specific client (K-9 mail on android) I had to explicitly go through the account settings again to make it show me the "invalid certificate" warning; getting mail would just fail silently with the "no auth attempts" message logged on the server.

    #7 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)
    OK, that might be the reason; anyway, that's very near to my situation. Yes, I've checked it with SSL. I'm not even sure what cert is installed there for Exim and Dovecot, but its last-modified date goes back to 2010. And if I don't accept the cert in my mail program, it gives the error:

    Code:
    Sep 14 22:17:52 shared1 dovecot: pop3-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=11.11.11.11, lip=22.22.22.22, TLS: SSL_read() syscall failed: Connection reset by peer, session=<FNx47arJ4gBtrj4Z>
    So again we have here

    Code:
    Disconnected (no auth attempts
    And what if for a moment we imagine a situation where a valid cert has expired and a mail program still tries to connect to the server... and if we multiply these tries by the number of computers in a small organization, where all workers connect to the internet through a single router with one external IP. If one single user checks email once per 5 minutes, we've got 12 tries per hour from him; for an organization of 10 employees it would be 120 tries per hour, and the IP gets blocked within one hour. Then an administrator of the organization should check what happens and contact us.... it takes time. Of course it would be our fault not to keep the cert updated... but nevertheless I really think the brute force policy should be reviewed.
    With regards, Alex.

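As an added example for this thread (not Dovecot's or DirectAdmin BFM's code), the Python below parses the Dovecot pop3-login lines quoted in posts #1, #5 and #7 and separates sessions where a password was actually rejected ("auth failed, N attempts") from sessions that never reached authentication ("no auth attempts": wrong port/SSL setting, certificate not accepted, timeout). It then scores the office scenario from post #7 two ways: counting every matching line, and counting only rejected passwords. The IPs (RFC 5737 ranges), users, session ids, volumes and the threshold of 100 are constructed sample values, not BFM's settings.

```python
"""Classify Dovecot login-process lines before counting them as brute-force evidence.

Added example for this thread; it is not Dovecot's or DirectAdmin BFM's code.
The line formats are the ones quoted in the thread. IPs (RFC 5737 ranges),
users, session ids and counts are constructed sample data.
"""
import re
from collections import defaultdict

# "(auth failed, 1 attempts in 2 secs)": a password was actually rejected.
AUTH_FAILED_RE = re.compile(r"\(auth failed, (\d+) attempts? in \d+ secs\)")
# "(no auth attempts in 5 secs)": the client never sent credentials
# (wrong port/SSL setting, certificate not accepted, timeout).
NO_AUTH_RE = re.compile(r"\(no auth attempts in \d+ secs\)")
RIP_RE = re.compile(r"\brip=([0-9a-fA-F.:]+)")
# "TLS: SSL_read() syscall failed: Connection reset by peer, session=<...>"
TLS_ERROR_RE = re.compile(r"TLS: (.+?), session=<")


def classify(line):
    """Parse one pop3-login/imap-login line; return None if it carries no rip=."""
    rip_m = RIP_RE.search(line)
    if not rip_m:
        return None
    tls_err = TLS_ERROR_RE.search(line)
    event = {
        "rip": rip_m.group(1),
        "kind": "other",
        "attempts": 0,                 # rejected passwords in this session
        "tls": ", TLS" in line,        # TLS handshake happened, with or without error
        "tls_error": tls_err.group(1) if tls_err else None,
    }
    m = AUTH_FAILED_RE.search(line)
    if m:
        event["kind"], event["attempts"] = "auth_failed", int(m.group(1))
    elif NO_AUTH_RE.search(line):
        event["kind"] = "no_auth"
    return event


def score(lines, threshold):
    """Per-IP tallies with two block decisions: 'naive' counts every matching
    line (what the thread reports BFM doing), 'strict' counts only rejected
    passwords. Both are compared against the same threshold."""
    per_ip = defaultdict(lambda: {"lines": 0, "auth_failed": 0, "no_auth": 0,
                                  "tls_errors": defaultdict(int)})
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        rec = per_ip[ev["rip"]]
        rec["lines"] += 1
        if ev["kind"] == "auth_failed":
            rec["auth_failed"] += ev["attempts"]
        elif ev["kind"] == "no_auth":
            rec["no_auth"] += 1
        if ev["tls_error"]:
            rec["tls_errors"][ev["tls_error"]] += 1
    return {
        ip: {
            "auth_failed": rec["auth_failed"],
            "no_auth": rec["no_auth"],
            "tls_errors": dict(rec["tls_errors"]),
            "block_naive": rec["lines"] >= threshold,
            "block_strict": rec["auth_failed"] >= threshold,
        }
        for ip, rec in per_ip.items()
    }


# Constructed sample: the scenario from the thread, an office NAT whose ten
# clients poll every five minutes and all fail the TLS step after a certificate
# change (120 lines in an hour), plus one host that is really guessing passwords.
OFFICE_IP, GUESSER_IP, LIP = "198.51.100.7", "203.0.113.9", "192.0.2.10"


def office_line(i):
    return (f"Sep 14 22:{i % 60:02d}:52 shared1 dovecot: pop3-login: Disconnected "
            f"(no auth attempts in 5 secs): user=<>, rip={OFFICE_IP}, lip={LIP}, "
            f"TLS: SSL_read() syscall failed: Connection reset by peer, session=<off{i:03d}>")


def guesser_line(i):
    return (f"Sep 14 22:{i % 60:02d}:10 shared1 dovecot: pop3-login: Aborted login "
            f"(auth failed, 4 attempts in 8 secs): user=<admin>, rip={GUESSER_IP}, "
            f"lip={LIP}, session=<gus{i:03d}>")


SAMPLE_LINES = [office_line(i) for i in range(120)] + [guesser_line(i) for i in range(30)]


def demo(threshold=100):
    return score(SAMPLE_LINES, threshold)


if __name__ == "__main__":
    for ip, rec in demo().items():
        print(ip, rec)
```

With the constructed data the line-counting rule blocks the office IP (120 lines, zero rejected passwords) and does not block the guessing host (30 lines carrying 120 rejected passwords), while the rejected-password rule does the opposite. The tls_errors tally is the operator's hint: many "Connection reset by peer" right after a TLS handshake from one IP points at a certificate the clients refuse, which is the situation post #6 describes.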

    #8 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)
    With ProFTPd we also get wrong counting when MaxLoginAttempts is set to 1:

    Code:
            #
            # The MaxLoginAttempts directive configures the maximum number of times a client may
            # attempt to authenticate to the server during a given connection. After the number
            # of attempts exceeds this value, the user is disconnected and an appropriate message
            # is logged via the syslog mechanism.
            MaxLoginAttempts        1
    Here you can see:

    Code:
    13488505810000	61.bb.cc.231	user1	1	proftpd1	Sep 26 01:43:46 da proftpd[11894]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
    13488505810001	61.bb.cc.231		1	proftpd3	Sep 26 01:43:46 da proftpd[11894]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
    13488505810002	61.bb.cc.231	user1	1	proftpd1	Sep 26 01:44:27 da proftpd[13556]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
    13488505810003	61.bb.cc.231		1	proftpd3	Sep 26 01:44:27 da proftpd[13556]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
    13488505820030	61.bb.cc.231	user1	1	proftpd1	Sep 27 14:17:47 da proftpd[20007]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
    13488505820031	61.bb.cc.231		1	proftpd3	Sep 27 14:17:47 da proftpd[20007]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
    13488505820032	61.bb.cc.231	user1	1	proftpd1	Sep 28 04:12:10 da proftpd[20411]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
    13488505820033	61.bb.cc.231		1	proftpd3	Sep 28 04:12:10 da proftpd[20411]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
    13488505820034	61.bb.cc.231	user1	1	proftpd1	Sep 28 04:51:22 da proftpd[9649]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
    13488505820035	61.bb.cc.231		1	proftpd3	Sep 28 04:51:22 da proftpd[9649]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused

    Every login try is counted twice, which is definitely wrong as I see it.
    So please consider fixing it also.
    With regards, Alex.

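As an added example for the double counting shown above (not ProFTPD's or DirectAdmin BFM's code), the Python below parses ProFTPD lines in the format quoted in this post and counts login failures per connection rather than per log line: the "USER ...: no such user found" line and the "Maximum login attempts (1) exceeded" line that the same proftpd child writes for the same client are folded into one attempt. The log lines are constructed from the thread's format with RFC 5737 addresses; the "Incorrect password" wording for a rejected password is assumed from ProFTPD and is not quoted in the thread.

```python
"""Count ProFTPD login failures per connection, not per log line.

Added example for this thread; it is not ProFTPD's or DirectAdmin BFM's code.
With MaxLoginAttempts 1 each rejected login produces two lines, "USER ...: no
such user found" and "Maximum login attempts (1) exceeded", and the thread shows
both being counted. Grouping lines by (client IP, proftpd pid) folds them into
one connection. All log lines below are constructed sample data in the thread's
format (RFC 5737 addresses); the "Incorrect password" wording is assumed from
ProFTPD, not quoted in the thread.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*?)\s*$"
)
FAILURE_RES = {
    "no_such_user": re.compile(r"^USER (\S+): no such user found"),
    "bad_password": re.compile(r"^USER (\S+) \(Login failed\): Incorrect password"),
}
MAX_EXCEEDED_RE = re.compile(r"^Maximum login attempts \((\d+)\) exceeded")


def parse(line):
    """Return a dict for one proftpd syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "pid": int(m["pid"]), "ip": m["ip"], "msg": m["msg"],
          "kind": "other", "user": None, "limit": None}
    for kind, rx in FAILURE_RES.items():
        f = rx.match(ev["msg"])
        if f:
            ev["kind"], ev["user"] = kind, f.group(1)
            return ev
    x = MAX_EXCEEDED_RE.match(ev["msg"])
    if x:
        ev["kind"], ev["limit"] = "max_exceeded", int(x.group(1))
    return ev


def count_attempts(lines):
    """Return {ip: {"raw_lines", "connections", "attempts"}}.

    One proftpd child (pid) serves one connection, so (ip, pid) identifies the
    connection. Only failure lines count; "Maximum login attempts (N) exceeded"
    is the consequence of those failures and adds nothing, unless the failure
    lines themselves are missing, in which case N is used. A production filter
    would also bound the grouping by time, since pids are reused.
    """
    conns = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            conns[(ev["ip"], ev["pid"])].append(ev)
    per_ip = defaultdict(lambda: {"raw_lines": 0, "connections": 0, "attempts": 0})
    for (ip, _pid), events in conns.items():
        failures = sum(1 for e in events if e["kind"] in FAILURE_RES)
        if failures == 0:
            failures = next((e["limit"] for e in events if e["kind"] == "max_exceeded"), 0)
        rec = per_ip[ip]
        rec["raw_lines"] += len(events)
        rec["connections"] += 1
        rec["attempts"] += failures
    return dict(per_ip)


# Constructed sample data in the thread's format.
SERVER = "192.0.2.21"
SCANNER_IP, BRUTER_IP = "198.51.100.23", "203.0.113.77"


def _line(ts, pid, ip, msg):
    return f"{ts} da proftpd[{pid}]: {SERVER} ({ip}[{ip}]) - {msg}"


SAMPLE_LINES = []
# Five connections as in the thread (MaxLoginAttempts 1): two lines each.
for ts, pid in [("Sep 26 01:43:46", 11894), ("Sep 26 01:44:27", 13556),
                ("Sep 27 14:17:47", 20007), ("Sep 28 04:12:10", 20411),
                ("Sep 28 04:51:22", 9649)]:
    SAMPLE_LINES.append(_line(ts, pid, SCANNER_IP,
        f"USER user1: no such user found from {SCANNER_IP} [{SCANNER_IP}] to {SERVER}:21"))
    SAMPLE_LINES.append(_line(ts, pid, SCANNER_IP,
        "Maximum login attempts (1) exceeded, connection refused"))
# One connection with MaxLoginAttempts 3: three rejected passwords, then the cut-off.
for ts in ("Sep 28 05:00:01", "Sep 28 05:00:03", "Sep 28 05:00:06"):
    SAMPLE_LINES.append(_line(ts, 9871, BRUTER_IP,
        "USER ftpadmin (Login failed): Incorrect password."))
SAMPLE_LINES.append(_line("Sep 28 05:00:06", 9871, BRUTER_IP,
    "Maximum login attempts (3) exceeded, connection refused"))
SAMPLE_LINES.append(_line("Sep 28 05:00:06", 9871, BRUTER_IP, "FTP session closed."))


def demo():
    return count_attempts(SAMPLE_LINES)


if __name__ == "__main__":
    for ip, rec in demo().items():
        print(ip, rec)
```

On the constructed data the thread-style client produces ten raw lines but five attempts, one per connection, and the client that sends three wrong passwords in one connection is charged three attempts even though it also produced a "Maximum login attempts (3) exceeded" line and a session-closed line. That is the count a brute-force threshold should be compared against.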

    #9 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)
    I somehow missed this file, brute_filter.list, and found it just now. So I guess the desired exceptions can be added manually into a customized version of the filter file.
    With regards, Alex.

