Dovecot or Exim problem vs 192.168.2.33

Silvestris (Verified User, joined May 30, 2014, 5 messages)
Hi, I've been using DirectAdmin for some time, but it's the first time I can't find an answer to my problem just by using this forum and Google :(
And here it is:
For some time I'm being hammered by logins with a spoofed IP (192.168.2.33) from random IPs; they log in 3-8 times and almost never again, then some other IP takes over, and daily it goes into the thousands...
Now, they always use a user name without a domain, like:
login authenticator failed for ([192.168.2.33]) [xxx.xxx.xxx.xxx]: 535 Incorrect authentication data (set_id=consultant)
login authenticator failed for ([192.168.2.33]) [xxx.xxx.xxx.xxx]: 535 Incorrect authentication data (set_id=jobs)
login authenticator failed for ([192.168.2.33]) [xxx.xxx.xxx.xxx]: 535 Incorrect authentication data (set_id=alan)
etc... almost always a different real IP and a different id

Now my problem/question:

Can I somehow silently drop all users without a domain?
I'm only using logins like [email protected], [email protected], so ALL user-only logins are invalid for me
or, don't log those attempts at all, so I won't get emails about abuse from them (as I said, no user without a domain is valid for my system)
or, ban them somehow right after the first attempt if no domain is specified (worst case, sometimes real users try to log in without a domain when they reinstall their client and forget to use one)

Doing that would drop illegal login attempts by like 99% for me.
Thanks for any support :)
 
It's unlikely that it can be a Dovecot problem.

It's a bit weird that you'd be seeing attempts from 192.168.2.X. Are they all from 192.168.2.33, or are some from other IP#s?

Does your system have any connections to 192.168.2.x (where x indicates any valid number)?

Are those login names actual usernames on your system (not virtual email addresses, but usernames or reseller names as set up by DirectAdmin)? Or on any other system on your network hosted at 192.168.2.x?

You might want to run the following as root to see if you're listening on any domains at 192.168.2.x:
Code:
ifconfig | grep 192.168.2
But likely these aren't the IP#s the logins are coming from; likely they're coming from the IP#s you've replaced with xxx.xxx.xxx.xxx. I'm not sure why you've done this as it makes it impossible for us to do much besides guess.

If these numbers change and they're not on your network, then a good firewall (I use CSF) could block them, as could DirectAdmin's brute force monitor if those real IP#s hit the default frequency before they change.

You could probably make changes to exim.conf to block such users, but if they don't exist, then you're already blocking them. I don't know how to keep them out of the logs.

Does anyone else?

Jeff
 
OK, first sorry for editing those IPs to xxx.xxx.xxx.xxx.
In reality they are from all over the world; as I said, they almost never repeat themselves,
but they are always "spoofed" with 192.168.2.33. That's a common thing for them; probably they originate from the same botnet / some kind of infected computers with the same trojan.

Those user names they try to log in with aren't real; they are dictionary based.

So in reality it looks like this:

2014-05-31 20:20:19 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:21 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:21 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:22 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:22 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:33:22 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:22 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:23 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:24 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:25 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:25 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:46:08 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 21:35:19 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:19 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:19 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:20 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:20 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:20 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)

Sometimes it's 100/day, sometimes 10000/day and more.

And as I said, the solution for me would be something like: if the login isn't [email protected], silently discard it to /dev/null somehow.
 
And as I said, the solution for me would be something like: if the login isn't [email protected], silently discard it to /dev/null somehow.
I don't know how to not log that. Perhaps someone else will reply. Or you can ask on the exim-users mailing list.

(I don't think I'd ever add code to any copies of exim.conf I use or maintain, because that would make it impossible for firewalls to block these users, and because most of us do want to know what's going on with our servers.)

Jeff
 
Thanks for the replies.

BTW, by "them" I didn't mean log messages, but login attempts :), so they aren't processed and checked against users/passwords at all, but dropped at the very beginning somehow.

BTW DirectAdmin is failing to pick up the right IP from those logs; instead of the real IP I get that 192.168.2.33 in the brute force monitor:

...
A new message or response with subject:

Brute-Force Attack detected in service log from IP(s) 192.168.2.33

has arrived for you to view.
Follow this link to view it:
...
 
Have you verified that you don't have any 192.168.2.x IP#s on your network? (I explained above how to do that by looking at the output of ifconfig.)

If DirectAdmin's brute-force monitor is really blocking the wrong IP#s, that can be entered as a bug, but only if you're sure the emails aren't really coming through an interface from 192.168.2.x.

As far as changing the system to not even check usernames with only a local-part against users in /etc/passwd before refusing them, that could break some important functionality in POSIX-compliant servers (BSD and Linux servers follow, to a greater or lesser extent, POSIX standards). So I don't think that could ever be a standard part of exim.conf.

Jeff
 
Yes, I verified; I have only a public IP and loopback (127.0.0.1).

Those IPs are for sure not local, because they are banned; it's just that the brute force monitor picks up the wrong IP.
A random IP picked from the logs:

2014-05-31 16:05:08 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:16:55 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)

[root@server ~]# iptables -nL -v -x | grep 178.41.179.50
3 144 DROP all -- * * 178.41.179.50 0.0.0.0/0
 
Hello,

Thanks for the report.

1) Can you confirm you're using the latest version of DA? 1.45.2

2) Check the filter file:
Code:
/usr/local/directadmin/data/templates/brute_filter.list
where we'd want to see something like this, which is the latest version:
Code:
#exim1=ip_after=]) [&ip_until=]&text=login authenticator failed for&user_after=(set_id%3D&user_until=)
exim1=ip_after=]) [&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)
#exim2=ip_after=[&ip_until=]&text=login authenticator failed for&user_after=(set_id%3D&user_until=)
exim2=ip_after=[&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)
#exim3=ip_after=]) [&ip_until=]&text=plain authenticator failed for&user_after=(set_id%3D&user_until=)
exim3=ip_after=]) [&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)
#exim4=ip_after=[&ip_until=]&text=plain authenticator failed for&user_after=(set_id%3D&user_until=)
exim4=ip_after=[&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)


Rule exim1 should be finding it because of this bit:
Code:
ip_after=]) [
hence my only guess is you don't have the updated filter file.


This was the change:
http://www.directadmin.com/features.php?id=1303

I'll get rid of the # comments for the next release, to clean it up.

John
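To make the filter-file format above concrete, here is an added example (not DirectAdmin's code, and not posted by anyone in this thread) that applies the exim1 and exim2 rules quoted above to a few constructed log lines shaped like the ones Silvestris posted, then tallies failures per extracted client IP and separately counts logins with no domain part. Running both rules shows why a stale filter attributes everything to 192.168.2.33: exim2 anchors on the first "[" and picks up the address in parentheses, while exim1's "]) [" anchor lands on the real connecting IP.

```python
from collections import Counter
from urllib.parse import unquote
# Constructed sample lines in the same shape as the exim mainlog excerpts posted above.
SAMPLE_LOG = """\
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:33:22 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:40:00 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=alice@example.com)
"""

# Two rules copied from the brute_filter.list shown in the thread: the current exim1
# anchors the IP on "]) [", the older exim2 anchors on the first bare "[".
RULES = {
    "exim1": "ip_after=]) [&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)",
    "exim2": "ip_after=[&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)",
}

def parse_rule(spec):
    # key=value fields joined by '&'; values are URL-encoded (set_id%3D) so a '=' inside a value is safe.
    return {k: unquote(v) for k, v in (f.split("=", 1) for f in spec.split("&"))}

def between(line, after, until):
    # Substring following the first 'after' up to the next 'until', or None.
    start = line.find(after)
    if start < 0:
        return None
    end = line.find(until, start + len(after))
    return None if end < 0 else line[start + len(after):end]

def apply_rule(rule, line):
    # (ip, user) for a line containing rule['text'], None for every other line.
    if rule["text"] not in line:
        return None
    return (between(line, rule["ip_after"], rule["ip_until"]),
            between(line, rule["user_after"], rule["user_until"]))

def summarize(log, rule_name="exim1"):
    # Failures per extracted IP, plus those whose login has no domain part
    # (the local-part-only attempts Silvestris wants to treat as invalid).
    rule = parse_rule(RULES[rule_name])
    per_ip, no_domain = Counter(), Counter()
    for line in log.splitlines():
        hit = apply_rule(rule, line)
        if hit is None:
            continue
        ip, user = hit
        per_ip[ip] += 1
        if user is not None and "@" not in user:
            no_domain[ip] += 1
    return per_ip, no_domain
```

With exim1, summarize(SAMPLE_LOG) counts 83.19.218.50, 196.28.31.245 and 14.23.148.42 (twice); with exim2 every line is charged to 192.168.2.33.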
 
Thanks for the info, I wasn't running the latest DA, but I am now and that IP recognition is fixed.
 