Dovecot or Exim problem vs 192.168.2.33



Silvestris
05-30-2014, 04:14 PM
Hi, I'm using DirectAdmin for some time, but it's the first time I can't find an answer to my problem just by using this forum and Google :(
and here it is:
For some time I'm hammered by logins with a spoofed IP (192.168.2.33) from random IPs; they log in 3-8 times and almost never again, then some other IP takes over, and daily it goes into the thousands...
Now, they always use a username without a domain, like:
login authenticator failed for ([192.168.2.33]) [xxx.xxx.xxx.xxx]: 535 Incorrect authentication data (set_id=consultant)
login authenticator failed for ([192.168.2.33]) [xxx.xxx.xxx.xxx]: 535 Incorrect authentication data (set_id=jobs)
login authenticator failed for ([192.168.2.33]) [xxx.xxx.xxx.xxx]: 535 Incorrect authentication data (set_id=alan)
etc... almost always a different real IP and a different ID

Now my problem/question:

Can I somehow silently drop all users without a domain?
I'm only using logins like admin@domain.com, user@domain.com, so ALL user-only logins are invalid for me.
Or, don't log those attempts at all, so I won't get emails about abuse from them (as I said, no user without a domain is valid for my system).
Or, ban them somehow right after the first attempt if no domain is specified (worst case; sometimes real users try to log in without a domain when they reinstall their client and forget to use one).

Doing that would drop illegal login attempts by like 99% for me.
Thanks for any support :)

nobaloney
05-31-2014, 01:18 PM
It's unlikely that it can be a Dovecot problem.

It's a bit weird that you'd be seeing attempts from 192.168.2.X. Are they all from 192.168.2.33, or are some from other IP#s?

Does your system have any connections to 192.168.2.x (where x indicates any valid number)?

Are those login names actual usernames on your system (not virtual email addresses, but usernames or reseller names as set up by DirectAdmin)? Or on any other system on your network hosted at 192.168.2.x?

You might want to run the following as root to see if you're listening on any addresses at 192.168.2.x:

ifconfig | grep 192.168.2
But likely these aren't the IP#s the logins are coming from; likely they're coming from the IP#s you've replaced with xxx.xxx.xxx.xxx. I'm not sure why you've done this as it makes it impossible for us to do much besides guess.

If these numbers change and they're not on your network, then a good firewall (I use CSF) could block them, as could DirectAdmin's brute force monitor if those real IP#s hit the default frequency before they change.

You could probably make changes to exim.conf to block such users, but if they don't exist, then you're already blocking them. I don't know how to keep them out of the logs.

Does anyone else?

Jeff

Silvestris
05-31-2014, 02:07 PM
OK, first sorry for editing those IPs with xxx.xxx.xxx.xxx.
In reality they are from all over the world; as I said, they almost never repeat themselves,
but they are always "spoofed" with 192.168.2.33. That's a common thing for them; probably they originate from the same botnet / some kind of infected computers with the same trojan.

Those usernames they try to log in with aren't real, they are dictionary based.

So in reality it looks like this:

2014-05-31 20:20:19 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:20 login authenticator failed for dug50.internetdsl.tpnet.pl ([192.168.2.33]) [83.19.218.50]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:21 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:21 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:22 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:20:22 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)
2014-05-31 20:33:22 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:22 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:23 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:24 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:25 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:33:25 login authenticator failed for ([192.168.2.33]) [14.23.148.42]: 535 Incorrect authentication data (set_id=proxy)
2014-05-31 20:46:08 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)
2014-05-31 21:35:19 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:19 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:19 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:20 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:20 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:35:20 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=jeff)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)
2014-05-31 21:48:32 login authenticator failed for 81-208-107-58.ip.fastwebnet.it ([192.168.2.33]) [81.208.107.58]: 535 Incorrect authentication data (set_id=manager)

Sometimes it's 100/day, sometimes 10000/day and more.

And as I said, the solution for me would be something like -> if login isn't user@somedomain.com -> silently discard them to /dev/null somehow.

nobaloney
05-31-2014, 02:25 PM
And as I said, the solution for me would be something like -> if login isn't user@somedomain.com -> silently discard them to /dev/null somehow.
I don't know how to not log that. Perhaps someone else will reply. Or you can ask on the exim-users mailing list.

(I don't think I'd ever add code to any copies of exim.conf I use or maintain, because that would make it impossible for firewalls to block these users, and because most of us do want to know what's going on with our servers.)

Jeff

Silvestris
05-31-2014, 02:37 PM
Thanks for the replies.

BTW, by "them" I didn't mean log messages, but login attempts :), so they aren't processed and checked against users/passwords at all, but dropped at the very beginning somehow.

BTW, DirectAdmin is failing to pick up the right IP from those logs; instead of getting the real IP I get that 192.168.2.33 in the brute force monitor:

...
A new message or response with subject:

Brute-Force Attack detected in service log from IP(s) 192.168.2.33

has arrived for you to view.
Follow this link to view it:
...

nobaloney
05-31-2014, 02:52 PM
Have you verified that you don't have any 192.168.2.x IP#s on your network? (I explained above how to do that by looking at the output of ifconfig.)

If DirectAdmin's brute-force monitor is really blocking the wrong IP#s that can be entered as a bug, but only if you're sure the emails aren't really coming through an interface from 192.168.2.x.

As far as changing the system to not even check usernames with only a local-part against users in /etc/passwd before refusing them, that could break some important functionality in POSIX-compliant servers (BSD and Linux servers follow, to a greater or lesser extent, POSIX standards). So I don't think that could ever be a standard part of exim.conf.

Jeff

Silvestris
05-31-2014, 03:32 PM
Yes, I verified; I have only a public IP and loopback (127.0.0.1).

Those IPs are for sure not local, because they are banned; it's just that the brute force monitor picks up the wrong IP.
A random IP picked from the logs:

2014-05-31 16:05:08 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:05:09 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=grey)
2014-05-31 16:16:55 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)
2014-05-31 16:16:56 login authenticator failed for bband-dyn50.178-41-179.t-com.sk ([192.168.2.33]) [178.41.179.50]: 535 Incorrect authentication data (set_id=holly)

[root@server ~]# iptables -nL -v -x | grep 178.41.179.50
3 144 DROP all -- * * 178.41.179.50 0.0.0.0/0

DirectAdmin Support
05-31-2014, 05:49 PM
Hello,

Thanks for the report.

1) Can you confirm you're using the latest version of DA? 1.45.2

2) Check the filter file:
/usr/local/directadmin/data/templates/brute_filter.list
where we'd want to see something like this, which is the latest version:
#exim1=ip_after=]) [&ip_until=]&text=login authenticator failed for&user_after=(set_id%3D&user_until=)
exim1=ip_after=]) [&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)
#exim2=ip_after=[&ip_until=]&text=login authenticator failed for&user_after=(set_id%3D&user_until=)
exim2=ip_after=[&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)
#exim3=ip_after=]) [&ip_until=]&text=plain authenticator failed for&user_after=(set_id%3D&user_until=)
exim3=ip_after=]) [&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)
#exim4=ip_after=[&ip_until=]&text=plain authenticator failed for&user_after=(set_id%3D&user_until=)
exim4=ip_after=[&ip_until=]&text=535 Incorrect authentication data&user_after=(set_id%3D&user_until=)


Rule exim1 should be finding it because of this bit:
ip_after=]) [
Hence my only guess is you don't have the updated filter file.


This was the change:
http://www.directadmin.com/features.php?id=1303

I'll get rid of the # comments for the next release, to clean it up.

John
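
The point John makes about which bracket the rule anchors on can be shown in code. The block below is an added example, not code from this thread or from DirectAdmin: it re-implements the matching that the ip_after/ip_until/text/user_after/user_until fields of brute_filter.list describe, runs it over constructed log lines shaped like the ones Silvestris posted, and also tallies the failed attempts whose username has no "@" (the local-part-only logins asked about earlier in the thread). In these Exim lines the bracketed value inside the parentheses is the HELO string the client sent and the bracketed value after it is the connecting address, which is why a rule anchored on the first "[" reports 192.168.2.33. Assumptions, since the page does not show DA's parser: rule values are percent-decoded, rules are tried in file order, and the first rule that yields an address wins.

```python
"""Added example, not code from the thread or from DirectAdmin: a small
re-implementation of the ip_after/ip_until/text/user_after/user_until
matching that brute_filter.list rules describe, run over constructed
Exim log lines shaped like the ones quoted in the thread."""
from collections import Counter
from urllib.parse import unquote

# Rules copied from the brute_filter.list excerpt posted in the thread.
# exim1 anchors the IP on "]) [", i.e. the bracketed address that follows
# the parenthesised HELO string; exim2 anchors on the first "[" it finds.
RULES = [
    ("exim1", "ip_after=]) [&ip_until=]&text=535 Incorrect authentication data"
              "&user_after=(set_id%3D&user_until=)"),
    ("exim2", "ip_after=[&ip_until=]&text=535 Incorrect authentication data"
              "&user_after=(set_id%3D&user_until=)"),
]

# Constructed sample log, modelled on the lines quoted in the thread
# (first three), plus a client with a non-literal HELO and an unrelated
# delivery line that no rule should match.
SAMPLE_LOG = [
    "2014-05-31 20:46:08 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)",
    "2014-05-31 20:46:09 login authenticator failed for 178.red-2-138-31.dynamicip.rima-tde.net ([192.168.2.33]) [2.138.31.178]: 535 Incorrect authentication data (set_id=bill)",
    "2014-05-31 20:20:20 login authenticator failed for ([192.168.2.33]) [196.28.31.245]: 535 Incorrect authentication data (set_id=lora)",
    "2014-05-31 21:02:11 login authenticator failed for mail.example.net (mail.example.net) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice@example.com)",
    "2014-05-31 21:02:15 <= alice@example.com H=mail.example.net [198.51.100.7] P=esmtpsa A=login:alice@example.com S=1234",
]


def parse_rule(rule: str) -> dict:
    """Split 'k=v&k=v' into a dict. '%3D' decodes to '=' (assumption: this
    mirrors how DA reads the file; the thread does not show its parser)."""
    fields = {}
    for part in rule.split("&"):
        key, _, value = part.partition("=")
        fields[key] = unquote(value)
    return fields


def apply_rule(rule: str, line: str):
    """Return (ip, user) as one rule extracts them, or None when the rule's
    required text is absent. Either element is None if its delimiters are
    not both present in the line."""
    r = parse_rule(rule)
    if r["text"] not in line:
        return None

    def between(after: str, until: str):
        start = line.find(after)
        if start < 0:
            return None
        start += len(after)
        end = line.find(until, start)
        return line[start:end] if end >= 0 else None

    return (between(r["ip_after"], r["ip_until"]),
            between(r["user_after"], r["user_until"]))


def extract(line: str):
    """First rule in file order that yields an address wins (assumption:
    the thread does not say how DA orders rule evaluation)."""
    for _name, rule in RULES:
        hit = apply_rule(rule, line)
        if hit and hit[0]:
            return hit
    return None


def summarize(lines):
    """Failed logins per connecting IP and per username, plus the subset of
    usernames with no '@' (the local-part-only attempts from the thread)."""
    per_ip, per_user, bare = Counter(), Counter(), Counter()
    for line in lines:
        hit = extract(line)
        if not hit:
            continue
        ip, user = hit
        per_ip[ip] += 1
        per_user[user] += 1
        if user and "@" not in user:
            bare[user] += 1
    return per_ip, per_user, bare


if __name__ == "__main__":
    ips, users, bare = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{n:4d}  {ip}")
    print("local-part-only usernames:", dict(bare))
```

Run against a real /var/log/exim/mainlog the same way (read the file into `summarize`), the per-IP counter is what a firewall or the brute force monitor needs, while the "bare" counter shows how much of the noise is the local-part-only dictionary traffic described in the thread.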

Silvestris
06-01-2014, 03:52 AM
Thanks for the info. I wasn't running the latest DA, but I am now and that IP recognition is fixed.