Bruteforce from 127.0.0.1 with Dovecot / imap.

Richard G

I've found several 127.0.0.1 threads, but not this one.

Lately I regularly get these messages:
Brute-Force Attack detected in service log from IP(s) 127.0.0.1

So I'm going to look in the brute force monitor and it says this:

dovecot1 Feb 16 16:28:39 server dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

There are a couple of domain names there. Not many, however.

I have even seen this from suspended domains.
Somewhere I read that maybe somebody is brute-forcing webmail, but there is nothing showing up in the Apache logs. Or at least I don't see anything which resembles this in the access or error log.
 
Is there any logical interval between tries? What if it's a script which by cron tries to connect to IMAP server from a suspended account?
 
There is no logical interval and we only have 2 suspended accounts on our server. The problem also occurs with non-suspended accounts.

Maybe if there were some dovecot log, one could see where the login attempts were coming from.
 
I'm having the same issue again:

Apr 11 19:34:44 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
21 of these brute-force attempts on several different email addresses (belonging to different accounts). Most tries were on the main domain from the admin, and he's sure it wasn't him.

Is there a way to activate a Dovecot logfile with DirectAdmin?
Because I don't know where to look otherwise. Maillog isn't showing anything.
 
Perhaps the access is through your webmail. As it is on the same machine, the local IP (127.0.0.1) is logged.

If you use Roundcube, check for "Login failed for..." occurrences in /var/www/html/roundcube/logs/errors
 
This happened around 2 months ago, but when it occurs again I will try your tip and look in the Roundcube logs to see if anything can be found.
Thanks for the tip!
 
Sorry for hijacking your thread, but I have the same problem as you. Too many brute force attacks from 127.0.0.1. When I look at the brute force page I see

dovecot1 May 4 12:51:28 hosting dovecot[5451]: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

Every attempt happened only once, on a different email address at a different time. And now I currently have over 3000 failed login attempts.

I'm looking at /var/www/html/roundcube/logs/errors as unihostbrasil said, but I can see only this


IMAP Error: Authentication for bibi failed (LOGIN): a001 NO [AUTHENTICATIONFAILED] Authentication failed. in /rcube_imap.php on line 143 (POST /webmail/?_task=&_action=login)

It's the same error on every line, just different email accounts.
 
I don't mind you hijacking my thread if you have exactly the same problem, especially if it could lead to a solution/fix. ;)
So I hope somebody might see how to get an IP address to ban for the people doing these kinds of attacks.
 
So if you're sure that the attacks come from Roundcube, then I'd say you need to check the Apache logs located in /var/log/httpd/ and see from which IPs you have the highest number of POST requests to the login/index page. Then you can block the IP with your firewall.

And you might want to install a plugin for Roundcube to enable a captcha, see http://trac.roundcube.net/wiki/Plugin_Repository#ImprovedSecurity

In case you install a plugin, you should take care to protect your modification from being overwritten on a Roundcube update, see http://help.directadmin.com/item.php?id=365
 
I didn't notice earlier, but I think it was not like this. When I went to see the logs in Apache now, the logs are empty; DirectAdmin's log viewer uses the same logs and they are empty too. Is this normal and I just didn't notice, or did something happen and the logs are not being written anymore? In /var/log/httpd I have 5 access_log files, 5 suexec_log files and 5 error_log files. The access and suexec logs are all empty. There is a directory "domains" where the logs for every specific domain are, and they have info inside. So is it normal by default for the logs to be empty?
 
If all Apache logs are still empty long after log rotation, that is not normal, unless it is what you wanted to get.
 
I didn't mess with the logs or Apache, and all the rotated log files are empty. I'm looking at older logs from backups and they are all empty, from a backup 2 months old and from a backup 6 months old. The other logs are OK, just access_log and suexec_log are empty. How can I turn them on and see for a couple of days what gets written to the logs?
 
Normally log rotation of the Apache logs is done by DirectAdmin. Note, if you access roundcube/phpmyadmin/etc. from a domain name, you should read the logs for that virtual host, e.g. http://domain.com/roundcube/

And if you access roundcube/phpmyadmin/etc from an IP, like http://1.2.3.4/roundcube/ then you should refer to those logs which are located directly in /var/log/httpd/

So try to access your server by IP and see if the logs get filled.
 
I can access it through any domain and with the IP of the server. I know that I have added one redirection so I can access it through the IP or any domain with /webmail or /roundcube. I tried to do some failed logins through IP access and through various domains, but still the access logs are not being written.
I have also looked into the httpd.conf file and I have this set.

ErrorLog /var/log/httpd/error_log
LogLevel warn

<IfModule log_config_module>
#replace %b with %O for more accurate logging
<IfModule mod_logio.c>
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%O %I" bytes

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog /var/log/httpd/access_log common
</IfModule>

I didn't mess with anything in these lines.
 
Check if you are using the latest Roundcube version, because it logs (/var/www/html/roundcubemail/logs/errors) the user IP from failed logins since version 0.5:

Code:
[09-May-2012 11:09:06 -0300]: IMAP Error: Login failed for [email protected] from 111.111.111.111. AUTHENTICATE PLAIN: Authentication failed. ...
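The two log sources named in this thread can be tied together. Roundcube runs on the same machine as Dovecot and opens its IMAP connection over loopback, so Dovecot only ever records rip=127.0.0.1; the browser's real address shows up in the Apache access log (POST requests to the login URL) and, from Roundcube 0.5 on, in logs/errors as "Login failed for <user> from <ip>". The script below is an added example, not code from the thread or from Roundcube or DirectAdmin: it counts failed webmail logins per client IP from both sources and lists the addresses above a threshold, which is the list you would hand to the firewall. It assumes the Apache common/combined format from the httpd.conf quoted above, the `_action=login` query string from the 0.4.2 error line quoted earlier, and the 0.5 "Login failed for ... from ..." wording; every log line in it is a constructed sample using documentation IP ranges.

```python
"""Added example: find the real client IPs behind Dovecot
"auth failed ... rip=127.0.0.1" entries by reading the webmail-side logs.

All log lines in this file are constructed samples, not real server logs.
"""
import re
from collections import Counter

# Apache common/combined format (as in the quoted httpd.conf): client IP first,
# then ident, user, [timestamp], "METHOD path protocol", status, ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Roundcube >= 0.5 logs/errors entry. IPv4 alternative first so the sentence's
# trailing '.' is not swallowed; bare IPv6 as a fallback.
ROUNDCUBE_RE = re.compile(
    r'Login failed for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)'
)
# Query string Roundcube uses for the login POST (assumed from the thread's 0.4.2 line).
LOGIN_MARKER = "_action=login"

APACHE_SAMPLE = [  # constructed sample lines
    '203.0.113.7 - - [04/May/2012:12:51:27 +0200] "POST /webmail/?_task=&_action=login HTTP/1.1" 200 1234',
    '203.0.113.7 - - [04/May/2012:12:51:28 +0200] "POST /webmail/?_task=&_action=login HTTP/1.1" 200 1234',
    '198.51.100.9 - - [04/May/2012:12:52:01 +0200] "GET /webmail/ HTTP/1.1" 200 5678',
    '198.51.100.9 - - [04/May/2012:12:52:05 +0200] "POST /webmail/?_task=&_action=login HTTP/1.1" 200 1234',
    'garbage line that does not parse',
]
ROUNDCUBE_SAMPLE = [  # constructed sample lines
    '[09-May-2012 11:09:06 -0300]: IMAP Error: Login failed for bibi@example.com from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed.',
    '[09-May-2012 11:09:09 -0300]: IMAP Error: Login failed for admin@example.com from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed.',
    # Roundcube 0.4.x wording carries no client IP, so it cannot be attributed.
    '[09-May-2012 11:10:00 -0300]: IMAP Error: Authentication for bibi failed (LOGIN): a001 NO [AUTHENTICATIONFAILED] Authentication failed.',
]


def apache_login_posts(lines):
    """Count POST requests to the webmail login action per client IP."""
    counts = Counter()
    for line in lines:
        m = APACHE_RE.match(line)
        if m and m.group("method") == "POST" and LOGIN_MARKER in m.group("path"):
            counts[m.group("ip")] += 1
    return counts


def roundcube_failed_logins(lines):
    """Count Roundcube >= 0.5 'Login failed ... from <ip>' entries per client IP."""
    counts = Counter()
    for line in lines:
        m = ROUNDCUBE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def suspicious_ips(apache_counts, roundcube_counts, threshold):
    """Merge both counters; return (ip, total) pairs at or above threshold, busiest first."""
    merged = apache_counts + roundcube_counts
    return [(ip, n) for ip, n in merged.most_common() if n >= threshold]


if __name__ == "__main__":
    a = apache_login_posts(APACHE_SAMPLE)
    r = roundcube_failed_logins(ROUNDCUBE_SAMPLE)
    for ip, n in suspicious_ips(a, r, threshold=3):
        print(f"{ip}: {n} failed webmail logins (apache={a[ip]}, roundcube={r[ip]})")
```

On a real server you would feed `apache_login_posts` the access_log of whichever virtual host the webmail is reached through (the per-domain log under /var/log/httpd/domains/ for a domain name, /var/log/httpd/access_log for access by IP, as explained later in the thread), and `roundcube_failed_logins` the logs/errors file; the 0.4.x sample line shows why an upgrade is needed before the second source yields anything.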
 
What do you see if you run this:

Code:
apachectl -t -D DUMP_MODULES | grep logio

? As the other logs are OK, you should see something like this:

logio_module (static)

Then try to open http://SERVER_IP/random_here/ and check the log. It seems it contains only records for SERVER_IP (neither SHARED_IP nor PRIVATE_IP). And make sure you aren't using a frontend + backend scheme for organizing the web service.
 
I use version 0.4.2; it also has logs where you said, but this doesn't mean anything to me, because in the logs I see failed logins for a user from 127.0.0.1. What I need is to find out where those 127.0.0.1 attacks come from.

When I run the command I see

logio_module (static)
Syntax OK

If you mean that I need a dedicated IP that I don't use for anything else on the server, then I don't have one. I have 2 IPs on the server and both are used for DNS records. Although the first IP is marked as the server IP in the DirectAdmin control panel, it's also marked as a shared IP.
 
As I've said, you must use at least version 0.5. Version 0.4.2 has security bugs and doesn't log the user IP. This functionality was included in v0.5:
http://trac.roundcube.net/ticket/1487626
 
Wait, wait: it will log the user IP even if the brute force attacks come from 127.0.0.1? 127.0.0.1 is localhost, so this looks like an attack from the server itself, from some website or user account. How will it log the user IP when the user is the server? That's why the brute force attacks are from the 127.0.0.1 IP. Or am I missing something here or not understanding?
 