BFM & Dovecot: Disconnected no auth attempts

[zEitEr]

Hello,

We are facing a strange issue with BFM & Dovecot. An IP of a customer got blocked, during the investigation we did not find any attempts to login with a wrong password, but we see a lot of similar messages on BFM page in directadmin:

pop3-login: Disconnected (no auth attempts in 110 secs): user=<>, rip=195.bb2.cc.69, lip=195.bb.cc.19, TLS: SSL_read() syscall failed: Connection timed out, session=<1V0sh2XJRQDDUp1F>

 pop3-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=195.bb.cc.69, lip=195.bb.cc.19, session=<Koa1DmPJUQDDUp1F>

and so on:

Aborted login (auth failed, 1 attempts in 2 secs): 
Disconnected (no auth attempts in 0 secs):
Aborted login (no auth attempts in 0 secs):

And here (http://wiki.dovecot.org/WhyDoesItNotWork) we can find some explanation:

Aborted login (no auth attempts) means that the client isn't even attempting to log in. Most likely you have disable_plaintext_auth=yes (default) and the client isn't configured to use SSL/TLS (or you've also set ssl=no).

So it seams we are facing an issue with SSL/TLS, but not a hacking attempt, but it seems Directadmin counts such messages and blocks the IP. Please check whether directadmin really blocks IP in such a case, and I'd really like you to review this policy and maybe ignore such lines.

 

[nobaloney]

It may or may not be a hacking attempt, but if someone repeatedly tries to login using an unsupported protocol, what would you call it? My guess is that if someone is trying over and over again to log in to your server using an unsupported protocol, they're probably trying to get in, and not succeeding.

And even if not, even if it's your user, wouldn't you want to know about it?

Jeff

 

[zEitEr]

I was not successful in recreating the situation and I did not manage to make those lines appear with my IP, so I'm not really sure, why these messages appear. In this case I can only rely on what is written on wiki.dovecot.org is the the only real reason. Unless there is a vulnerability in dovecot and somebody tries to use it.

But still it said, if Dovecot is allowed to accept only SSL/TLS, why should we block a user if he/she tries to login using an encrypted connection?

 

[nobaloney]

But still it said, if Dovecot is allowed to accept only SSL/TLS, why should we block a user if he/she tries to login using an encrypted connection?

Possibly because he's someone trying to get in to your server? A bad guy, who you should want to block in case he tries some other method? Or possibly because he's a client of yours and will leave without notice or paying if he can't get his email?

Note, Alex, that I'm not trying to tell you how to run your business; I'm only answering the question .

Jeff

 

[zEitEr]

OK, this must be an invalid login:

Aborted login (auth failed, 1 attempts in 2 secs):

Today's log contains only 3 such records.

But, in logs I see more records with

Aborted login (no auth attempts

and all of them are made with a TLS:

Sep 14 13:18:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<6mn7ZaPJpgAuMGYh>
Sep 14 13:28:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<1vW0iaPJtQAuMGYh>

OK, I've tested, I added a POP3 account into my mail program, and disable plain password authentication in this settings (but on server I still got plain text authentication enabled), and this is translated with Google error message, which my program gave me:

We could not send or receive messages for the account server.domain.com (admin). Program, Windows Live Mail could not log on to the server using Secure Password Authentication. Refer to the email service provider and make sure that it supports secure password authentication. To change this entry in the folder list, click the name of the account, right-click, and then click "Properties" from the context menu. In the menu "Properties", click the "Server" tab, and then in the "Incoming Mail Server" select input.

The server responded:.
Server: 'server.domain.com'
Error code of the program Mail Windows Live: 0x800CCC18
Protocol: POP3
Port: 110
Protection (SSL): No

And on server in logs I see:

Sep 14 14:20:17 server dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=11.11.11.11, lip=22.22.22.22, session=<oll6QaTJ5gDDPjQC>

The same if I try to connect to dovecot on 110 port with enabled in mail program SSL.

I'm not sure, that this particular case is good to treat as a brute force attack. What do I miss?

Please, anybody who has anything else to say, don't hesitate to do it.

 

[Hirudo]

OK, this must be an invalid login:

Aborted login (auth failed, 1 attempts in 2 secs):

Today's log contains only 3 such records.

But, in logs I see more records with

Aborted login (no auth attempts

and all of them are made with a TLS:

Sep 14 13:18:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<6mn7ZaPJpgAuMGYh>
Sep 14 13:28:54 server dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): user=<>, rip=33.33.33.33, lip=22.22.22.22, TLS, session=<1vW0iaPJtQAuMGYh>

Please, anybody who has anything else to say, don't hesitate to do it.

I've had the same messages the past couple of days, and tracked it down to the fact that I updated the SSL cert for dovecot. Since my cert is self-signed, most clients will require you to manually accept it at least once, and will bail out after the SSL negotiation but before the auth stage otherwise.

In my specific client (K-9 mail on android) I had to explicitly go through the account settings again to make it show me the "invalid certificate" warning; getting mail would just fail silently with the "no auth attempts" message logged on the server.

 

[zEitEr]

OK, that might be the reason, anyway, that's very near to my situation. Yes, I've checked it with SSL. I'm not even sure, what the cert is installed there for exim and dovecot, but the last modified date goes back into 2010 year. And if i don't accept cert in my mail program it give the error:

Sep 14 22:17:52 shared1 dovecot: pop3-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=11.11.11.11, lip=22.22.22.22, TLS: SSL_read() syscall failed: Connection reset by peer, session=<FNx47arJ4gBtrj4Z>

So again we have here

Disconnected (no auth attempts

And what if for a moment we try to imagine a situation when a valid cert expired and a mail program still tries to connect to a server... and if we multiply these tries on a quantity of computers in a small organization, where all workers connect to internet through a single router which has one external IP. If one single user checks email once per 5 minute, we've got 12 tries per hour from him, for organization of 10 employees it would be 120 tries per hour, and the IP gets blocked within one hour. Then an administrator of the organization should check what happens and contact with us.... it takes time. Of course it would be our fault not to keep the cert updated... but nevertheless I really think brute force policy should be reviewed.

 

[zEitEr]

With ProFTPd we've got also wrong counting, when having MaxLoginAttempts set to 1:

        #
        # The MaxLoginAttempts directive configures the maximum number of times a client may
        # attempt to authenticate to the server during a given connection. After the number
        # of attempts exceeds this value, the user is disconnected and an appropriate message
        # is logged via the syslog mechanism.
        MaxLoginAttempts        1

Here you can see:

13488505810000	61.bb.cc.231	user1	1	proftpd1	Sep 26 01:43:46 da proftpd[11894]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
13488505810001	61.bb.cc.231		1	proftpd3	Sep 26 01:43:46 da proftpd[11894]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
13488505810002	61.bb.cc.231	user1	1	proftpd1	Sep 26 01:44:27 da proftpd[13556]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
13488505810003	61.bb.cc.231		1	proftpd3	Sep 26 01:44:27 da proftpd[13556]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
13488505820030	61.bb.cc.231	user1	1	proftpd1	Sep 27 14:17:47 da proftpd[20007]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
13488505820031	61.bb.cc.231		1	proftpd3	Sep 27 14:17:47 da proftpd[20007]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
13488505820032	61.bb.cc.231	user1	1	proftpd1	Sep 28 04:12:10 da proftpd[20411]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
13488505820033	61.bb.cc.231		1	proftpd3	Sep 28 04:12:10 da proftpd[20411]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused 
13488505820034	61.bb.cc.231	user1	1	proftpd1	Sep 28 04:51:22 da proftpd[9649]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - USER user1: no such user found from 61.bb.cc.231 [61.bb.cc.231] to 109.bbb.ccc.ddd:21 
13488505820035	61.bb.cc.231		1	proftpd3	Sep 28 04:51:22 da proftpd[9649]: 109.bbb.ccc.ddd (61.bb.cc.231[61.bb.cc.231]) - Maximum login attempts (1) exceeded, connection refused

That every login try is counted twice, which is definitely wrong, as I see it.
So please, consider to fix it also.

 

[zEitEr]

I somehow missed and found just now this file brute_filter.list. So I guess the desired exceptions can be added manually into a customized versions of the filter file.