On Sat, 19 May 2012 14:59:19 -0600, Glenn English wrote:

> On May 19, 2012, at 2:35 PM, Camaleón wrote:
>
>> Is your Dovecot publicly accessible?
>
> Yes.

Okay, then the attacks make more sense.

What still worries me is the empty (yet unknown) IP address of the machine from where this is coming, and I don't know Dovecot (with PAM auth) well enough to completely understand what can generate a blank "rhost", because even for a connection from a local machine (or the same computer where Dovecot is installed) I'd expect an IP printed there, either remote or local (127.0.0.1, 192.168.x.x, etc...) :-?

Can you compare these entries ("rhost=") with the ones you get on a normal login? That is, when a user is properly identified. Is the host available then?

>> I also get login tries in my Cyrus coming from the outside, they're
>> usually from automated bots running on zombie windows machines... if
>> that's the case, you can apply counter-measures to cut this kind of
>> attack, for instance, by installing fail2ban
>
> Done, and it's denying Postfix and auth incidents of interest.

Good. You can now monitor the attack and the logs will tell you if fail2ban is doing its work :-)

>> (also, some routers allow you to define rules to block/filter by
>> specific syn/ack traffic).
>
> My border router is a Cisco with significant acls. But they seem to be
> all about ICMP/UDP/TCP, IP, and port. I'll look into more specific
> restrictions.
>
> From one of the access lists:
>
>> 30 permit udp any host 209.97.231.219 eq ntp (27611222 matches)
>
> (access to the NTP server, in case you don't speak IOS)

I have no previous experience with Cisco routers but acl filter rules are almost like mathematical symbols: they're universally understood :-)

Anyway, better that you touch nothing at the Cisco side, fail2ban will do the job.

>> But being your "rhost" empty... it does not sound good :-(
>
> My sentiment exactly :-)

>> You can also take a look at the mail log to check pop3/imap logins, but
>> I don't know where Dovecot sends these... "/var/log/mail.log"?
>
> Yes, that's where they go. I just looked, and if I 'egrep -v' my real
> users and the net monitor, there's nothing of any interest.

Isn't the attacker's IP logged there? Weird.

You can also make the login process more verbose in Dovecot by setting "auth_verbose=yes"; you have more options here:

http://wiki2.dovecot.org/Logging

>> Yes, that's suspicious. You can also run rkhunter to scan your system.
>
> rkhunter. Thanks. I'll see what I can find.

That way you will discard something wrong coming from your own side.

Greetings,

-- 
Camaleón

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/jpai57$u2v$3...@dough.gmane.org
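The triage Camaleón suggests (compare the "rhost=" of the failures with what a normal login produces, and check that the external sources are the ones fail2ban is banning) can be done with a short script over the PAM log. The following is an added example, not code from the thread or from Dovecot/fail2ban. It assumes the standard pam_unix "authentication failure" line format with key=value fields, a PAM service name of "dovecot", and the sample log lines embedded below are constructed for the example; the local-network list and the ban threshold are illustrative choices.

```python
"""
Triage pam_unix failures for the Dovecot PAM service by their rhost= field:
separate blank-rhost entries (the open question in the thread) from local and
external sources, and list the external sources a fail2ban jail should be
banning. Point it at /var/log/auth.log; without an argument it runs on the
constructed sample below.
"""
import ipaddress
import re
import sys
from collections import Counter

# pam_unix failure format (sample is constructed, not copied from the post):
# "... pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0
#  tty=dovecot ruser=alice rhost=203.0.113.7  user=alice"
PAM_FAILURE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;(?P<fields>.*)"
)
KEY_VALUE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "rhost="

# Explicit local ranges. ipaddress's is_private also covers the documentation
# nets (203.0.113.0/24 etc.) used in the sample, so it is deliberately not used.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample: two external bot attempts from one host, one from another,
# one blank-rhost failure, one local failure, an sshd line and a Dovecot
# imap-login line (the last two must be ignored by the parser).
SAMPLE_LOG = """\
May 19 14:01:02 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7  user=admin
May 19 14:01:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=203.0.113.7  user=test
May 19 14:02:10 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=glenn rhost=  user=glenn
May 19 14:03:44 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=glenn rhost=192.168.1.20  user=glenn
May 19 14:04:00 mail sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
May 19 14:04:30 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=postmaster rhost=192.0.2.44  user=postmaster
May 19 14:05:00 mail dovecot: imap-login: Login: user=<glenn>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.1, TLS
"""


def parse_pam_failure(line, service="dovecot"):
    """Return the key=value fields of a pam_unix failure for `service`, else None."""
    m = PAM_FAILURE.search(line)
    if not m or m.group("service") != service:
        return None
    return dict(KEY_VALUE.findall(m.group("fields")))


def classify_rhost(rhost):
    """'blank' (nothing recorded), 'local' (loopback/RFC1918/link-local) or 'external'."""
    if not rhost:
        return "blank"
    try:
        ip = ipaddress.ip_address(rhost)
    except ValueError:
        return "external"  # PAM may record a hostname instead of an address
    return "local" if any(ip in net for net in LOCAL_NETS) else "external"


def triage(lines, service="dovecot"):
    """Bucket failures by rhost class; each bucket counts (rhost, user) pairs."""
    buckets = {"blank": Counter(), "local": Counter(), "external": Counter()}
    for line in lines:
        fields = parse_pam_failure(line, service)
        if fields is None:
            continue
        rhost = fields.get("rhost", "")
        buckets[classify_rhost(rhost)][(rhost, fields.get("user", ""))] += 1
    return buckets


def ban_candidates(buckets, threshold=3):
    """External hosts with at least `threshold` failures across all usernames."""
    per_host = Counter()
    for (rhost, _user), n in buckets["external"].items():
        per_host[rhost] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = triage(lines)
    for kind in ("blank", "local", "external"):
        for (rhost, user), n in result[kind].most_common():
            print(f"{kind:8} rhost={rhost or '<empty>':16} user={user:12} failures={n}")
    print("fail2ban should be banning:", ban_candidates(result, threshold=2))
```

Blank-rhost entries are reported separately so they can be lined up against the "rip=" field of Dovecot's own login lines in mail.log for the same timestamps; the external list is what to compare with "fail2ban-client status" to confirm the jail is actually catching the sources.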