Brute-forcing email accounts

My mail server, running postfix and courier-imap etc., is
continuously under attack from sources trying to brute-force
email accounts. They guess, often correctly, the email addresses
and try different passwords.

So far they have been largely unsuccessful, with one sad
exception, but I am asking myself whether there is not a
relatively simple defense. Perhaps the attacking IP address
could be blocked for some time after three unsuccessful logon
attempts.

Of course I keep reminding my mail users to use sufficiently
complex passwords, but I cannot force them.

My server runs under Plesk, and my knowledge of Linux is
superficial. There is always hope, of course, that Plesk one day
improves resistance against cyberattacks.

Any hints are welcome.

Hans-Georg
Hans
10/7/2016 10:56:21 AM
comp.mail.misc


>>>>> Hans-Georg Michna <hans-georgNoEmailPlease@michna.com> writes:

 > My mail server, running postfix and courier-imap etc., is
 > continuously under attack from sources trying to brute-force email
 > accounts.  They guess, often correctly, the email addresses and try
 > different passwords.

 > So far they have been largely unsuccessful, with one sad exception,
 > but I am asking myself whether there is not a relatively simple
 > defense.  Perhaps the attacking IP address could be blocked for some
 > time after three unsuccessful logon attempts.

	As stated, this problem looks like something Fail2ban can help
	you with.  See http://www.fail2ban.org/.

 > Of course I keep reminding my mail users to use sufficiently complex
 > passwords, but I cannot force them.

	Actually, you can.  For example, if your ESMTPSA and IMAPS
	services use PAM for authentication, you can configure it to
	check the new password with pam_cracklib and disallow the change
	if Cracklib says it's "weak."

 > My server runs under Plesk, and my knowledge of Linux is superficial.

	JFTR, I have no knowledge of Plesk whatsoever myself, so if
	there's anything specific to it, I'd hardly be of any help.

[...]

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
Ivan
10/7/2016 11:13:30 AM
Hans-Georg Michna <hans-georgNoEmailPlease@michna.com> wrote:

> My server runs under Plesk, and my knowledge of Linux is
> superficial. There is always hope, of course, that Plesk one day
> improves resistance against cyberattacks.

It's time to get your hands dirty and quit relying on those stupid control
panels.

Both of these work wonders, protecting the sshd, imap, pop and smtp with or
without ssl/tls support.

Once an attacker from the same ip address enters 4 or 5 bad passwords, it's
locked out. For how long is adjustable.

http://www.aczoom.com/blockhosts/

http://www.sshguard.net

But here is the rundown: blockhosts is probably obsolete unless you use
it with iptables. It used to be dumb simple to install using the hosts.deny
and hosts.allow files, but with the recent changes to ssh/ssl, they don't support
the tcpwrappers anymore, so it's iptables or nothing.

The sshguard works well as a replacement but is difficult to get going.
Unlike blockhosts, adding in or modifying the rules (how it parses the log
files) isn't there. For solaris I ended up using a combination of the native
syslog and syslog-ng.

Both will require an understanding of parsing log files and how to set up and
make rules for the firewall. It's a steep, complicated hill to climb.

But when you get them to fire up, they pretty much are maintenance free.
They clean up themselves over time (take out dead or expired entries). Only
reason to poke a stick at them is if an idiot user sets up a new device and
"thinks" they know what the password is. You have to figure it out and put
in an exception but it's no big deal.

The blockhosts pretty much works on anything that has python on it; the
sshguard will need to be compiled on the box it's going to work on. If you don't
know how to compile software, add that to the list of stuff to learn.

Good luck.

-bruce
bje@ripco.com
Bruce
10/7/2016 9:40:56 PM
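The lockout rule both replies describe (Fail2ban in Ivan's, blockhosts/sshguard in Bruce's: a few failed logins from one source within a window, then the source is blocked for a while) can be written down in a few lines. The following is an added example for this thread, not code from Fail2ban, sshguard or blockhosts; the log lines are constructed to resemble what postfix/smtpd (SASL) and courier-imap write on a failed login, and the thresholds mirror Hans-Georg's "three unsuccessful attempts".

```python
import re
from collections import defaultdict, deque

# Failed-login messages from the two daemons named in the thread. Formats follow
# postfix/smtpd SASL warnings and courier-imap "LOGIN FAILED" lines; the sample
# log below is constructed for this example, not taken from a real server.
FAIL_PATTERNS = [
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed"),
    re.compile(r"imapd(?:-ssl)?: LOGIN FAILED, user=\S+, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"),
]

def failed_login_ip(line):
    """Return the source IP of a failed-login log line, or None for anything else."""
    for pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None

def find_bans(lines, maxretry=3, findtime=600, bantime=3600):
    """Fail2ban-style rule: maxretry failures from one IP within findtime seconds
    -> ban that IP for bantime seconds. Input is (epoch_seconds, line) pairs in
    time order; returns {ip: ban_expiry_epoch}. A real deployment would turn each
    ban into a firewall rule (iptables/nftables) and drop it again at expiry."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still in the window
    bans = {}
    for ts, line in lines:
        ip = failed_login_ip(line)
        if ip is None:
            continue
        if ip in bans and ts < bans[ip]:
            continue                  # still banned; the firewall would have dropped it
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()               # forget failures older than the window
        if len(q) >= maxretry:
            bans[ip] = ts + bantime
            q.clear()
    return bans

# Constructed sample log: one host hammering two accounts, one user who
# mistypes a password twice, fifteen minutes apart (should not be banned).
SAMPLE_LOG = [
    (1000, "Oct  7 10:50:01 mx postfix/smtpd[2311]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure"),
    (1020, "Oct  7 10:50:21 mx imapd-ssl: LOGIN FAILED, user=hans, ip=[::ffff:203.0.113.5]"),
    (1040, "Oct  7 10:50:41 mx imapd-ssl: LOGIN, user=hans, ip=[::ffff:198.51.100.7], port=[51234]"),
    (1060, "Oct  7 10:51:01 mx imapd-ssl: LOGIN FAILED, user=info, ip=[::ffff:203.0.113.5]"),
    (1080, "Oct  7 10:51:21 mx imapd-ssl: LOGIN FAILED, user=hans, ip=[::ffff:198.51.100.7]"),
    (2000, "Oct  7 11:06:41 mx imapd-ssl: LOGIN FAILED, user=hans, ip=[::ffff:198.51.100.7]"),
]

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))      # {'203.0.113.5': 4660}
```

Running it bans only 203.0.113.5 (three failures inside ten minutes) while the user at 198.51.100.7 is left alone because the window had expired before the second failure; this is the exception case Bruce mentions, where a stricter window would have locked out a legitimate user.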
Thanks for the hints! I have once tried to understand iptables
and have more or less failed.

It seems I can only do my best to make my users choose good
passwords and hope that my server keeps efficiently deflecting
the attacks.

Hans-Georg
Hans
10/10/2016 4:32:57 PM