Kerio Connect forum: Someone is loading my server with login attempts

rshrieve
At the moment, I have two IP addresses (86.105.41.131 and 69.38.3.78) attempting logins to my POP3 server.

They start with common usernames such as "administrator<.a.t.>domain.com", then work their way through the alphabet with usernames. This has been going on with these two guys since yesterday. So far, they have been unsuccessful and the Kerio mail server is rejecting all the attempts and recording them in the security log.

My question is this: is there any way to stop all this unnecessary traffic from even coming to my server?

Thanks for any insight.
Rich
sedell
You could block those two IPs at the firewall. That'll ensure they don't even get as far as the KMS server to try a login.

Scott
pstavros
Create a black list of IPs. That 86 block of IPs is owned by RIPE Network out of the Netherlands (Amsterdam). What are the 2 things Amsterdam is famous for? Porn & drugs. RIPE networks controls 80.0.0.0 - 89.0.0.0, most of which is SPAM from what I've seen hit my servers. So I blacklisted every single class C out of RIPE Networks. Don't need what they're selling anyway, it's all crap!

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 86.0.0.0 - 86.255.255.255
CIDR: 86.0.0.0/8
NetName: 86-RIPE
NetHandle: NET-86-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06

sedell
A blacklist isn't effective against POP3. It won't help against authenticated SMTP either, should they succeed in figuring out a valid username/password combo by attacking the POP3 server component.

Scott
rshrieve
sedell wrote on Tue, 27 February 2007 12:01

You could block those two IPs at the firewall. That'll insure they don't even get as far as the KMS server to try a login.


Would you please explain how to do this. I assume you mean block the two addresses outside the KMS application. Thx

rshrieve
sedell wrote on Tue, 27 February 2007 12:17

A blacklist isn't effective against POP3. It won't help against authenticated SMTP either, should they succeed in figuring out a valid username/password combo by attacking the POP3 server component.

So are you saying that there is basically no way to keep this traffic from my server?

tpalmer
Item #1) RIPE isn't a "network", it's the European equivalent of ARIN - they allocate address blocks to organizations. Attempting to block RIPE addresses is just silly.

http://www.ripe.net/info/ncc/index.html

2) Unfortunately, there isn't a whole lot you can do. If you have access to your firewall, you could block traffic from the specific addresses these are coming from, but typically the Bad Guys will just move to other addresses, so it becomes Whack A Mole. If you don't have access to your firewall, you might be able to keep these addresses from hitting Kerio by using whatever firewalling is available on the server Kerio is running on (most OSes have some built-in firewalling these days), but it's the same Whack A Mole problem. Finally, if you can't firewall, you can null route them, with the same problem.

The details of how to configure firewalls to drop traffic are way out of scope for this group - too many possibilities, for one thing. Well-tuned Google searches would be where to start.

In the end, all you can really do is keep your machines patched and keep an eye on the logs.

[Updated on: Wed, 28 February 2007 00:31]

Karin

Actually, one can log the IP, as well as automatically blacklist their IP if they reach so many attempts per (?) seconds. I do this successfully via my firewall.

Each day I take the IPs logged as blacklisted and place them into my permanent blacklist.

I just wish these people would get a life.

Blocking other countries is a very extreme approach. But it definitely saves on bandwidth and resources. I just wish Kerio would allow more aggressive IP blocking per domain.

campodoro74

Quote:

Actually, one can log the IP, as well as automatically blacklist their IP if they reach so many attempts per (?) seconds. I do this successfully via my firewall.

Each day I take the IPs logged as blacklisted and place them into my permanent blacklist.

That's indeed true, but this is not an SMTP problem but a POP3 attack: the question is how to block IPs that are trying to attack the POP3 side of KMS. tpalmer is right, it's not easy to block this. Just be sure you've chosen good passwords!
freakinvibe

I have experienced this as well. Blocking IP addresses is useless in the end because botnets are used with thousands of different IP addresses.

I used to have an info<.a.t.>domain.com address and forgot to put a password. So after finding out via POP3 that the password was empty, they used SMTP authentication to send tons of their spam mails. Fortunately I spotted this very quickly, stopped KMS, cleaned the queue, set a strong password for the info account and restarted KMS. Never had a problem since.

You have the POP3 traffic of the password attempts, but that is not very high, only a few bytes per attempt. Normally they give up after minutes.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Karin

Generally customers and/or users will check their mail every 5 minutes. 60/5 = 12.
To be generous we'll say 35.
35 attempts, you're blocked.
Get the CIDR range the IP belongs to and block the whole range. Generally these attacks come from servers which would never be using 110, 995, 465 and so on. Unless of course you offer mail services to Dedicated Server customers outside of your network.

Another trick I use is to use an IP which should only be used for anything else but mail related functions. Any IP which tries to SMTP, POP.... to the non-mail IP is blocked, along with the whole range it belongs to.
willowsv

We had a similar problem with FTP under IIS where we would get a flood of attempts filling up the event log.

This is an easy security feature that Kerio could implement where if an incorrect username and password is entered "x" times from the same IP address it blocks that IP for 15-30 minutes or introduces a delay in the handshake by about 30 seconds. Normally the bot will give up; they don't like waiting long unless it's a genuine hack attempt (which it sounds like).

Kerio already has an account lockout feature in place *however* I believe it only works on the same account, so it doesn't kick in unless they try the same username more than "x" times, which most don't. It sounds like your attacker is trying random usernames. A simple change to this might deter a lot of wannabe attackers.

rshrieve

willowsv wrote on Wed, 28 February 2007 08:22

This is an easy security feature that Kerio could implement where if an incorrect username and password is entered "x" times from the same IP address it blocks that IP for 15-30 minutes or introduces a delay in the handshake by about 30 seconds. Normally the bot will give up; they don't like waiting long unless it's a genuine hack attempt (which it sounds like).

That would be a very helpful feature. It would deter the attempted hacking I was experiencing.
ahoutzer

I discovered the same thing going on this morning -- the same pattern of login attempts -- only the attack came from IP 70.235.73.6 . That is in a range owned by sbcglobal.net , so I cannot block out a range of IPs because there are many possible legitimate mail users in it. I did block the single IP address at my firewall, outside of the Kerio MailServer application.

The fact that two of us with Kerio MailServer are experiencing the same kind of attack at the same time is a strong coincidence. I suggest that everyone reading this message check their warning log for messages such as the following:

[01/Mar/2007 11:07:25] POP3: User felix<.a.t.>mycompany.com doesn't exist. Attempt from IP address 70.235.73.6

where the user name tries about twenty times and then alphabetically advances to another name. Could it be that Kerio MailServer installations are being targeted?
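An added detection example, not code from the thread or from Kerio: it parses warning-log lines of the exact form quoted above (assuming the anti-scraping "<.a.t.>" is a literal "@" in the real log) and flags any source IP that reaches Karin's 35-failures threshold inside a five-minute window (the window length is an assumption), also counting how many distinct usernames that IP tried, which is the alphabet-walking pattern both posters describe.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerio MailServer warning-log line as quoted in the thread, with the
# anti-scraping "<.a.t.>" written out as "@" (assumption).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] POP3: User (?P<user>\S+) doesn't exist\. "
    r"Attempt from IP address (?P<ip>[\d.]+)$"
)
TS_FMT = "%d/%b/%Y %H:%M:%S"

def parse_line(line):
    """Return (timestamp, user, ip) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("user"), m.group("ip")

def find_enumerators(lines, threshold=35, window=timedelta(minutes=5)):
    """Flag IPs with at least `threshold` failed POP3 logins inside any
    `window`; returns {ip: (hits_in_worst_window, distinct_usernames)}."""
    events = defaultdict(list)   # ip -> timestamps of failed logins
    users = defaultdict(set)     # ip -> usernames tried
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        events[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, worst = 0, 0
        for end, ts in enumerate(stamps):     # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = (worst, len(users[ip]))
    return flagged

# Constructed sample: 40 attempts in under four minutes from one address,
# walking the alphabet, plus one typo from a legitimate client.
SAMPLE = [
    "[01/Mar/2007 11:%02d:%02d] POP3: User %s@mycompany.com doesn't exist. "
    "Attempt from IP address 70.235.73.6" % (7 + i // 10, (i * 6) % 60, chr(97 + i % 26) + "user")
    for i in range(40)
] + ["[01/Mar/2007 11:09:00] POP3: User felxi@mycompany.com doesn't exist. Attempt from IP address 192.0.2.10"]
```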
rshrieve

ahoutzer wrote on Thu, 01 March 2007 18:20

Could it be that Kerio MailServer installations are being targeted?

I wouldn't understand why KMS installations would be targeted. These bots must cruise the net looking for mail servers to relay spam through. When they find a server, they search for access by trying out a long list of possible user IDs, eventually giving up or succeeding.

One feature Kerio could add would be one suggested in this thread -- namely to limit failed login attempts from the same IP address to X number and then block that IP for 15-30 minutes or introduce a delay in the handshake by 30 seconds.

Rich