Blacklisting Options (Kerio User Forums » Kerio Connect)

willowsv
Messages: 119
Karma: 0
Is Kerio ever going to put dictionary attack protection into our mail server?

We suffered a 972-attempt attack yesterday, and really, if someone makes that many attempts on a POP server they should rightly be blacklisted.

What was concerning is the one address they tried that was a valid user; they then tried it singly for about another 8 attempts.

Does the server give a different response for an invalid mailbox versus an invalid username/password combination?

[Updated on: Fri, 05 December 2008 10:08]

My IT Indy
Messages: 1262
Karma: 40
You might consider looking into a firewall that can handle this instead of seeing if Kerio could.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
freakinvibe
Messages: 1529
Karma: 60
Yes, the POP3 protocol gives a different answer if the user exists:

[05/Dec/2008 02:11:46] POP3: User xxx doesn't exist

If the user exists and the password is wrong:

[05/Dec/2008 01:47:07] POP3: Invalid password for user xxx.

If the user exists but is disabled:

[05/Dec/2008 01:47:32] POP3: Attempt to login to disabled account xxx.

We have lots of these every day. If you have strong passwords, nothing to worry about. If it is always the same IP address you can block it for POP3 in KMS.

If you want automatic blocking, you need a firewall that can handle this. Kerio can't.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Pavel Dobry (Kerio)
Messages: 5245
Karma: 251
No, the POP3 protocol gives only one answer, "-ERR Authentication failed", for all these authentication problems. So it is not possible to recognize whether the user does not exist or the password is incorrect.

The messages above are debug messages for the administrator.
willowsv
Messages: 119
Karma: 0
Ah, OK. I was curious why they tried a brute force attack using 8 different users, including "superman@domain.com", and then singled out a (valid) mailbox at the end.
ikheetleon
Messages: 67
Karma: -1
If you are using Kerio on Linux, you might consider DenyHosts. Works like a charm, puts in some simple iptables rules in case of port-hammering.
freakinvibe
Messages: 1529
Karma: 60
Quote:

No, protocol POP3 gives only one answer "-ERR Authentication failed" for all these authentication problems.

Pdobry is correct. The POP3 service always gives back the same error message; just the entries in the logs are different.

It is still strange that the attacking bots would try to log in with hundreds of different user names (trying each name exactly once) and only for the existing ones will they try multiple passwords. I can see this behaviour in my logs:

[05/Dec/2008 18:22:04] POP3: User virginia@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User informix@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User katie@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User israel@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User max@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User demo@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User linda@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User account@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:04] POP3: User claire@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User mark@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User jason@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User kevin@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User billy@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User tst@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User backup@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User oracle@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:05] POP3: User server@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: User alex@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: User richard@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: User cindy@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@mydomain.org. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User lizdy@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User testing@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User root@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User oracle8@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User john@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User mike@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User ftp@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24
[05/Dec/2008 18:22:07] POP3: User bob@mydomain.org doesn't exist. Attempt from IP address 81.82.227.24

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
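Since Kerio itself does not block attackers (as several replies say, that job falls to a firewall or a tool like DenyHosts), the practical defender's step is to mine the POP3 log for the pattern shown above: one attempt per non-existent name, then repeated password guesses against the names that turned out to be real. The script below is an added example, not code from Kerio or from any poster in this thread. It parses the three log message formats quoted earlier (unknown user, invalid password, disabled account), aggregates failures per source IP, flags sources that look like a dictionary attack, and renders (but does not execute) iptables rules for port 110. The log sample is constructed for the example, with RFC 5737 documentation addresses and made-up mailbox names; the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Kerio Connect POP3 log format quoted in this thread.
# Source addresses come from RFC 5737 documentation ranges; names are made up.
SAMPLE_LOG = """\
[05/Dec/2008 18:22:04] POP3: User virginia@example.org doesn't exist. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:04] POP3: User informix@example.org doesn't exist. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:04] POP3: User katie@example.org doesn't exist. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:05] POP3: User oracle@example.org doesn't exist. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@example.org. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@example.org. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:06] POP3: Invalid password for user admin@example.org. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:07] POP3: User root@example.org doesn't exist. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:22:07] POP3: Attempt to login to disabled account old.staff@example.org. Attempt from IP address 203.0.113.5
[05/Dec/2008 18:30:12] POP3: Invalid password for user claire@example.org. Attempt from IP address 198.51.100.7
[05/Dec/2008 18:30:40] POP3: User xxx doesn't exist
"""

# "[timestamp] POP3: <message>" with an optional "Attempt from IP address X" suffix
# (the older lines quoted in the thread carry no source address).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] POP3: (?P<msg>.+?)"
    r"(?: Attempt from IP address (?P<ip>\S+))?$"
)

# The three authentication-failure messages quoted in the thread.
PATTERNS = [
    ("unknown_user", re.compile(r"^User (?P<user>\S+) doesn't exist$")),
    ("bad_password", re.compile(r"^Invalid password for user (?P<user>\S+)$")),
    ("disabled",     re.compile(r"^Attempt to login to disabled account (?P<user>\S+)$")),
]


def parse_line(line):
    """Return {ts, ip, kind, user} for an authentication-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg").rstrip(".")  # messages end with a period; drop it before matching
    for kind, pat in PATTERNS:
        um = pat.match(msg)
        if um:
            return {"ts": m.group("ts"), "ip": m.group("ip"),
                    "kind": kind, "user": um.group("user")}
    return None  # successful logins and other POP3 lines are not failures


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events):
    """Per source IP: total failures, distinct unknown names, password guesses per real user."""
    per_ip = defaultdict(lambda: {"total": 0, "unknown_users": set(),
                                  "bad_password": Counter(), "disabled": set()})
    for ev in events:
        if ev["ip"] is None:  # no source address logged: nothing to block
            continue
        s = per_ip[ev["ip"]]
        s["total"] += 1
        if ev["kind"] == "unknown_user":
            s["unknown_users"].add(ev["user"])
        elif ev["kind"] == "bad_password":
            s["bad_password"][ev["user"]] += 1
        else:
            s["disabled"].add(ev["user"])
    return per_ip


def block_candidates(per_ip, max_failures=10, max_unknown_users=5, max_per_user=5):
    """IPs whose failure pattern looks like a dictionary attack, with the rule(s) that fired.

    Thresholds are assumed defaults for the example; tune them to your own traffic so that a
    user who mistypes a password a few times is never caught.
    """
    out = []
    for ip, s in sorted(per_ip.items()):
        reasons = []
        if s["total"] >= max_failures:
            reasons.append(f"{s['total']} failures")
        if len(s["unknown_users"]) >= max_unknown_users:
            reasons.append(f"{len(s['unknown_users'])} distinct unknown names (enumeration)")
        hammered = [u for u, n in s["bad_password"].items() if n >= max_per_user]
        if hammered:
            reasons.append("password guessing against " + ", ".join(sorted(hammered)))
        if reasons:
            out.append((ip, reasons))
    return out


def iptables_rules(candidates, port=110):
    """Render (not execute) iptables DROP rules for the POP3 port, one per flagged source."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip, _ in candidates]


if __name__ == "__main__":
    cands = block_candidates(summarize(parse_log(SAMPLE_LOG)))
    for ip, reasons in cands:
        print(ip, "->", "; ".join(reasons))
    print("\n".join(iptables_rules(cands)))
```

Run against the sample, only 203.0.113.5 is flagged, and the rule that fires is the enumeration one (five distinct non-existent names), exactly the signature freakinvibe describes; the single bad password from 198.51.100.7 stays below every threshold. On a real server you would feed it the actual mail log and hand the rendered rules to the firewall (or let DenyHosts-style tooling do the blocking), and expire the blocks after a while so a dynamic address does not stay banned forever.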
pantera10
Messages: 56
Karma: 0
Hi,
I'm also getting those types of "attacks" several times. How can I block an IP from trying to connect to a POP3 account?
I think it's not possible because the built-in filter goes the other way: refuse all except an IP address group, whereas what I want is to accept all except an IP address group.

Regards,

Aurélien.

Kerio Connect 7.0.1 on Open Suse 11.1 64 bits
Outlook 2007 with KOFF. 100 users
yukiomishima
Messages: 185
Karma: -2
happening to us as well

hundreds/thousands of attacks a day

gotta be something that can be done

slowing the mail server down to a crawl

we are running on OSX

any solutions?

any help greatly appreciated

thanks in advance

yukioMishima
freakinvibe
Messages: 1529
Karma: 60
The blocking of port 110 for certain IP addresses should be handled by a firewall. KMS is not a firewall.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch