SMTP brute force attacks (Missing Kerio feature against brute force attacks)

marco.w
Hi all!

within the past months my Kerio Connect server is constantly being flooded with SMTP login attempts.

Example:
[07/Feb/2013 11:30:23] Failed SMTP login from 64.15.133.57
[07/Feb/2013 11:30:23] SMTP server connection from 64.15.133.57 closed after 1 bad commands
[07/Feb/2013 11:30:23] Failed SMTP login from 88.26.196.125
[07/Feb/2013 11:30:23] SMTP server connection from 88.26.196.125 closed after 1 bad commands
[07/Feb/2013 11:30:41] Failed SMTP login from 96.226.245.88
[07/Feb/2013 11:30:41] SMTP server connection from 96.226.245.88 closed after 1 bad commands
[07/Feb/2013 11:30:59] Failed SMTP login from 88.26.196.125
[07/Feb/2013 11:30:59] SMTP server connection from 88.26.196.125 closed after 1 bad commands

As far as I know there is no feature in Kerio Connect to prevent this. Are there any plans to create something like dynamic address groups to block IP source addresses after 3 failed login attempts?

Thanks,
Marco
fishtech
Have you tried SMTP delay within Spam Repellent?

http://manuals.kerio.com/kms/en/sect-spamrepellent.html

Cheers,

ft.
marco.w
Yes, I have it enabled (30 sec), but this only delays brute force attacks. To prevent them I'd like those IP addresses blocked at the IP or at least the TCP layer.
This would be really easy - "n" unsuccessful login attempts puts their IP address into a "dynamic" address group that is not allowed to establish a connection to any Kerio Connect Service.
Pavel Dobry (Kerio)
Look at the Security policy tab in Advanced options - Password guessing. It is probably the feature you are looking for.

[Updated on: Thu, 07 February 2013 17:02]

marco.w
Hi Pavel,

I have the password guessing option enabled but it seems that it does not apply to SMTP logins. Could it be that this setting only affects Web/IMAP/etc. login requests?

Thanks,
Marco
freakinvibe
The password guessing protection only kicks in after 10 attempts from the same IP address. In my log I see for example:

Quote:
[07/Feb/2013 09:08:40] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:40] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:40] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:40] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: User adam<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: User shop<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: User shop<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: User shop<_at_>example.com doesn't exist. Attempt from IP address 83.136.86.135.
[07/Feb/2013 09:08:41] SMTP: AntiHammering - IP address 83.136.86.135 will be blocked for 5 minutes, too many failed logins from this IP address.
[07/Feb/2013 09:08:41] SMTP: AntiHammering: connection from IP address 83.136.86.135 is blocked
[07/Feb/2013 09:08:41] SMTP: AntiHammering: connection from IP address 83.136.86.135 is blocked
[07/Feb/2013 09:08:41] SMTP: AntiHammering: connection from IP address 83.136.86.135 is blocked
[07/Feb/2013 09:08:42] SMTP: AntiHammering: connection from IP address 83.136.86.135 is blocked
[07/Feb/2013 09:08:42] SMTP: AntiHammering: connection from IP address 83.136.86.135 is blocked

[Updated on: Tue, 12 February 2013 13:07]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
marco.w
freakinvibe wrote on Tue, 12 February 2013 13:03
The password guessing protection only kicks in after 10 attempts from the same IP address. In my log I see for example:

Quote:
[log excerpt as quoted in the post above]

well...
...take a look at my log - it's like that every day - most of the time it's not just one IP trying to log in (and it goes on for hours)

.
.
.
[11/Feb/2013 11:59:56] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:00:33] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:00:33] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:01:10] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:01:10] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:01:48] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:01:48] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:02:25] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:02:25] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:03:02] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:03:02] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:03:40] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:03:40] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:04:17] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:04:17] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:04:54] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:04:54] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:05:32] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:05:32] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:06:09] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:06:09] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:06:47] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:06:47] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:07:24] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:07:24] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:08:01] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:08:01] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:08:39] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:08:39] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:09:17] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:09:17] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:09:54] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:09:54] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:10:31] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:10:31] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:11:08] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:11:08] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:11:46] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:11:46] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:12:23] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:12:23] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:13:00] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:13:00] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:13:38] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:13:38] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:14:15] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:14:15] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:14:53] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:14:53] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:15:30] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:15:30] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:16:07] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:16:07] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:16:45] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:16:45] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:17:22] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:17:22] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:17:59] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:17:59] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:18:36] Failed SMTP login from 112.216.90.58
[11/Feb/2013 12:18:36] SMTP server connection from 112.216.90.58 closed after 1 bad commands
[11/Feb/2013 12:19:14] Failed SMTP login from 112.216.90.58
.
.
.
freakinvibe
I normally get

Quote:
[27/Jan/2013 04:20:58] SMTP: User sales<_at_>example.com doesn't exist. Attempt from IP address 80.198.90.172.
[27/Jan/2013 04:21:04] Failed SMTP login from 80.198.90.172


or

Quote:
[27/Jan/2013 04:23:15] SMTP: Invalid password for user admin<_at_>example.com. Attempt from IP address 80.198.90.172.
[27/Jan/2013 04:23:21] Failed SMTP login from 80.198.90.172


I don't get the "bad command" but I get the user name it tries to log in with. So I guess in your case, the attacker doesn't even get to the stage where it can input the user name and password, but fails before that (due to a wrong command sequence). So the attacker can't even guess the password, because it never gets to the password entry stage; it fails before. As a consequence, this is not detected as a password guessing attack, which is fine.

So I am pretty sure you don't have to worry about that. Anyhow, if you want to analyze further, I would enable "SMTP Server" in the debug log to see the exact sequence of the commands of the attacker. You can post it here.
trifygri
Pavel,
having set

Block IP addresses suspicious of password guessing attacks

and
Block user accounts probably targeted by password guessing

as suggested in

kb.kerio.com/product/kerio-connect/security-kerio-connect/securing-kerio-connect-1239.html

as well as setting the
Spam Repellent setting

does not help in fighting attacks from one IP that is trying to log in/guess usernames with changing users/passwords.
There are no 10 tries per minute due to the Repellent setting.
I've seen attacks for hours from the same IP, let alone from different IPs.

I wish to have an adjustable setting:

Block IP for (x) minutes if (y) failed attempts in (z) minutes.

Lisa Lyons (Kerio)
Hi Trifygri,

You could actually block the IP on your firewall for SMTP traffic, since it seems to be the same IP consistently... This way, the mailserver doesn't have to process the incorrect attempts every time, and it may also help release some of the burden from the mailserver.

Kerio Technical Support
Log Support Incidents here: http://www.kerio.com/support
Also, please use our KB: http://kb.kerio.com
trifygri
Hi Lisa,

thank you for trying to help. What I wanted to say is that the two defense features (smart repellent and block account) activated at the same time do not really help but result in the opposite of the intended. The repellent slows access so that the 10 login attempts per minute for the blocking feature never happens. That's why I want the blocking to be more configurable.

I think this would be an important security enhancement to the product.
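A sliding-window blocker of the "block IP for x minutes after y failed attempts in z minutes" kind that trifygri asks for, written here as an added example (not Kerio's code) over constructed log lines in the two formats quoted in this thread. It shows why a 10-per-minute threshold never fires against an attacker paced by a 30-second SMTP delay (one attempt every ~37 s, as in Marco's log), while a 10-in-10-minutes window catches it. The IP addresses and the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two shapes of failed-login line from the Kerio Connect security log quoted in this thread.
FAILED = re.compile(r"^\[(?P<ts>[^\]]+)\] Failed SMTP login from (?P<ip>[\d.]+)")
NAMED = re.compile(r"^\[(?P<ts>[^\]]+)\] SMTP: (?:User \S+ doesn't exist|Invalid password for user \S+)\."
                   r" Attempt from IP address (?P<ip>[\d.]+)\.")
TS_FMT = "%d/%b/%Y %H:%M:%S"

def parse_failure(line):
    """Return (timestamp, ip) for a failed-login line, None for any other line."""
    for rx in (FAILED, NAMED):
        m = rx.match(line)
        if m:
            return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")
    return None

def find_blocks(lines, threshold, window_min, block_min):
    """Block an IP for block_min minutes once it reaches threshold failures inside
    any window_min-minute window. Returns {ip: [(block_start, block_end), ...]}."""
    recent, blocked_until, blocks = defaultdict(deque), {}, defaultdict(list)
    window = timedelta(minutes=window_min)
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ts < blocked_until.get(ip, ts):
            continue  # still inside an active block: nothing new to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked_until[ip] = ts + timedelta(minutes=block_min)
            blocks[ip].append((ts, blocked_until[ip]))
            q.clear()
    return dict(blocks)

def sample_log():
    """Constructed log: one IP failing every 37 s (the cadence a 30 s SMTP delay
    produces) for ~18 minutes, plus a second IP firing 10 bad logins in one second."""
    lines, base = [], datetime(2013, 2, 11, 12, 0, 33)
    for i in range(30):
        t = (base + timedelta(seconds=37 * i)).strftime(TS_FMT)
        lines.append(f"[{t}] Failed SMTP login from 192.0.2.10")
        lines.append(f"[{t}] SMTP server connection from 192.0.2.10 closed after 1 bad commands")
    t = datetime(2013, 2, 11, 12, 5, 0).strftime(TS_FMT)
    lines += [f"[{t}] SMTP: User adam@example.com doesn't exist. Attempt from IP address 198.51.100.7."] * 10
    return lines
```

With `find_blocks(sample_log(), 10, 1, 5)` only the bursting IP is blocked; with a 10-minute window the slow 37-second attacker is blocked too (twice over the 18 minutes), which is the configurable behaviour the post asks for.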