
Kerio User Forums » Kerio Connect » Stop POP3 Attacks ? (How to Deal with new multi-address POP login attempts ?)
BugMan1

Messages: 3
Karma: 0
Latest KC & Ubuntu 14.04 server:

I've been getting a new breed of POP3(s) attackers lately which use bots that employ a different IP address for every attempt. Some of them have one or more of our valid user names. While inserting a login delay kind of thwarts them, eventually they may guess one of those users passwords.

Is there any way to detect/stop logins from any one or all users after x-number of attempts within y-number of minutes, especially if they don't originate from my local network ? There are controls similar to this for SMTP, but SMTP spam isn't the only problem these days. Last week I had to take the server offline for half an hour so the bot would see dead air and give up.

I set up iptables to limit POP3(s) logins - from the SAME address - and that works OK, but iptables just isn't bright enough to deal with multi-address attacks.

Hmmm ... you know the KC code modules for anti-spam - domains, addresses, blacklists, etc - maybe the Kerio folks could just duplicate them ... but change the monitored ports to POP3/POP3s/IMAP ? That ought to give a LOT more control with just a small amount of programming effort. Just sayin' ...

Any ideas/solutions/3rd-party software ?

- jim
ksnyder

Messages: 557
Karma: 36
Hi Jim - Is there a specific reason that you're running the POP3 services to begin with? If there's no real reason to run it, you can simply disable the service from starting/running: http://kb.kerio.com/1153

On the Security-->Security Policy tab, you can enable password guessing protection. The default block time is 5 minutes.

Whether you keep POP3 services running or not, you can use IP Address Groups and User Access Policies together (and apply them to your user profiles) in order to add access restrictions.

Ken Snyder
BugMan1

Messages: 3
Karma: 0
Well, POP3(s) is ubiquitous ... works on every kind of software, every kind of system ... and our users like to download their mail direct into various phones, Macs, PCs, Linux etc. from both the office and from wherever. Some of the guys just won't use the web interface, esp on their phones, so, well, I get paid to make it work the way they want it to work. Besides, the little hackbots can play the same games with IMAP or any other way of getting mail off a server.

The "login guessing" security options you mentioned have a couple of flaws.

First, the "Block User Accounts Probably Targeted By Password Guessing" option will just totally block an account suspected of being under attack and, apparently, LEAVE it blocked until somebody - meaning me - manually unlocks it. I don't need the boss and a dozen others freaking out several times a day complaining that they can't get their mail from wherever. Some sort of "Lock Account for X Minutes" option would be nice. Even a 60 second blackout would discourage many bots. If they think nobody's home they quickly move to a new victim.

The second flaw is that the "Block IP Addresses Suspicious Of Password Guessing" is looking for repeated login tries from *one* IP address. While that still happens (and my iptables tweak catches such floods at the firewall) these newest attacks come in from dozens of random addresses (sent thru the Tor network maybe ?). I *do* have this option turned on ... but it didn't work very well, leading me to write those iptables rules.

So, while KC is very good, it doesn't seem to offer enough refinement for THIS sort of attack.

I'll have to check out some 3rd-party software like "fail2ban" or "denyhosts" to see if they offer enough IQ for this particular problem (I doubt it). If this keeps up I may have to try to write my own post-firewall program ... but sniffing packets is a pain, and I ain't as young as I used to be, dontchaknow :)

Just as with viruses, this is a never-ending game of one-upsmanship. Fix one sneaky attack method and soon they'll find a new one.

-jim
Brian Carmichael (Kerio)

Messages: 618
Karma: 61
Regarding the account lockout option, as noted in the UI, the account will be unlocked after 5 minutes. If you have found this to not be the case, perhaps it is because the attacker again blocks the account a few seconds after it was unblocked. If in fact you are under some type of distributed brute force attack, it will be difficult to effectively block this behavior while still being able to identify the legitimate user from a dynamic IP address. Have you considered running the POP3 service on a different port?

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
BugMan1

Messages: 3
Karma: 0
Brian Carmichael (Kerio) wrote on Tue, 14 July 2015 16:32
Regarding the account lockout option, as noted in the UI, the account will be unlocked after 5 minutes. If you have found this to not be the case, perhaps it is because the attacker again blocks the account a few seconds after it was unblocked. If in fact you are under some type of distributed brute force attack, it will be difficult to effectively block this behavior while still being able to identify the legitimate user from a dynamic IP address. Have you considered running the POP3 service on a different port?
Hmm ... running it on another port IS a possibility. I do that for my SSH access and change it on occasion. This would be OK assuming the phones/tablets/pcs/etc my people are using outside the office can be made to understand that a secure connection is to be made on the new port number.

A few use Thunderbird, a few others use iPhones & Android and I think there's one Winders based tablet. They all want that "You've got mail !" experience rather than having to manually bring up the web interface. I'll have to experiment. Gotta keep all the people happy all the time ya know !

If the auto-lockout is only 5 minutes that might be acceptable - so far, most of these attacks happen in the 2-6 AM local timeframe so my users would never know their accounts were blocked. I don't see anything in the admin UI that *says* it's only for 5 minutes however or how many "suspicious incidents" constitute cause to block the user ... maybe it's buried in the config file ?

It's beginning to look like I really will have to write a program dedicated to detecting/stopping this sort of attack - when I can find the time. Looks as if the multi-IP attack is catching on, so a lot of the olde-tyme solutions aren't going to be up to the job.

Thanks,

-jim
Radek Sip (Kerio)

Messages: 1318
Karma: 48
FYI, in the mailserver.cfg (while Kerio Connect is stopped!) you can tune the values in the AntiHammering table, e.g. lower FailedLogins to 2-3 logins and block for less than 5 minutes.

<table name="AntiHammering">
<variable name="Pop3Enabled">1</variable>
<variable name="ImapEnabled">1</variable>
<variable name="HttpEnabled">1</variable>
<variable name="SmtpEnabled">1</variable>
<variable name="LdapEnabled">1</variable>
<variable name="NntpEnabled">1</variable>
<variable name="XmppEnabled">1</variable>
<variable name="FailedLogins">10</variable>
<variable name="CheckTime">60</variable>
<variable name="BlockTime">300</variable>
<variable name="SafeAcl">Local Clients</variable>
</table>

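As an added illustration (not code from this thread or from Kerio), here is a small Python detector that applies the AntiHammering knobs above (FailedLogins within CheckTime, block for BlockTime, SafeAcl exemption) per account across all source addresses as well as per IP, which is the per-user counter Jim asked for in his first post. The log line format, addresses and the "Local Clients" network are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Knobs named after the AntiHammering variables in mailserver.cfg (values are illustrative).
FAILED_LOGINS = 3    # FailedLogins: failures tolerated inside the window
CHECK_TIME = 60      # CheckTime: window length in seconds
BLOCK_TIME = 300     # BlockTime: how long a block lasts, in seconds
SAFE_ACL = [ipaddress.ip_network("192.168.1.0/24")]  # stand-in for the "Local Clients" group
# Constructed line format (hypothetical; not Kerio's real security-log format).
LINE_RE = re.compile(r"^(\S+ \S+) (?:POP3|IMAP) login failed user=(\S+) from=(\S+)$")
def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

class Detector:
    def __init__(self):
        self.fails = defaultdict(deque)  # ("user", name) / ("ip", addr) -> failure timestamps
        self.blocks = {}                  # same keys -> datetime at which the block expires

    def _count(self, key, ts):
        window = self.fails[key]
        window.append(ts)
        while window[0] < ts - timedelta(seconds=CHECK_TIME):
            window.popleft()                       # slide the CheckTime window forward
        if len(window) < FAILED_LOGINS:
            return False
        self.blocks[key] = ts + timedelta(seconds=BLOCK_TIME)
        window.clear()
        return True

    def feed(self, line):  # consume one failed-login line; return the keys it newly blocked
        m = LINE_RE.match(line.strip())
        if not m:
            return []
        ts, user, ip = _parse(m.group(1)), m.group(2), ipaddress.ip_address(m.group(3))
        if any(ip in net for net in SAFE_ACL):
            return []                              # SafeAcl: local clients are never counted
        # Per-user key counts across all source addresses: that is what per-IP-only blocking misses.
        return [k for k in (("user", user), ("ip", str(ip))) if self._count(k, ts)]

    def is_blocked(self, key, now):  # now is a timestamp string; the block lifts after BlockTime
        return key in self.blocks and _parse(now) < self.blocks[key]

# Constructed sample: one account probed from three addresses, one local client mistyping.
SAMPLE_LOG = """2015-07-14 03:12:07 POP3 login failed user=jim from=198.51.100.7
2015-07-14 03:12:09 POP3 login failed user=jim from=203.0.113.44
2015-07-14 03:12:12 IMAP login failed user=jim from=192.0.2.90
2015-07-14 03:12:15 POP3 login failed user=boss from=192.168.1.20
2015-07-14 03:12:16 POP3 login failed user=boss from=192.168.1.20
2015-07-14 03:12:17 POP3 login failed user=boss from=192.168.1.20"""
```

Feeding SAMPLE_LOG line by line blocks the "jim" account at 03:12:12 even though no single address failed more than once, and the block lifts by itself at 03:17:12.
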
Brian Carmichael (Kerio)

Messages: 618
Karma: 61
Regarding the default 5 minute timeout, there is a screenshot and a description in the Knowledge Base
http://kb.kerio.com/product/kerio-connect/server-configuration/security/password-policy-in-kerio-connect-1440.html#sect-loginguess

Brian Carmichael
Senior Technical Marketing Engineer | Kerio