Auto-Ban being challenged

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Auto-Ban being challenged

Post by tohare » 2016-09-30 12:44

The Dirty Buggers are getting way too smart. I have Auto-Ban set to 3 strikes and you are out for 1 hour. They have now focused attempted break-ins at staying below 3x in 1 hour so they are not auto-banned for 1 week. But I see the same IPs in the log as attempted break-ins. From countries I know we would never have a presence I block the IP range at the outside firewall level. But countries we may have a presence the attempted break-ins are getting too smart. I assume they have a long list and go through the IPs in a serial fashion which would explain the delay long enough to bypass auto-ban.

I would be interested in anyone seeing the same behavior and what you are doing about it. When I see it (manually searching logs for key words) I block them for a week in hopes the ISP will flag them or they move on to other IP ranges. This is time consuming and I want to automate it. Anyone with brilliant ideas that tested well?

BTW, I supposedly use the Spam-assassin country filter (and such) but these guys get around it somehow. It may be by using Proxy (I think so) in a number of cases or seemingly random attacks.
Thanks,
Thomas

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-09-30 13:32

My settings are 2, 1440, 10080

My clients are pre-configured and webmail (custom non-public SMTP port) is exempt from banning. So...
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-09-30 17:21

Soren,

I am all for non-public ports but then how do outside entities get email to you -- i.e. other ISPs?

I know port 25 is the main problem but we want to use that port to ensure we receive "all" email.
Thanks,
Thomas

fjansen04
Normal user
Posts: 31
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Auto-Ban being challenged

Post by fjansen04 » 2016-09-30 18:54

I see many attempted break-ins spread over 24 hours, so I adjusted my settings accordingly.
HMS 5.6.8 B2431 on Windows Server 2016 Essentials

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-09-30 18:59

tohare wrote:Soren,

I am all for non-public ports but then how do outside entities get email to you -- i.e: other ISP's???

I know port 25 is the main problem but we want to use that port to insure we receive "all" email.
Port 25 is open... With AUTH switched off, and Auto-Ban active on the other ports where AUTH is switched on ;-)

"DisableAUTHList=25" in the .ini file means you cannot log in. So, with AUTH required and LOGIN disabled - well... :mrgreen:

https://www.hmailserver.com/changelog?p ... build=2249
SørenR.


tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-09-30 19:21

Soren

Let me be sure I got this right. With AUTH off on port 25 (the nastiest one) the email is treated as from external domains. IOW, login is bypassed (not required).

OK, the only concern I have is we may have "devices" that send an email (logs, info, etc). These are usually from 3rd parties and we have no control -- IOW, they may be "hard wired" to use port 25 but be under a local domain. Can the devices still get in OK even with AUTH off and an internal domain user?
Thanks,
Thomas

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-09-30 19:36

tohare wrote:Soren

Let me be sure I got this right. With AUTH off on port 25 (the nastiest one) the email is treated as from external domains. IOW, login is bypassed (not required).

OK, the only concern I have is we may have "devices" that send an email (logs, info, etc). These are usually from 3rd parties and we have no control -- IOW, they may be "hard wired" to use port 25 but be under a local domain. Can the devices still get in OK even with AUTH off and an internal domain user?
Email is treated as normal on port 25, it's the AUTH command that is disabled. Pending the settings of the attached IP Range, in my case, only "External to Local" emails can get through, all other types of emails require Authentication... On any other port (587 or 465) AUTH is available but not on port 25 :mrgreen:

Code:

"SMTPD"	3248	10794	"2016-09-06 06:21:21.545"	"222.120.247.207"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3248	10794	"2016-09-06 06:21:21.545"	"222.120.247.207"	"SENT: 504 Authentication mechanism not supported."
SørenR.


^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Auto-Ban being challenged

Post by ^DooM^ » 2016-09-30 19:41

Smart way of doing it SorenR. This should be implemented everywhere imo. Would save a lot of issues.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: Auto-Ban being challenged

Post by tochi » 2016-09-30 19:44

tohare wrote:Soren

Let me be sure I got this right. With AUTH off on port 25 (the nastiest one) the email is treated as from external domains. IOW, login is bypassed (not required).

OK, the only concern I have is we may have "devices" that send an email (logs, info, etc). These are usually from 3rd parties and we have no control -- IOW, they may be "hard wired" to use port 25 but be under a local domain. Can the devices still get in OK even with AUTH off and an internal domain user?
Create IP Ranges for those devices and uncheck 'Require SMTP authentication'.

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-09-30 19:53

^DooM^ wrote:Smart way of doing it SorenR. This should be implemented everywhere imo. would save a lot of issues.
Bill introduced it in one of his old builds but it was not implemented in the official version until 5.6.3. I made my own version based on Bill's and later merged that with a backport of the 5.6.3 version into my 5.4.2. My version does not announce HELP as the last option and thus it's not identifiable by bots 8) - Yes, I sometimes wear a tinfoil hat. :mrgreen:
SørenR.


tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-10-01 04:58

Which section does this go into in the INI file?

DisableAUTHList=25
Thanks,
Thomas

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-10-01 06:57

tohare wrote:Which section does this go into in the INI file?

DisableAUTHList=25
[settings]
SørenR.


jimimaseye
Moderator
Posts: 7950
Joined: 2011-09-08 17:48

Re: Auto-Ban being challenged

Post by jimimaseye » 2016-10-01 09:04

^DooM^ wrote:This should be implemented everywhere imo. would save a lot of issues.
Not for me. I don't see the benefit but do see downsides. viewtopic.php?p=186699#p186699
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

fjansen04
Normal user
Posts: 31
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Auto-Ban being challenged

Post by fjansen04 » 2016-10-01 09:18

jimimaseye wrote:
^DooM^ wrote:This should be implemented everywhere imo. would save a lot of issues.
Not for me. I don't see the benefit but do see downsides. viewtopic.php?p=186699#p186699
Agree. I tried it before and my logs were never so big.
HMS 5.6.8 B2431 on Windows Server 2016 Essentials

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-10-01 09:31

BTW, are there any other entries for the [Settings] section? I tried to search on that and this board rejects "Settings" as too common.
Thanks,
Thomas

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-10-01 11:35

Still early but with AUTH OFF I would rather have large logs than have the possibility of some JA accidentally getting a PW right. If I find some real abuse I will put the IP in the outside firewall. But this should save me time from having to look deeply at logs to check security.

Port 25 is our real weak link but not missing a single email is more important.

We will leave AUTH "on" for all other ports. We use TLS and STARTTLS to help ensure security. TLS/SSL for 465 (dedicated encrypted) and STARTTLS for 587 (Supposed to be un-encrypted but giving the option to use encryption is great!). If I had my way all traffic (as much as possible) would be encrypted. But unfortunately that's not up to me.
Thanks,
Thomas

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-10-01 11:49

tohare wrote:BTW, are there any other entries for the [Settings] section? I tried to search on that and this board rejects "Settings" as too common.
Tons of options however 99% is useless to most of us :mrgreen:

Search for _("Settings", in the file below... (40 hits)

https://github.com/hmailserver/hmailser ... ttings.cpp
SørenR.


mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Auto-Ban being challenged

Post by mattg » 2016-10-03 00:37

^DooM^ wrote:Smart way of doing it SorenR. This should be implemented everywhere imo. would save a lot of issues.
I think it is awesome

I used to get 10-15 Autobanned IPs at a time (autoban for a week), but now I rarely have 1, and my logs are full of outright rejections.
Looking forward to SorenR's other tool which is OnHELO being incorporated into the main build. That will give me a lot more granular control for greylisting etc
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

tohare
Normal user
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-10-12 06:30

The buggers are getting too smart on Port 25. We disabled AUTH which helps "a lot"! But now I get the message authentication not enabled on port 25 when the buggers try to break in. That is great but I want to add them to the IP Ranges and block them from all services when this message appears. Bottom line is we know this is an attempted break-in and we want to ban them for a week or more from having "anything" to do with HMS. No doubt they are not nice people.

Is there a way to automatically add them to IP Ranges "anytime" the message "AUTH not enabled" shows in the log?

This stems from the fact the buggers "appear" to be using proxies or something and switching IPs rapidly. We can get hit by a dozen or more IPs in the same time range doing the same illegal break-in attempt. It is obvious to us most of these must be from the same source. We just want to shut them down quicker to help with overall security.
Thanks,
Thomas

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: Auto-Ban being challenged

Post by SorenR » 2016-10-12 09:25

tohare wrote:Bottom line is we know this is an attempted break-in and we want to ban them for a week or more from having "anything" to do with HMS. No doubt they are not nice people.
I just got a flashback of my daughter arguing with Siri... :mrgreen:

"They" are bots, they don't care..... It's just as hard to keep track of them as it is to unsubscribe to the IRS mailinglist.
SørenR.


tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-10-12 09:42

"They" are still not my buddies! ;-) Even more of a reason to add them to the IP Range list to keep them out. Most are port 25 but there are also a number of "multi-port" login attempts -- all at the same time. Just trying to do my duty and keep the nastiness away from the hen house...
Thanks,
Thomas

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Auto-Ban being challenged

Post by mattg » 2016-10-12 12:16

The only way that I can think of is to parse the log files for these entries and then add them as an IP Range manually.

I've done something similar for IP addresses of gMail hosted domains to add greylist whitelist entries. I'll have a play and post back a script
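The log-parsing approach mattg describes, as an added example that is not hMailServer's code and not a script posted in the thread. It addresses both problems raised above: the opening post's bots that pace their attempts to stay under "3 strikes in 60 minutes", and the later request to pick out every source IP that triggers the "504 Authentication mechanism not supported" reply on port 25 once DisableAUTHList=25 is in place. The script re-counts those rejections per IP over a sliding window whose length is under your control rather than Auto-Ban's, and reports the IPs that cross a threshold. The SMTPD line layout is taken from the log excerpt quoted earlier in the thread; the sample log lines, the IP addresses in them, and the pid/session numbers are constructed for the example.

```python
"""Added example (not hMailServer's code, nor a script from the thread):
re-count AUTH rejections per source IP from hMailServer's SMTPD log over a
longer sliding window than Auto-Ban uses, so bots that pace themselves just
under the configured strikes-per-window still surface as candidates for an
IP Range block. The sample log below is constructed to match the
tab-separated SMTPD lines quoted in the thread."""
from collections import defaultdict
from datetime import datetime, timedelta

# The reply hMailServer sends when AUTH is disabled on the port (DisableAUTHList).
# With AUTH off on 25 and real clients on 587/465, every one of these on port 25
# is an unwanted login attempt, which makes it a clean signal to count.
AUTH_REJECTED = "SENT: 504 Authentication mechanism not supported."
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_smtpd_line(line):
    """Split one SMTPD log line into (timestamp, client_ip, message); None if not SMTPD."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6 or parts[0].strip('"') != "SMTPD":
        return None
    ts = datetime.strptime(parts[3].strip('"'), TS_FORMAT)
    return ts, parts[4].strip('"'), parts[5].strip('"')


def auth_rejections(lines):
    """Yield (timestamp, ip) for each AUTH-rejected reply in the log."""
    for line in lines:
        parsed = parse_smtpd_line(line)
        if parsed is not None and parsed[2] == AUTH_REJECTED:
            yield parsed[0], parsed[1]


def ban_candidates(lines, strikes, window_minutes):
    """Return the set of IPs with >= `strikes` rejections inside some `window_minutes` span.

    Same counting rule Auto-Ban applies, but with the window under our control:
    a bot sending two attempts per hour is invisible at 3/60min and obvious at 5/1440min.
    """
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for ts, ip in auth_rejections(lines):
        events[ip].append(ts)
    flagged = set()
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= strikes:
                flagged.add(ip)
                break
    return flagged


def _log_line(ts, ip, msg):
    """Build a constructed SMTPD line; the pid/session ids are placeholders."""
    stamp = ts.strftime(TS_FORMAT)[:-3]          # hMailServer logs millisecond precision
    return '"SMTPD"\t3248\t10794\t"%s"\t"%s"\t"%s"' % (stamp, ip, msg)


# Constructed sample log. 198.51.100.7 (documentation range) probes every 40
# minutes for six hours: never three hits inside any 60-minute window, but ten
# in total. 203.0.113.9 makes a single attempt; 192.0.2.1 is ordinary mail.
_BASE = datetime(2016, 9, 6, 6, 0, 0)
SAMPLE_LOG = []
for i in range(10):
    t = _BASE + timedelta(minutes=40 * i)
    SAMPLE_LOG.append(_log_line(t, "198.51.100.7", "RECEIVED: AUTH LOGIN"))
    SAMPLE_LOG.append(_log_line(t, "198.51.100.7", AUTH_REJECTED))
SAMPLE_LOG.append(_log_line(_BASE + timedelta(minutes=50), "203.0.113.9", "RECEIVED: AUTH LOGIN"))
SAMPLE_LOG.append(_log_line(_BASE + timedelta(minutes=50), "203.0.113.9", AUTH_REJECTED))
SAMPLE_LOG.append(_log_line(_BASE, "192.0.2.1", "RECEIVED: MAIL FROM:<alice@example.com>"))

if __name__ == "__main__":
    # A real run would read the day's hmailserver_*.log files instead of SAMPLE_LOG.
    print("Auto-Ban style, 3 strikes / 60 min:", ban_candidates(SAMPLE_LOG, 3, 60))
    print("Widened, 5 strikes / 24 h:", ban_candidates(SAMPLE_LOG, 5, 1440))
```

The script stops at reporting; turning the flagged addresses into IP Ranges is left to whatever you already use to administer hMailServer (the COM API's SecurityRanges collection, or the admin GUI). Two caveats before automating the block: exempt the IP Ranges you created for devices that legitimately hard-wire port 25 (tochi's suggestion above), or a misconfigured device that tries AUTH will ban itself; and, as the thread notes, attackers rotate through proxies, so an IP-based block is a cost imposed on the bot rather than a lasting fix, and a very long window risks banning a shared egress address that a legitimate user later sits behind.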

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: Auto-Ban being challenged

Post by tohare » 2016-11-13 07:16

OK, a month later...

I "love" having AUTH OFF on Port 25!!! It is saving me a "lot" of work to try and keep the nastiness out! I kind of see it as a "honey pot" situation. The trolls are defaulting to port 25 since it is open. They try to do a Brute Force attack most times and are obviously stopped. What I am "assuming" is since they find an open port they direct BOTS to that port and try to guess passwords. Since AUTH OFF is set that will never work. I currently see very little activity to try and break-in to other ports. Yes, some but very little. Which in my mind says they are attracted to the honey on Port 25 and are distracted from the other ports. I plan on keeping AUTH OFF on Port 25 for the foreseeable future.
Thanks,
Thomas
