attack! how can I stop it. RSET retrying to auth again and a

minsik
Normal user
Posts: 92
Joined: 2006-08-03 13:08
Location: South Australia

attack! how can I stop it. RSET retrying to auth again and a

Post by minsik » 2008-10-19 13:49

Hi there.

Never been touched before from anyone and it feels violating!

"SMTPD" 4852 10 "2008-10-19 21:44:30.753" "192.168.1.2" "RECEIVED: EHLO oijgrn.com"

and it appears he is trying to get an auth on the same connection.

"sMTPD" 4600 10 "2008-10-19 22:08:45.564" "192.168.1.2" "SENT: 250 OK"
"SMTPD" 4852 10 "2008-10-19 22:08:45.918" "192.168.1.2" "RECEIVED: AUTH LOGIN"
"SMTPD" 4852 10 "2008-10-19 22:08:45.920" "192.168.1.2" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 1132 10 "2008-10-19 22:08:47.289" "192.168.1.2" "RECEIVED: Y2FuZHk="
"SMTPD" 1132 10 "2008-10-19 22:08:47.291" "192.168.1.2" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4600 10 "2008-10-19 22:08:49.573" "192.168.1.2" "RECEIVED: Y2FuZHk="
"SMTPD" 4600 10 "2008-10-19 22:08:49.576" "192.168.1.2" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 4852 10 "2008-10-19 22:09:19.001" "192.168.1.2" "RECEIVED: RSET"
"SMTPD" 4852 10 "2008-10-19 22:09:19.005" "192.168.1.2" "SENT: 250 OK"
"TCPIP" 4644 "2008-10-19 22:12:12.027" "TCPConnection - Posting AcceptEx on 0:110"


Is there any mechanism to get rid of a caller after 3 bad attempts at login? I mean, if he can't get the username and password right after the third attempt, block the IP or sending name for an hour or so?

There was only one connection and hundreds of attempts at a username and password.

Thanks.
Windows XP
hMailServer (latest beta always) (except db versions)
test config, trying to convince the boss to use hMail!
ASSP - front end spam killer

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: attack! how can I stop it. RSET retrying to auth again and a

Post by ^DooM^ » 2008-10-19 19:58

And it is coming from your network

192.168.1.2
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

minsik
Normal user
Posts: 92
Joined: 2006-08-03 13:08
Location: South Australia

Re: attack! how can I stop it. RSET retrying to auth again and a

Post by minsik » 2008-10-20 02:04

Coming from my network, yes. It's the ASSP proxy in the front that it's passing through.

Internet > ASSP port 25 > hMailServer port 9801. Any connection appears as if from the 192.168.1.2 address.

ASSP passes the connection to hMailServer and tries to authenticate as normal, which this source is trying to do over and over again on the same connection.
I was just wondering if there was anything else to stop multiple retries on the same connection?
Perhaps I should drop ASSP for a while and see how it goes by itself? In the ASSP logs I can see the IP address of the offender.

After 30 minutes he gave up and ran away. Interesting to see it happen, as it's such an occasional email server, only when I have left the PC on. I just use it for testing and learning on.

Thanks.
Windows XP
hMailServer (latest beta always) (except db versions)
test config, trying to convince the boss to use hMail!
ASSP - front end spam killer

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: attack! how can I stop it. RSET retrying to auth again and a

Post by ^DooM^ » 2008-10-20 02:32

Seems you need to tell ASSP to use tarpitting or its equivalent to prevent this and ban users. hMail does have tarpitting but no easy way to blacklist IPs, which would be useless in your case anyway as it's showing your network IP address.

FYI: it was trying to access the account named candy with the password of candy in your log snippet, but as it was unsuccessful I would presume the password is secure if it has given up.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
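An added example, not part of the thread and not hMailServer or ASSP code: a small log audit that decodes the AUTH LOGIN username as described above and counts 535 failures per session rather than per IP, since behind the proxy every client shows up as 192.168.1.2. Treating the second number on each line as the session id, the 235 success code (standard SMTP AUTH, not shown in the thread) and the sample lines are assumptions; passwords are never decoded.

```python
import base64
import re
from collections import defaultdict

# Layout as in the thread: "SMTPD" <thread> <session> "<time>" "<ip>" "<SENT|RECEIVED>: <text>"
# Assumption: the second number is the session (connection) id.
LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]*)"\s+"(SENT|RECEIVED): (.*)"\s*$', re.I)
USER_PROMPT = "334 " + base64.b64encode(b"Username:").decode()  # 334 VXNlcm5hbWU6

def audit_auth(log_text, max_failures=3):
    """Return ({(ip, session): {'failed': [...], 'succeeded': [...]}}, flagged sessions)."""
    stats = defaultdict(lambda: {"failed": [], "succeeded": []})
    pending = {}    # (ip, session) -> username waiting for a 235/535 verdict
    expect = set()  # sessions whose next RECEIVED line carries the username
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # TCPIP and other non-SMTPD lines
        session, ip, direction, text = m.groups()
        key = (ip, session)
        if direction.upper() == "SENT":
            if text.startswith(USER_PROMPT):
                expect.add(key)
            elif text.startswith("535") and key in pending:
                stats[key]["failed"].append(pending.pop(key))
            elif text.startswith("235") and key in pending:
                stats[key]["succeeded"].append(pending.pop(key))
        elif key in expect:  # the reply to the password prompt is skipped on purpose
            expect.discard(key)
            try:
                pending[key] = base64.b64decode(text, validate=True).decode("utf-8", "replace")
            except ValueError:
                pending[key] = "<undecodable>"
    flagged = sorted(k for k, v in stats.items() if len(v["failed"]) >= max_failures)
    return dict(stats), flagged

def _attempt(session, user, verdict):
    """Constructed log lines for one AUTH LOGIN exchange, in the thread's format."""
    b64 = base64.b64encode(user.encode()).decode()
    msgs = ["RECEIVED: AUTH LOGIN", "SENT: 334 VXNlcm5hbWU6", f"RECEIVED: {b64}",
            "SENT: 334 UGFzc3dvcmQ6", "RECEIVED: cGxhY2Vob2xkZXI=", f"SENT: {verdict}"]
    return "\n".join(f'"SMTPD" 4852 {session} "2008-10-19 22:08:45.918" "192.168.1.2" "{m}"' for m in msgs)

FAIL = "535 Authentication failed. Restarting authentication process."
# Constructed sample: three failures on session 10, one success on session 11.
SAMPLE = "\n".join(_attempt(s, u, v) for s, u, v in [
    (10, "candy", FAIL), (10, "admin", FAIL), (10, "test", FAIL),
    (11, "candy", "235 constructed success reply")])

if __name__ == "__main__":
    print(audit_auth(SAMPLE))
```

The `succeeded` list names any account whose login was accepted, which is the entry to look for when deciding whose password to reset.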

ccernst
New user
Posts: 3
Joined: 2009-06-10 06:57

Re: attack! how can I stop it. RSET retrying to auth again a

Post by ccernst » 2012-01-18 09:26

^DooM^ wrote: Seems you need to tell ASSP to use tarpitting or its equivalent to prevent this and ban users. hMail does have tarpitting but no easy way to blacklist IPs, which would be useless in your case anyway as it's showing your network IP address.

FYI: it was trying to access the account named candy with the password of candy in your log snippet, but as it was unsuccessful I would presume the password is secure if it has given up.
I know I'm bringing a thread up from the dead, but I've got the same issue going...except I found the attempt where he succeeded. Doom, may I PM you the log entries so you can tell me the account that was compromised? I have since re-passworded all accounts (only 8 of them...small non-profit)...hopefully that'll stop them for a bit.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: attack! how can I stop it. RSET retrying to auth again a

Post by ^DooM^ » 2012-01-18 10:12

If at first you don't succeed, bomb disposal probably isn't for you! ヅ
