Getting a little bruteforce attack, how to block it


Post by sanja » 2016-10-05 13:47

Hello hMailServer community,

I have installed hMailServer and configured everything, and everything is working correctly. Now, I have looked at my server's SMTP log and I can see that a brute force attack was initiated against the server, but it didn't go through because of STARTTLS. Here is a footprint of the attack's log:

attacker -> connected to smtp
server -> replied with 220 status
attacker -> HELO
server -> replied with 250 status
attacker -> AUTH LOGIN
server -> replied with 530 Must issue STARTTLS first.
attacker -> QUIT
server -> replied with 221 goodbye

So, the attacker simply went away after the 530 status message was sent from the server.

Now, my question: is there any way to block the IP automatically in this case?

I am using STARTTLS on port 25 and the above attack is on it. So, please guide me through all the possible ways to prevent the above attack.

Thanks


Post by SorenR » 2016-10-05 13:55

Create a second port (587 or 465) for client use with TLS/SSL and insert DisableAUTHList=25 under [Settings] in hmailserver.ini ... Doing this makes port 25 "inter-server communication" only.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Post by sanja » 2016-10-05 14:18

Okay, I did it and I can see the server is now sending a 504 Authentication not enabled message to the client. It's like solved, but is there any way to track the IPs that are trying to AUTH and block those IPs?

Thanks


Post by mattg » 2016-10-05 14:46

Only by checking logs and then blocking at your firewall.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
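
The "check logs, then block at your firewall" step from the reply above can be partly scripted. This is an added example, not part of the thread and not hMailServer code; it assumes hMailServer's tab-separated log layout (type, thread id, session id, timestamp, remote IP, message prefixed with RECEIVED: or SENT:), and the function names, sample lines and IP addresses are constructed.

```python
import csv
from collections import Counter

REJECTED = ("530", "504")  # the two replies to AUTH quoted in this thread

def rejected_auth_by_ip(lines):
    """Count AUTH commands per remote IP that the server answered with 530/504."""
    pending = set()   # session ids whose last client command was AUTH
    hits = Counter()
    for row in csv.reader(lines, delimiter="\t"):
        if len(row) < 6 or row[0] != "SMTPD":
            continue  # skip other log types and malformed lines
        session, ip, msg = row[2], row[4], row[5]
        if msg.startswith("RECEIVED: "):
            if msg[10:].upper().startswith("AUTH"):
                pending.add(session)
            else:
                pending.discard(session)
        elif msg.startswith("SENT: ") and session in pending:
            pending.discard(session)  # pair the reply with the AUTH before it
            if msg[6:].startswith(REJECTED):
                hits[ip] += 1
    return hits

def block_candidates(lines, threshold=3):
    """IPs with at least `threshold` rejected AUTH attempts, for manual review."""
    counts = rejected_auth_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def _session(sid, ip, auth_reply):
    # Constructed sample session following the exchange described in the thread.
    steps = [("SENT", "220 mail.example.test ESMTP"), ("RECEIVED", "HELO probe"),
             ("SENT", "250 Hello."), ("RECEIVED", "AUTH LOGIN"),
             ("SENT", auth_reply), ("RECEIVED", "QUIT"), ("SENT", "221 goodbye")]
    return [f'"SMTPD"\t2100\t{sid}\t"2016-10-05 13:40:00.000"\t"{ip}"\t"{d}: {m}"'
            for d, m in steps]

SAMPLE_LOG = (  # constructed log lines, assumed layout
    _session(41, "203.0.113.7", "530 Must issue STARTTLS first.")
    + _session(42, "203.0.113.7", "530 Must issue STARTTLS first.")
    + _session(43, "203.0.113.7", "504 Authentication not enabled.")
    + _session(44, "192.0.2.20", "504 Authentication not enabled.")
    + ['"SMTPD"\t2100\t45\t"2016-10-05 13:41:00.000"\t"198.51.100.9"\t"RECEIVED: MAIL FROM:<a@example.test>"',
       '"SMTPD"\t2100\t45\t"2016-10-05 13:41:00.000"\t"198.51.100.9"\t"SENT: 250 OK"']
)

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG):
        print(ip)
```

Pass it the lines of a real log file (for example an open file object) and use the returned addresses as input for firewall block rules.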


Post by SorenR » 2016-10-05 14:58

sanja wrote: Okay, I did it and I can see the server is now sending a 504 Authentication not enabled message to the client. It's like solved, but is there any way to track the IPs that are trying to AUTH and block those IPs?

Thanks

It will go away eventually... The Black Hat community and the SPAM community often take some time to discover they are wasting resources so eventually your IP will be pulled out of the "official" databases.

When I initially did it on my (very) small server I experienced multiple attacks almost every day ... Now I see attempts once or twice per month.
SørenR.
