How to stop server attack

nurimaso
Normal user
Posts: 195
Joined: 2007-02-21 14:22

How to stop server attack

Post by nurimaso » 2014-07-07 11:49

Hi,
I detected that someone is trying to use a client server as a spam sender.

I'm checking the logs and they show lines like these several times:

"SMTPD" 3272 2479 "2014-07-07 09:25:48.769" "196.46.142.79" "RECEIVED: AUTH LOGIN"
"SMTPD" 3272 2479 "2014-07-07 09:25:48.769" "196.46.142.79" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2532 2479 "2014-07-07 09:25:49.175" "196.46.142.79" "RECEIVED: ZXJpY0AxODcuMTc3LjIxNi44Ny5zdGF0aWMuamF6enRlbC5lcw=="
"SMTPD" 2532 2479 "2014-07-07 09:25:49.175" "196.46.142.79" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2876 2479 "2014-07-07 09:25:49.503" "196.46.142.79" "RECEIVED: ***"
"SMTPD" 2876 2479 "2014-07-07 09:25:49.519" "196.46.142.79" "SENT: 535 Authentication failed. Restarting authentication process."


Using a Base64 decoder, some of the accounts used are:

jean@187.177.216.87.static.jazztel.es
james@187.177.216.87.static.jazztel.es
jennifer@187.177.216.87.static.jazztel.es
eric@187.177.216.87.static.jazztel.es

In the IP ranges, auto-ban has entries such as:

Auto-ban:eugene 95.228.84.117 20 07/07/2014 11:47:07
Auto-ban:eugene(1) 95.228.84.117 20 07/07/2014 11:47:07
Auto-ban:eugene(2) 184.183.180.98 20 07/07/2014 11:47:08
Auto-ban: files 187.11.135.43 20 07/047/2014 12:17:38

How can I control this so they can use account to send spam?

One more thing. Is it possible that HMS uses the computer time?

Thanks
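
Added example, not part of the original thread and not hMailServer code: a Python log summariser for the line format quoted in the post above, which pairs each base64 username with the 535 reply in the same session and counts failures per client IP. The function names and the sample data (documentation-range IPs, made-up account names) are assumptions.

```python
import base64
import re
from collections import defaultdict

# Field layout taken from the log lines quoted in the post:
# "SMTPD" <thread> <session> "<timestamp>" "<ip>" "<SENT|RECEIVED>: <text>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]+)"\s+"(SENT|RECEIVED): (.*)"$')
USER_PROMPT = "334 " + base64.b64encode(b"Username:").decode()  # 334 VXNlcm5hbWU6


def failed_logins(log_text):
    """Map each client IP to its count of 535 replies and the usernames tried."""
    awaiting = set()   # sessions where the next RECEIVED line is the username
    tried = {}         # session id -> last decoded username
    report = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an SMTPD line in the expected layout
        session, ip, direction, text = m.groups()
        if direction == "SENT" and text == USER_PROMPT:
            awaiting.add(session)
        elif direction == "RECEIVED" and session in awaiting:
            awaiting.discard(session)
            try:
                tried[session] = base64.b64decode(text, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error subclasses ValueError
                tried[session] = "<not base64>"
        elif direction == "SENT" and text.startswith("535 "):
            report[ip]["failures"] += 1
            if session in tried:
                report[ip]["users"].add(tried.pop(session))
    return dict(report)


def sample_log():
    """Constructed sample: documentation-range IPs and made-up account names."""
    lines = []
    attempts = [(2479, "192.0.2.10", "eric@mail.example.test"),
                (2480, "192.0.2.10", "jean@mail.example.test"),
                (2481, "198.51.100.7", "james@mail.example.test")]
    for sid, ip, user in attempts:
        b64 = base64.b64encode(user.encode()).decode()
        for text in ("RECEIVED: AUTH LOGIN", "SENT: " + USER_PROMPT, "RECEIVED: " + b64,
                     "SENT: 334 UGFzc3dvcmQ6", "RECEIVED: ***",
                     "SENT: 535 Authentication failed. Restarting authentication process."):
            lines.append(f'"SMTPD" 3272 {sid} "2014-07-07 09:25:48.769" "{ip}" "{text}"')
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, info in sorted(failed_logins(sample_log()).items()):
        print(ip, info["failures"], sorted(info["users"]))
```

Usernames that never appear among the server's real accounts, tried from many different IPs, point to automated guessing rather than a misconfigured client.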

SorenR
Senior user
Posts: 3214
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to stop server attack

Post by SorenR » 2014-07-07 12:03

SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: How to stop server attack

Post by percepts » 2014-07-07 12:19

The autoban would only ban the IP number making the failed attempts and not the IP number of the user. So your users should still be able to use their accounts without you needing to do anything.

If it's one of your own users trying to send spam then track down which machine the banned IP is from and you should be able to find out who is doing it.

nurimaso
Normal user
Posts: 195
Joined: 2007-02-21 14:22

Re: How to stop server attack

Post by nurimaso » 2014-07-07 12:22

I know but what I want is to block definitively the IPs that attack the server so they can attack again.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: How to stop server attack

Post by percepts » 2014-07-07 12:24

Change your autoban settings. I have mine set to ban for one year.

OR

When you look at these bans you can untick the "Expires" check box (you could write a scheduled script to do this).

OR

Otherwise you have a manual operation to add the IPs to a list to ban via script in your OnClientConnect Sub.

e.g.

Code:

  Sub OnClientConnect(oClient)
   ' Refuse the connection when it comes from a listed address
   If (oClient.IPAddress = "111.222.333.444") Then
    Result.Value = 1
   End If
  End Sub

I think what Soren is referring to is that you could set your client sending port to be a non-standard port and reject any attempt to auth on any other port. Most automated attempts to auth will be on one of the standard ports (25 or 587) but if you require, for example, 40, then anyone not using 40 would be rejected.

SorenR
Senior user
Posts: 3214
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to stop server attack

Post by SorenR » 2014-07-07 12:37

nurimaso wrote: I know but what I want is to block definitively the IPs that attack the server so they can attack again.

The attacks are coming from a number of massive BOT networks - thousands, if not millions of PCs left unprotected and not updated with the latest security fixes.

Either you adjust your Auto-Ban settings to exclude indefinitely - and build a list miles long - or do like the rest of us, block what you can and live with it. Complex passwords are the way to go, passwords like "12345", "qwerty" and "password" are NOT good enough anymore...

Location based blocking.
http://www.hmailserver.com/forum/viewto ... 20&t=16679
http://www.hmailserver.com/forum/viewto ... 20&t=26408
http://www.hmailserver.com/forum/viewto ... 20&t=26672

Blocking unauthorised users...
http://www.hmailserver.com/forum/viewto ... 117#p68117

And... Bill's experimental versions as I linked to earlier..
http://www.hmailserver.com/forum/viewto ... 35#p161235

Just some of the things you can do if you search through the forum.

nurimaso
Normal user
Posts: 195
Joined: 2007-02-21 14:22

Re: How to stop server attack

Post by nurimaso » 2014-07-07 13:15

ok, thank you

bert-ks
New user
Posts: 14
Joined: 2011-02-02 13:56
Location: Lockyer Valley, QLD, AU

Re: How to stop server attack

Post by bert-ks » 2014-07-15 01:34

I had the same problem and got massive attacks trying to hack into my accounts.

I changed the settings in Auto-Ban to
Max. invalid logon attempts: 1
Minutes before reset: 1
Minutes to auto-ban: 10080 (7 days)

This helped dramatically, reducing the login attempts by almost 100%. Just make sure all your devices are correctly set up as they will be banned as well when using the wrong credentials and you have to manually delete the IP range for this user until it's been set up correctly.

The logfile size for just SMTP went down from 1.3MB/day to under 80kB/day.

Hope that helps...

Cheers,
Bert

nurimaso
Normal user
Posts: 195
Joined: 2007-02-21 14:22

Re: How to stop server attack

Post by nurimaso » 2014-07-15 08:24

I think that I didn't understand auto-ban configuration then.

I noticed that I understood the fields' content in reverse.

Thank you for your comments.

bert-ks
New user
Posts: 14
Joined: 2011-02-02 13:56
Location: Lockyer Valley, QLD, AU

Re: How to stop server attack

Post by bert-ks » 2014-07-15 08:32

Just press the Help button on the Auto-Ban site and it's been explained well. I was confused as well before and did some testing with this and it has worked very well...
