1. Forum
  2. Usenet
  3. COMP.MAIL.MISC

  • Brute-forcing email accounts

    From Hans-Georg Michna@21:1/5 to All on Fri Oct 7 12:56:21 2016
    My mail server, running postfix and courier-imap etc., is
    continuously under attack from sources trying to brute-force
    email accounts. They guess, often correctly, the email addresses
    and try different passwords.

    So far they have been largely unsuccessful, with one sad
    exception, but I am asking myself whether there is not a
    relatively simple defense. Perhaps the attacking IP address
    could be blocked for some time after three unsuccessful logon
    attempts.

    Of course I keep reminding my mail users to use sufficiently
    complex passwords, but I cannot force them.

    My server runs under Plesk, and my knowledge of Linux is
    superficial. There is always hope, of course, that Plesk one day
    improves resistance against cyberattacks.

    Any hints are welcome.

    Hans-Georg

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ivan Shmakov@21:1/5 to if Cracklib on Fri Oct 7 11:13:30 2016
    Hans-Georg Michna <[email protected]> writes:

    My mail server, running postfix and courier-imap etc., is
    continuously under attack from sources trying to brute-force email
    accounts. They guess, often correctly, the email addresses and try different passwords.

    So far they have been largely unsuccessful, with one sad exception,
    but I am asking myself whether there is not a relatively simple
    defense. Perhaps the attacking IP address could be blocked for some
    time after three unsuccessful logon attempts.

    As stated, this problem looks like something Fail2ban can help
    you with. See http://www.fail2ban.org/.

    Of course I keep reminding my mail users to use sufficiently complex passwords, but I cannot force them.

    Actually, you can. For example, if your ESMTPSA and IMAPS
    services use PAM for authentication, you can configure it to
    check the new password with pam_cracklib and disallow the change
    if Cracklib says it's "weak."

    My server runs under Plesk, and my knowledge of Linux is superficial.

    JFTR, I have no knowledge of Plesk whatsoever myself, so if
    there's anything specific to it, I'd hardly be of any help.

    [...]

    --
    FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bruce Esquibel@21:1/5 to Hans-Georg Michna on Fri Oct 7 21:40:56 2016
    Hans-Georg Michna <[email protected]> wrote:

    My server runs under Plesk, and my knowledge of Linux is
    superficial. There is always hope, of course, that Plesk one day
    improves resistance against cyberattacks.

    It's time to get your hands dirty and quit relying on those stupid control panels.

    Both of these work wonders, protects the sshd, imap, pop and smtp with or without ssl/tls support.

    Once an attacker from the same ip address enters 4 or 5 bad password, it's locked out. For how long is adjustable.

    http://www.aczoom.com/blockhosts/

    http://www.sshguard.net

    But here is the run down, blockhosts is probably obsolete unless you use
    it with iptables. It used to be dumb simple to install using the hosts.deny
    and hosts.allow files, but the recent changes to ssh/ssl, they don't support the tcpwrappers anymore, so it's iptables or nothing.

    The sshguard works well for a replacement but is difficult to get going.
    Unlike blockhosts, adding in or modifying the rules (how it parses the log files) isn't there. For solaris I ended up using a combination of the native syslog and syslog-ng.

    Both will require an understanding of parsing log files and how to setup and make rules for the firewall. It's a steep, complicated hill to climb.

    But when you get them to fire up, they pretty much are maintenance free.
    They clean up themselves over time (take out dead or expired entries). Only reason to poke a stick at them is if an idiot user sets up a new device and "thinks" they know what the password is. You have to figure it out and put
    in an exception but it's no big deal.

    The blockhosts pretty much works on anything that has python on it, the sshguard will need to be compiled to the box it's going to work. If you don't know how to compile software, add that to the list of stuff to learn.

    Good luck.

    -bruce
    [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hans-Georg Michna@21:1/5 to All on Mon Oct 10 18:32:57 2016
    Thanks for the hints! I have once tried to understand iptables
    and have more or less failed.

    It seems I can only do my best to make my users choose good
    passwords and hope that my server keeps efficiently deflecting
    the attacks.

    Hans-Georg

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)