Re: [exim] Closing off Port to non-SSL traffic

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Slavko (tblt)
Dátum:  
Címzett: 'Mailing List'
Tárgy: Re: [exim] Closing off Port to non-SSL traffic
Dňa 25. júna 2022 15:11:34 UTC používateľ Sebastian Nielsen via Exim-users <exim-users@???> napísal:

>They seem to use wordlists to hack the password.


Next week will be one year, from distributed attack to my email system starts,
and it is still ongoing. The year is enough time to do with (against) it, but of
course i cannot stop it. I can only guess, that it is from multiple relative independed
botnets, as i have no power investigate in depth.

They all seems to use harvested email addresses as i see a lot of login attempts
to email aliases, but most significant part are logins with XMPP accounts (JID
-- Jabber ID), which looks as email address, but in my case never had email
accounts (they was JIDs used for remote teaching at COVID's lockdowns), thus
i do not need to afraid about attack success. Only very small part of this attack
used real mail accounts.

Initially i even watch on passwords, but the attempts looks as dictionary
variations of one (per login) password. But these accounts was removed from
server in that time, thus i cannot tell, if they get real passwords with these JIDs,
but it is possible... I then stop to watch them.

I use 465 (and 993/995) with implicit TLS only (for users) more than two years,
small part of attack was filtered by setting TLS1.2+ as requirement, without DHE+RSA
and plain RSA, but that doesn't help mutch.

Relative quickly i understand, tha fail2ban will not helps with it, as any host tried
AUTH only once, and returns only occassionaly. If they returns, it was after relative
long time, in days or even weeks (i store its IPs for some months).

Then i start to collect its ASNs & IP networks, to see if i can block that. But without luck,
they comes from different providers and while some ASNs repeats, it was not significant
number.

Then i start collect its countries and finally i found pattern -- the US, BR, AR, IN are
biggest part of it. There are other countries involved too, including my own, but thay are
occasional. I was initially against country blocking, but no other pattern in attacking IPs.
I afraid to country block mostly because my users are from in countries and often
travel, but by per user BL/WL it is acceptable (at least for me).

Then i go into real blocking. As i use dovecot's SASL for SMTP login, i decided to use
blocking on the dovecot side, to have them blocked not only for SMTP, but for IMAP
and POP3 too. I found that dovecot supports policy daemon, thus i start to play with
weakforce (from PowerDNS or so), it looks very good and provides nice functions
for per user, per IP or per country counting of failed/success logins and automatically
block eg. account from too many IPs (leaked passwords).

After i learn to setup and use it i found, that i was not able to build one of its dependencies
(and thus to build it self) on oldstable Debian, on which my email system runs at that time...
Then i start to develop own policy daemon. Is not as poweful as weakforced, i wrote
it in python (and flask) and uses redis as storage, but works great for my small email
system for more months. For now it provides:

+ global country (GeoIP2) BL with per user WL (no UI)
+ global IP and users BL/WL
+ configurable DNS RBL fír blocking
+ success login IP counting with auto users BL (as leaked passwords action)

I initialy used relative long list of RBLs (they are queried async, thus no problem),
but after some months i reduced it, as some provided false positives (as i
mentioned in other post already).

It itself doesn't blocks IP (only delays/rejects logins), but i use strict fail2ban's jail,
which adds every block from its log to ipset, where IPs are blocked for about 24
days (max ipset's timeot) and its timeout is reset by any attemt in that time by
iptables. Today that ipset has about 2200 IPs, the maximum was about 4500
at once.

To be honest, most of attempts i block by country (from the same redis BL)
directly in exim at connect time yet (as i initially afraid about my policy daemon
performance and resource usage), but it survived multiple bursts from not
blocked countries already, thus after i finish (ongoing) services migration to new
HW i will rely only on dovecot's policy daemon, as on exim's side is per user
WL missing.

To get country in exim i initally used shell script to query Maxmind DB, but now
i use GeoIP dlfunc which i found on github and exim queries redis's BL. I found
no one (as mentioned) DNS RBL providing country info for IPv6, thus they are
not useful for me (while current attack is IPv4 only).

Beside this, i start to distribute fail2ban block between my MX and MSA,
as they are serated, by using small python daemon subscribed to redis's
PubSub. It is not very usefull in this attack, as only some IPs are accesing
both, the 465 and 25 ports yet, but it is nice to have ;-)

After initial (when this attack starts) wondering, i now only look at daily logwatch
reports, that all works as expected and i only count how many IPs was blocked.
Because i do not know, if my leaked password protection works, as i didn't meet
it yet, i watch login counts, if they are in usual...

Finally, after i finish mentioned migration, i have plan to build honeypot for
SMTP/IMAP/POP connections over plain ports with STARTTLS, as i do not
offer them to clients, which will use the same user/passwords as real service
but will reject all (including success) logins, and will report (block) the success
one, but it is only idea yet...

I am writing this on my tablet now, thus i have no links here, but if anyone
is interested, i can provide them latter, when i will be on PC...

regards

--
Slavko