I was looking at my maillog and it looks like someone is trying to get into my pop3 server.

Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2

How worried should I be about this? Any suggestions for dealing with it?

Thanks,
James
On Tue, Dec 09, 2008, James Pifer wrote:
> I was looking at my maillog and it looks like someone is trying to get
> into my pop3 server.
>
> Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>
> How worried should I be about this? Any suggestions for dealing with
> it?

If your users all have good passwords, it isn't much to worry about, but then users having good passwords is not all that common.

Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user-level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities, thus gaining access to the system.

Setting all users' shells to /bin/false where they don't need to have shell access helps towards securing the systems, although this may not be sufficient (I saw a system where /bin/false had been replaced with /bin/bash).

You should also notify abuse at covad.com about these attempts from their network, sending them the log entries with your local time zone so they may be able to figure out which of their users was doing this.
Bill
--
INTERNET: bill at celestial.com   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676            Mercer Island, WA 98040-0820
Fax:   (206) 232-9186

If you want government to intervene domestically, you're a liberal. If you want government to intervene overseas, you're a conservative. If you want government to intervene everywhere, you're a moderate. If you don't want government to intervene anywhere, you're an extremist.
    -- Joseph Sobran
On Tue, Dec 9, 2008 at 2:17 PM, James Pifer <jep at obrien-pifer.com> wrote:
> I was looking at my maillog and it looks like someone is trying to get
> into my pop3 server.
>
> Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>
> How worried should I be about this? Any suggestions for dealing with
> it?

From the log snippet, it does not appear to be a distributed attack. Block 66.167.184.203 at the router.

--
Jeff
On Tue, Dec 9, 2008 at 3:17 PM, James Pifer <jep at obrien-pifer.com> wrote:
> I was looking at my maillog and it looks like someone is trying to get
> into my pop3 server.
<snip>

About 5 or 6 years ago, I couldn't access my POP3 mail on my web site. When I contacted OLM Tech Support, they discovered that someone was trying to access the POP3, every second......

> How worried should I be about this? Any suggestions for dealing with
> it?

I'm not sure how they eliminated the problem. Hopefully, a much more knowledgeable person here will respond to you.
on 12-9-2008 12:17 PM James Pifer spake the following:
> I was looking at my maillog and it looks like someone is trying to get
> into my pop3 server.
>
> Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
> Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>
> How worried should I be about this? Any suggestions for dealing with
> it?
>
> Thanks,
> James

You can run something like fail2ban and write a rule to catch this. That way a couple of failures gets the ip address dropped into a firewall rule.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
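As an added illustration of the kind of rule the reply above suggests (this is example code written for this page, not code from the thread or from fail2ban itself): a small Python script that applies fail2ban's failregex / maxretry / findtime logic to the dovecot lines from the original post. The regex, the assumed year 2008 (syslog timestamps carry none) and the final constructed successful-login line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban-style failregex for dovecot "pop3-login: Aborted login" lines. fail2ban's
# <HOST> token is written out as a capture group so this runs stand-alone; the optional
# "::ffff:" strips the IPv4-mapped IPv6 form seen in the post (assumed regex).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"Aborted login: user=<(?P<user>[^>]*)>, method=\S+, "
    r"rip=(?:::ffff:)?(?P<host>[0-9A-Fa-f.:]+), lip="
)

# The five failures from the original post plus one constructed successful login
# (the last line) to show that non-failure lines are ignored.
SAMPLE_LOG = """\
Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:30:02 mailserver dovecot: pop3-login: Login: user=<james>, method=PLAIN, rip=::ffff:10.0.0.5, lip=::ffff:192.168.1.2
"""

def parse_failures(log_text, year=2008):
    # Return (timestamp, host, user) for every aborted login; year is assumed.
    out = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{m.group('ts')} {year}", "%b %d %H:%M:%S %Y")
            out.append((ts, m.group("host"), m.group("user")))
    return out

def offending_hosts(failures, maxretry=3, findtime=600):
    # fail2ban's rule: report a host once maxretry failures fall inside any
    # window of findtime seconds. Returns {host: total failures seen}.
    by_host = defaultdict(list)
    for ts, host, _ in failures:
        by_host[host].append(ts)
    hits = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                hits[host] = len(times)
                break
    return hits
```

With the defaults the post's five failures in 42 seconds trip the rule for 66.167.184.203; a real fail2ban jail would then add the firewall rule the reply describes.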
On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
> Once the cracker finds an account with a guessable password, they may well
> be able to get access to your system as that user via ssh, webmin, usermin,
> or other means. Given shell access, the cracker can install user-level IRC
> servers or gain root access via exploits that only work for local users. I
> have seen cases where crackers were able to change user shells and other
> information via usermin or webmin by exploiting vulnerabilities in system
> utilities thus gaining access to the system.

You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:

# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe

And you should also set "PermitRootLogin no" while you are in sshd_config.

Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)

--Chris
Chris Boyd wrote:
>
> You can keep compromised accounts from logging in via ssh with the
> "AllowUsers" option in your /etc/ssh/sshd_config file. Add that
> option followed by a list of user names that you want to be able to
> log in, ex:
>
> # Only let Fred Guru and Joe Admin in, block anyone
> # else even if they have a valid password.
> AllowUsers fred joe
>
> And you should also set "PermitRootLogin no" while you are in
> sshd_config.
>
> Be sure to do a "service sshd restart" after you change the file, and
> do a test login _before_ you log out of your current session. Saves
> cursing and late night drives to remote servers in case sshd barfs
> somehow :-)
>
> --Chris
>

Nice tip - AllowUsers added to the Wiki page on securing SSH:

http://wiki.centos.org/HowTos/Network/SecuringSSH

Thanks!
Ned
2008/12/9 James Pifer <jep at obrien-pifer.com>:
> I was looking at my maillog and it looks like someone is trying to get
> into my pop3 server.
>
> Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2

Do you really need pop3 exposed to the internet? You'd better open it only on localhost, and use an ssh channel to access it. Do not use ssh password authentication, but keys.
Toby Bluhm <tkb at alltechmedusa.com> wrote:
> Or switch to postfix. I plunked "relayhost = smtp-server.roadrunner.com"
> into main.cf & away it went.

Having read the rest of the thread, I respond at the risk of furthering the flames. The sendmail configuration line is just as trivial:

define(`SMART_HOST', `[smarthost.example.net]')dnl

Check the quoting, since the article uses matching left and right single quotes, which is probably a figment of the editor used for writing the article. Here's the reference if you'd like more information:

http://www.elandsys.com/resources/sendmail/smarthost.html

Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
    -- Ambrose Bierce