• smtp attack

    From Ragnarok@VERT/DOCKSUD to DOVE-Net.Synchronet_Discussion on Tuesday, March 31, 2020 16:09:17
    can you detect this attack? to throttle the smtp connection or log the error
    + remote ip address to help add a fail2ban rule?

    thanks!



    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Session thread started
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60809
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org resolved to: 127.0.0.3
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Session ID=14cf8023962f051dee29521
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP !ERROR 32 sending on socket
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Socket closed by peer on receive
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session thread terminated (8 threads remain, 3817 clients served)
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: EHLO ylmf-pc
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: AUTH LOGIN
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP Socket closed by peer on receive
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session thread started
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Connection accepted on port 25 from: 45.143.223.164 port 52049
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org resolved to: 127.0.0.3
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session ID=14cfb25cfd1eba1dee30b55
    Mar 31 16:07:16 scarlet synchronet: mail 0188 SMTP !ERROR 32 sending on socket
    Mar 31 16:07:16 scarlet synchronet: mail 0188 SMTP Socket closed by peer on receive
    Mar 31 16:07:16 scarlet synchronet: mail 0188 SMTP Session thread terminated (8 threads remain, 3818 clients served)
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP RX: EHLO ylmf-pc
    Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP RX: AUTH LOGIN
    Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP Socket closed by peer on receive
    Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP !missing AUTH LOGIN username argument
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Session thread started
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60259
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org resolved to: 127.0.0.3
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Session ID=14cfbc1e13a4761dee3a7f0
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP RX: EHLO ylmf-pc
    Mar 31 16:07:18 scarlet synchronet: mail 0130 SMTP !ERROR 32 sending on socket
    Mar 31 16:07:18 scarlet synchronet: mail 0130 SMTP Socket closed by peer on receive
    Mar 31 16:07:18 scarlet synchronet: mail 0130 SMTP Session thread terminated (8 threads remain, 3819 clients served)
    Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP RX: AUTH LOGIN
    Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP Socket closed by peer on receive
    Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP !missing AUTH LOGIN username argument

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
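An added example, not code from the thread or from Synchronet, addressing the "log error + remote ip address" part of the question: the `!missing AUTH LOGIN username argument` line carries no address, so a fail2ban filter cannot match it on its own. The address sits on the `Connection accepted ... from:` line logged earlier under the same `mail NNNN` session thread id. This Python script joins the two by thread id, forgets the mapping when a thread terminates (ids such as 0178 are reused by later sessions in the posted log), and tallies failures per IP. The syslog line layout and the set of failure markers are assumptions taken from the lines posted above; the sample log is the posted log abridged to one line per event, plus a constructed benign session from 198.51.100.7 that must not be counted.

```python
"""Join Synchronet SMTP auth failures to the remote IP by session thread id.

Added example, not Synchronet code. The '!missing AUTH LOGIN username
argument' line has no address; the address is on the 'Connection accepted
... from:' line logged earlier under the same 'mail NNNN' thread id.
"""
import re
from collections import Counter

# Assumed syslog layout, from the lines posted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ synchronet: "
    r"mail (?P<tid>\d+) SMTP (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(
    r"Connection accepted on port \d+ from: (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)
# Assumed list of auth-failure messages; only this one appears in the thread.
FAILURE_MARKERS = ("!missing AUTH LOGIN username argument",)

# The posted log abridged to one line per event (wrapped lines rejoined),
# plus a constructed benign session from 198.51.100.7 that must not count.
SAMPLE_LOG = """\
Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60809
Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session thread terminated (8 threads remain, 3817 clients served)
Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: EHLO ylmf-pc
Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: AUTH LOGIN
Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument
Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Connection accepted on port 25 from: 45.143.223.164 port 52049
Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP RX: AUTH LOGIN
Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP !missing AUTH LOGIN username argument
Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60259
Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP !missing AUTH LOGIN username argument
Mar 31 16:07:20 scarlet synchronet: mail 0130 SMTP Connection accepted on port 25 from: 198.51.100.7 port 40001
Mar 31 16:07:20 scarlet synchronet: mail 0130 SMTP RX: EHLO mail.example.net
Mar 31 16:07:21 scarlet synchronet: mail 0130 SMTP Session thread terminated (8 threads remain, 3820 clients served)
"""


def correlate(lines):
    """Return (enriched failure lines, Counter of failures per IP)."""
    ip_by_thread = {}
    failures, counts = [], Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a mail-server line (or a wrapped fragment)
        tid, msg = m["tid"], m["msg"]
        accepted = ACCEPT_RE.search(msg)
        if accepted:
            ip_by_thread[tid] = accepted["ip"]  # new session on this thread id
        elif msg.startswith("Session thread terminated"):
            ip_by_thread.pop(tid, None)  # the id is reused by later sessions
        elif any(msg.startswith(marker) for marker in FAILURE_MARKERS):
            ip = ip_by_thread.get(tid, "unknown")  # failure seen before its accept
            failures.append(f"{m['ts']} SMTP auth failure from {ip} ({msg})")
            counts[ip] += 1
    return failures, counts


def offenders(counts, threshold):
    """IPs with at least `threshold` failures: candidates for a block rule."""
    return sorted(ip for ip, n in counts.items()
                  if ip != "unknown" and n >= threshold)


if __name__ == "__main__":
    found, per_ip = correlate(SAMPLE_LOG.splitlines())
    print("\n".join(found))
    print("offenders:", offenders(per_ip, threshold=3))
```

Feeding the real file (`correlate(open(path))`) and writing the enriched lines to their own log gives fail2ban a line with the address and the failure together, which is what its filter regexes need; `offenders()` is the same tally with a threshold applied.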
  • From Digital Man@VERT to Ragnarok on Tuesday, March 31, 2020 13:03:11
    Re: smtp attack
    By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm

    can you detect this attack? to throttle the smtp connection or log the error
    + remote ip address to help add a fail2ban rule?

    I think you're referring to this:

    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument

    These are counted as a login failure and the loginAttempt settings apply (hack-logging, auto-filtering). And the login attempt delay is applicable here as well, if configured.

    So... I'm not sure what you're asking for.

    digital man

    This Is Spinal Tap quote #38:
    Artie Fufkin: I'm not asking, I'm telling with this. Kick my ass.
    Norco, CA WX: 73.7°F, 34.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Ragnarok@VERT/DOCKSUD to Digital Man on Tuesday, March 31, 2020 17:51:39
    On 31/3/20 at 17:03, Digital Man wrote:
    Re: smtp attack
    By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm

    can you detect this attack? to throttle the smtp connection or log the error
    + remote ip address to help add a fail2ban rule?

    I think you're referring to this:

    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument

    These are counted as a login failure and the loginAttempt settings apply (hack-logging, auto-filtering). And the login attempt delay is applicable here as well, if configured.

    So... I'm not sure what you're asking for.

    digital man
    Yes, but I do not see the !TEMPORARY BAN or Throttling as with TELNET (just
    these 3 lines in the whole log)


    Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious connection from: 190.19.114.20 (5 login attempts)
    Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious connection from: 190.19.114.20 (7 login attempts)
    Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of 45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
    Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
    Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56


    you can see the smtp parts log here:

    http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt

    my sbbs.ini settings are the default:

    LoginAttemptDelay = 5000
    LoginAttemptThrottle = 1000
    LoginAttemptHackThreshold = 10
    LoginAttemptFilterThreshold = 0
    LoginAttemptTempBanThreshold = 20
    LoginAttemptTempBanDuration = 600

    I guess that the login fail counter is not working for the smtp
    service. The hack.log and spam.log files are empty.

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Digital Man@VERT to Ragnarok on Tuesday, March 31, 2020 16:25:10
    Re: Re: smtp attack
    By: Ragnarok to Digital Man on Tue Mar 31 2020 05:51 pm

    On 31/3/20 at 17:03, Digital Man wrote:
    Re: smtp attack
    By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm

    can you detect this attack? to throttle the smtp connection or log the error
    + remote ip address to help add a fail2ban rule?

    I think you're referring to this:

    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument

    These are counted as a login failure and the loginAttempt settings apply (hack-logging, auto-filtering). And the login attempt delay is applicable here as well, if configured.

    So... I'm not sure what you're asking for.

    digital man
    Yes, but I do not see the !TEMPORARY BAN or Throttling as with TELNET (just
    these 3 lines in the whole log)


    Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious connection from: 190.19.114.20 (5 login attempts)
    Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious connection from: 190.19.114.20 (7 login attempts)
    Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of 45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
    Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
    Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56


    you can see the smtp parts log here:

    http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt

    my sbbs.ini settings are the default:

    LoginAttemptDelay = 5000
    LoginAttemptThrottle = 1000
    LoginAttemptHackThreshold = 10
    LoginAttemptFilterThreshold = 0
    LoginAttemptTempBanThreshold = 20
    LoginAttemptTempBanDuration = 600

    In which section(s) of the .ini file are those values? Each section (e.g. [mail]) can have overrides of the defaults specified in the [global] section.

    I guess that the login fail counter is not working for the smtp
    service. The hack.log and spam.log files are empty.

    It's certainly working for me:
    $ grep -c SMTP /sbbs/data/hack.log
    51184

    $ grep -c SMTP /sbbs/data/spam.log
    190513

    But the spam.log has nothing to do with LoginAttempts.

    digital man

    This Is Spinal Tap quote #1:
    Nigel Tufnel: These go to eleven.
    Norco, CA WX: 73.3°F, 43.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Rampage on Tuesday, March 31, 2020 16:27:49
    Re: Re: smtp attack
    By: Rampage to Ragnarok on Tue Mar 31 2020 06:26 pm

    i'm using the following...

    LoginAttemptDelay = 5000
    LoginAttemptThrottle = 1000
    LoginAttemptHackThreshold = 2
    LoginAttemptFilterThreshold = 3
    LoginAttemptTempBanThreshold = 3
    LoginAttemptTempBanDuration = 10M

    When your FilterThreshold is <= your TempBanThreshold, you're effectively disabling the temp-ban feature (and just going straight to permanent filtering). Just an FYI.

    digital man

    This Is Spinal Tap quote #11:
    Nigel Tufnel: No. no. That's it, you've seen enough of that one.
    Norco, CA WX: 73.3°F, 43.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
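An added example, not from the thread or from Synchronet, that works through two points made above: Digital Man's remark that a section such as [mail] can override the [global] defaults, and his FYI that a FilterThreshold at or below the TempBanThreshold leaves the temporary ban unreachable. The Python script resolves the effective LoginAttempt* thresholds for one section, lints them, and models which action a given failure count would trigger. The ordering model and its assumption that a threshold of 0 disables that action are mine, not Synchronet's code; the ini text is constructed from the values posted in the thread, with Rampage's tighter values placed under [Mail] as an override.

```python
"""Resolve and lint Synchronet LoginAttempt* thresholds per sbbs.ini section.

Added example: a simple model of the ordering discussed in the thread, not
Synchronet's implementation. Assumptions: a threshold of 0 disables that
action; a permanently filtered IP (ip.can) can no longer connect, so once
the filter fires the temporary ban is unreachable.
"""
import configparser

KEYS = (
    "LoginAttemptHackThreshold",
    "LoginAttemptFilterThreshold",
    "LoginAttemptTempBanThreshold",
)

# Constructed sbbs.ini fragment: the thread's defaults in [Global] and
# Rampage's tighter values as an override for the mail server only.
SAMPLE_INI = """\
[Global]
LoginAttemptDelay = 5000
LoginAttemptThrottle = 1000
LoginAttemptHackThreshold = 10
LoginAttemptFilterThreshold = 0
LoginAttemptTempBanThreshold = 20
LoginAttemptTempBanDuration = 600

[Mail]
LoginAttemptHackThreshold = 2
LoginAttemptFilterThreshold = 3
LoginAttemptTempBanThreshold = 3
LoginAttemptTempBanDuration = 10M
"""


def _section(cp, name):
    """Case-insensitive section lookup ([Global] vs [global])."""
    for s in cp.sections():
        if s.lower() == name.lower():
            return s
    return None


def effective_settings(ini_text, section):
    """Thresholds for `section`, falling back to [global], then to 0."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the mixed-case key names as written
    cp.read_string(ini_text)
    out = {}
    for key in KEYS:
        value = 0
        for name in ("global", section):  # later wins: section overrides global
            sec = _section(cp, name)
            if sec and cp.has_option(sec, key):
                value = int(cp.get(sec, key))
        out[key] = value
    return out


def lint(settings):
    """Return (code, message) findings about the threshold ordering."""
    _hack, filt, ban = (settings[k] for k in KEYS)
    findings = []
    if filt and ban and filt <= ban:
        findings.append(("filter-masks-tempban",
                         f"FilterThreshold {filt} <= TempBanThreshold {ban}: the "
                         "permanent filter fires first, so the temp-ban never does"))
    elif not filt:
        findings.append(("filter-disabled",
                         "FilterThreshold = 0: no permanent filtering; only "
                         "delay/throttle, hack-logging and temp-ban apply"))
    return findings


def actions_at(n, settings):
    """Actions the n-th consecutive failure from one IP triggers in this model."""
    hack, filt, ban = (settings[k] for k in KEYS)
    actions = []
    if hack and n >= hack:
        actions.append("hack-log")
    filtered = bool(filt) and n >= filt
    if filtered:
        actions.append("filter")
    if ban and n >= ban and not filtered:
        actions.append("temp-ban")  # unreachable once the filter has fired
    return sorted(actions)


if __name__ == "__main__":
    for section in ("mail", "bbs"):
        s = effective_settings(SAMPLE_INI, section)
        print(section, s, lint(s), "3rd failure ->", actions_at(3, s))
```

Running it shows the [Mail] override (3/3) reporting `filter-masks-tempban` while a section without overrides inherits the posted defaults (10/0/20) and reports only that filtering is disabled.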
  • From Rampage@VERT/SESTAR to Ragnarok on Tuesday, March 31, 2020 18:26:13
    Re: Re: smtp attack
    By: Ragnarok to Digital Man on Tue Mar 31 2020 17:51:39


    Ragnarok> my sbbs.ini settings are the default:
    Ragnarok> LoginAttemptDelay = 5000
    Ragnarok> LoginAttemptThrottle = 1000
    Ragnarok> LoginAttemptHackThreshold = 10
    Ragnarok> LoginAttemptFilterThreshold = 0
    Ragnarok> LoginAttemptTempBanThreshold = 20
    Ragnarok> LoginAttemptTempBanDuration = 600

    i'm using the following...

    LoginAttemptDelay = 5000
    LoginAttemptThrottle = 1000
    LoginAttemptHackThreshold = 2
    LoginAttemptFilterThreshold = 3
    LoginAttemptTempBanThreshold = 3
    LoginAttemptTempBanDuration = 10M

    and they're banned to ip.can pretty quickly as are the telnet and ssh bots...

    why let them beat on your machine for such a long time? block'em and be done with'em real quick... no need to subject your machine to beatings like that ;)


    )\/(ark

    ---
    ■ Synchronet ■ The SouthEast Star Mail HUB - SESTAR
  • From Rampage@VERT/SESTAR to Digital Man on Tuesday, March 31, 2020 19:56:13
    Re: Re: smtp attack
    By: Digital Man to Rampage on Tue Mar 31 2020 16:27:49


    When your FilterThreshold is <= your TempBanThreshold, you're
    effectively disabling the temp-ban feature (and just going
    straight to permanent filtering). Just an FYI.

    yeah, i forgot to mention that ;)

    it works quite well, too... and i've even crafted IDS rules to catch the messages from sbbs going back to the offending IP and initiate a block of said IP almost instantly... the net result is they fail, sbbs tells them, and my IP effectively disappears from the internet for them as all their traffic is dropped directly into the bitbucket at my perimeter firewall and sbbs doesn't have to mess with them any more :LOL:


    )\/(ark

    ---
    ■ Synchronet ■ The SouthEast Star Mail HUB - SESTAR