Brute Force Dictionary Attack on Dovecot: Difference between revisions

From Free Knowledge Base- The DUCK Project
Jump to navigation Jump to search
Newer edit →
Created page with "In a brute force dictionary attack, a remote host attempts to connect using common phrases for username and password, connecting and trying combinations as fast as possible, u..."
 
No edit summary
Line 3: Line 3:
The most common brute force dictionary attack against Dovecot is continuous connections to port 25, the port responsible for listening to incoming mail, and connections from clients attempting to send mail.  
The most common brute force dictionary attack against Dovecot is continuous connections to port 25, the port responsible for listening to incoming mail, and connections from clients attempting to send mail.  


ENTRIES FROM: secure (log)
messages


  Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
  Feb  6 22:21:24 mailserver01 saslauthd[1150]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
  Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
  Feb  6 22:21:24 mailserver01 saslauthd[1149]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]


The above lines are from saslauthd, there must be lines from postfix as well and they contain the IP address of the attacker.
secure
 
Feb  6 22:21:22 mailserver01 saslauthd[1150]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb  6 22:21:22 mailserver01 saslauthd[1150]: pam_succeed_if(smtp:auth): error retrieving information about user summer
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_unix(smtp:auth): check pass; user unknown
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_succeed_if(smtp:auth): error retrieving information about user summer
 
maillog
 
Feb  6 22:21:24 mailserver01 postfix/smtpd[16812]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure
Feb  6 22:21:24 mailserver01 postfix/smtpd[16814]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure
 
It is a shortcoming of postfix/dovecot/sasl that the IP address of the attacker is not stored in the messages log or the secure log.  Also, the only way to match entries from either of those two logs against the maillog is by the timestamp.  This is problematic on a server with a great deal of mail activity. 
 
It would be nice if the IP address was in the messages or secure log, or if there was a key value that could be used to match exactly with the correct entries in maillog.

Revision as of 22:59, 6 February 2014

In a brute force dictionary attack, a remote host attempts to connect using common phrases for username and password, connecting and trying combinations as fast as possible, until either entry is achieved by a match, or the overload system experiences an overflow resulting in breach.

The most common brute force dictionary attack against Dovecot is continuous connections to port 25, the port responsible for listening to incoming mail, and connections from clients attempting to send mail.

messages 

Feb  6 22:21:24 mailserver01 saslauthd[1150]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb  6 22:21:24 mailserver01 saslauthd[1149]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

secure 

Feb  6 22:21:22 mailserver01 saslauthd[1150]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb  6 22:21:22 mailserver01 saslauthd[1150]: pam_succeed_if(smtp:auth): error retrieving information about user summer
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_unix(smtp:auth): check pass; user unknown
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_succeed_if(smtp:auth): error retrieving information about user summer

maillog 

Feb  6 22:21:24 mailserver01 postfix/smtpd[16812]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure
Feb  6 22:21:24 mailserver01 postfix/smtpd[16814]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure

It is a shortcoming of postfix/dovecot/sasl that the IP address of the attacker is not stored in the messages log or the secure log. Also, the only way to match entries from either of those two logs against the maillog is by the timestamp. This is problematic on a server with a great deal of mail activity.

It would be nice if the IP address was in the messages or secure log, or if there was a key value that could be used to match exactly with the correct entries in maillog.

Retrieved from "http://wiki.robotz.com/index.php?title=Brute_Force_Dictionary_Attack_on_Dovecot&oldid=8123"