Limit login to localhost

Questions and answers about how to do stuff
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Limit login to localhost

Post by ajmind »

My eFa box is only used as an e-mail gateway, so no user logs in at all, except myself via ssh or https.

In /var/log/secure I see many external login attempts.


Aug 16 12:00:04 IT1MAILGW1 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 12:00:04 IT1MAILGW1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test03 rhost=141.98.11.112
Aug 16 12:00:12 IT1MAILGW1 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 12:00:12 IT1MAILGW1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=facebook rhost=141.98.11.17
Aug 16 12:01:02 IT1MAILGW1 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 12:01:02 IT1MAILGW1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=message rhost=141.98.10.194
Aug 16 12:01:20 IT1MAILGW1 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 12:01:20 IT1MAILGW1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=program rhost=91.224.92.110

So my question is, how to disable these (external) login attempts?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

Ask yourself where are the login attempts coming from and what program are they trying to connect to?

Answer: dovecot.

dovecot is the imap and pop server process that manages mailboxes for external users. It also provides user authentication for smtp connections.

So have a look at your /var/log/messages and search for one of those IP addresses. What you will find is a series of attempts to use smtp authentication. For example, in my logs I can see the following:

/var/log/secure
Aug 16 00:17:53 efa4 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 00:17:53 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ian rhost=141.98.11.17
/var/log/messages
Aug 16 00:17:50 efa4 postfix/smtpd[16692]: connect from unknown[141.98.11.17]
Aug 16 00:17:51 efa4 postfix/smtpd[16692]: Anonymous TLS connection established from unknown[141.98.11.17]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 16 00:17:57 efa4 postfix/smtpd[16692]: warning: unknown[141.98.11.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
which seems pretty clear to me that someone is either trying to guess accounts/passwords, or use my smtp server to send spam. Either way, that's unacceptable.

If I want to stop this, then I cannot block smtp connections as that would be rather counterproductive, so the best thing to do is to look for these repeated entries (notice that I am getting the connection attempts from the same network you are getting connection attempts from?) and then firewall them individually.

How do we do that? Fail2Ban!

I've already configured Fail2Ban to watch for and block anyone making multiple failed authentication attempts from the same IP, so they get a few free guesses before I firewall those assholes.

/var/log/fail2ban
2022-08-16 00:17:57,428 fail2ban.filter [1779]: INFO [postfix-sasl] Found 141.98.11.17 - 2022-08-16 00:17:57
2022-08-16 00:17:57,582 fail2ban.actions [1779]: NOTICE [postfix-sasl] Ban 141.98.11.17
Fail2ban then adds that asshole to the firewall

iptables --list -n
Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
[snip]
REJECT     all  --  141.98.11.17         0.0.0.0/0            reject-with icmp-port-unreachable
And that is how you deal with this problem. The solution is not perfect, but it is a good hardening step.

(my local efa firewall has about 1500 blocked hosts at the moment)
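The correlation described in the post above (find the rhost from /var/log/secure in the postfix/smtpd session in /var/log/messages, then count failures per source the way fail2ban does with findtime and maxretry), as an added example. This is not eFa's or fail2ban's own code: the log lines are constructed to mirror the format shown in the thread (the syslog year is assumed to be 2022), and the thresholds (findtime 3h, maxretry 3) and the 10-second correlation window are assumptions.

```python
"""Correlate Dovecot SASL failures with Postfix smtpd sessions and apply a
fail2ban-style findtime/maxretry ban decision.

Added example, not eFa's or fail2ban's own code. The log lines are constructed
to mirror the format seen in the thread; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2022                       # syslog lines carry no year; assumed
FINDTIME = timedelta(hours=3)     # assumed jail parameters
MAXRETRY = 3

# Constructed /var/log/secure lines (Dovecot is Postfix's SASL backend here).
# The "check pass; user unknown" line is deliberately present: it is noise and is skipped.
SECURE_LOG = """\
Aug 16 00:17:53 efa4 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 00:17:53 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ian rhost=141.98.11.17
Aug 16 00:18:10 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test03 rhost=141.98.11.17
Aug 16 00:18:41 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=facebook rhost=141.98.11.17
Aug 16 00:19:02 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=message rhost=141.98.10.194
Aug 16 06:30:00 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=program rhost=141.98.10.194
Aug 16 06:30:30 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=141.98.10.194
"""

# Constructed /var/log/messages lines for the same sessions.
MAIL_LOG = """\
Aug 16 00:17:50 efa4 postfix/smtpd[16692]: connect from unknown[141.98.11.17]
Aug 16 00:17:51 efa4 postfix/smtpd[16692]: Anonymous TLS connection established from unknown[141.98.11.17]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 16 00:17:57 efa4 postfix/smtpd[16692]: warning: unknown[141.98.11.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 16 00:19:05 efa4 postfix/smtpd[16701]: warning: unknown[141.98.10.194]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

TS = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
DOVECOT_RE = re.compile(TS + r" \S+ auth: pam_unix\(dovecot:auth\): authentication failure;.*?ruser=(\S*) rhost=(\S+)")
SMTPD_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")


def _ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def dovecot_failures(text):
    """(time, ruser, rhost) for every Dovecot auth failure in the text."""
    return [(_ts(m[1]), m[2], m[3]) for m in map(DOVECOT_RE.match, text.splitlines()) if m]


def smtpd_failures(text):
    """(time, client_ip) for every Postfix SASL failure warning in the text."""
    return [(_ts(m[1]), m[2]) for m in map(SMTPD_RE.match, text.splitlines()) if m]


def correlate(dovecot, smtpd, window=timedelta(seconds=10)):
    """Pair each Dovecot failure with the smtpd warning from the same IP logged
    within `window` after it (the SMTP 535 follows the PAM check)."""
    pairs = []
    for t, ruser, ip in dovecot:
        for t2, ip2 in smtpd:
            if ip2 == ip and t <= t2 <= t + window:
                pairs.append((ip, ruser, t2))
                break
    return pairs


def ban_decisions(events, findtime=FINDTIME, maxretry=MAXRETRY):
    """fail2ban-style sliding window over (time, ip) events: an IP is banned
    once it has `maxretry` failures inside `findtime`. Returns {ip: ban_time}."""
    recent = defaultdict(deque)
    bans = {}
    for t, ip in sorted(events):
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > findtime:     # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = t
    return bans


def usernames_tried(dovecot):
    """Distinct usernames per source IP; a long list is the dictionary attack."""
    tried = defaultdict(set)
    for _, ruser, ip in dovecot:
        tried[ip].add(ruser)
    return tried


if __name__ == "__main__":
    dv = dovecot_failures(SECURE_LOG)
    for ip, when in ban_decisions([(t, ip) for t, _, ip in dv]).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    for ip, ruser, when in correlate(dv, smtpd_failures(MAIL_LOG)):
        print(f"{ip} tried {ruser!r}, smtpd rejected at {when:%H:%M:%S}")
```

Note the second source in the sample: three failures spread over more than findtime never trip the ban, which is exactly why a slow attacker survives a short findtime and why the jail's findtime is worth raising when the guessing is patient.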
Aryfir
Posts: 21
Joined: 04 Sep 2020 13:52

Re: Limit login to localhost

Post by Aryfir »

Just want to make clear here, since the OP said that he uses EFA as a mail gateway.

I use EFA purely as a mail gateway (with 8 mail servers behind it), and the ports open to the outside world are based on https://wiki.efa-project.org/doku.php?id=firewall_ports, and for 2 years I've never seen log reports like that before.

In my setup, EFA is behind a NAT router and only the SMTP port 25 is forwarded; no POP3 or IMAP port is open.

Try to open only the ports from the wiki, and see what happens.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

My server only has the three smtp ports open.

The authentication attempts are happening over smtp.

dovecot is just acting as the authenticator.
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Re: Limit login to localhost

Post by ajmind »

dovecot is just acting as the authenticator.
That was the point where I was struggling a bit. As I use the eFa box only as the external gateway, it was not clear to me why dovecot, with its POP3 and IMAP capability, is involved here.

Now I know it :-)

And yes, the solution is fail2ban, which I am using too. However, I had to modify the postfix-sasl jail due to the heavy brute-force attacks that occurred these days.

Thank you for your reply and clarification! :clap:
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

What changes did you make to your postfix-sasl jail configuration?

I was looking through the configuration and I noticed that there is a way to integrate it with blocklist.de, a fail2ban reporting site. The idea is, if multiple people are reporting the same IPs, then everyone can get the benefit of an updated blocklist, perhaps a little faster.

I'm still working out how to enable it on my installation.
Aryfir
Posts: 21
Joined: 04 Sep 2020 13:52

Re: Limit login to localhost

Post by Aryfir »

Interesting, and please bear with me, guys. I don't understand this "dovecot is just acting as the authenticator" on the EFA box.

In my mind the sentence above comes across as another concept of how to protect the EFA box or secure sent/received e-mail, or is there another concept behind it?

In my EFA settings, all my mail servers receive from and send to the EFA box only, so I get the advantage of EFA blocking spam/viruses even from my internal mail servers (and this means no POP3, IMAP or SMTP port open except port 25).

Submission port, POP3 and IMAP are exclusively handled by the mail server (not the EFA box) for user e-mail clients.

BTW, I use a small MikroTik box (as NAT/firewall router) to pull the blocklist.de, firehole-1 and firehole-2 lists... and it really does the job.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

postfix doesn't do sasl authentication. Instead, it hands it off to another program: http://www.postfix.org/SASL_README.html ... asl_enable

If you look in your /etc/postfix/master.cf, you will see that the submission process has the following parameters (or it does on mine):

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
This is why dovecot is being used, and why we are seeing the sasl authentication errors in the logs, especially if you allow sasl authentication.

This has nothing to do with imap or pop. Does that make sense to you now?
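The dialog behind those two log lines, as an added example that is not Postfix's or Dovecot's own code: smtpd runs the SMTP side of AUTH LOGIN on the submission port and hands the credentials to Dovecot over private/auth, so one bad guess leaves both a pam_unix(dovecot:auth) line in /var/log/secure and a postfix/smtpd SASL warning in /var/log/messages. The credential store, the client inputs and the exact wording of the 535 reply are assumptions; the 334 challenges are the real LOGIN mechanism prompts, which is why the warning in the thread ends in UGFzc3dvcmQ6 (base64 of "Password:") rather than anything the attacker typed.

```python
"""AUTH LOGIN as seen on the SMTP submission port, and the log line it leaves.

Added example, not Postfix's or Dovecot's own code. USERS, the client inputs
and the exact wording of the 535 reply are assumptions; the 334 challenges
are the standard LOGIN mechanism prompts.
"""
import base64
import hmac
import re

# Constructed credential store standing in for Dovecot's passdb.
USERS = {"ian": "correct horse battery staple"}


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s).decode()


def auth_login(username: str, password: str, client_ip: str = "141.98.11.17") -> dict:
    """Replay one AUTH LOGIN attempt. Returns the wire transcript, whether it
    succeeded, the last server challenge and an smtpd-style warning line."""
    transcript = ["C: AUTH LOGIN"]
    challenge = b64("Username:")                         # VXNlcm5hbWU6
    transcript += [f"S: 334 {challenge}", f"C: {b64(username)}"]
    challenge = b64("Password:")                         # UGFzc3dvcmQ6
    transcript += [f"S: 334 {challenge}", f"C: {b64(password)}"]

    expected = USERS.get(username)
    # Unknown user and wrong password look identical on the wire; only the
    # server-side log tells them apart ("user unknown" vs "authentication failure").
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    if ok:
        transcript.append("S: 235 2.7.0 Authentication successful")
        log = None
    else:
        # The failure reason that reaches the reply and the warning is the last
        # challenge sent, modelled on the log line in the thread.
        transcript.append(f"S: 535 5.7.8 Error: authentication failed: {challenge}")
        log = (f"postfix/smtpd[16692]: warning: unknown[{client_ip}]: "
               f"SASL LOGIN authentication failed: {challenge}")
    return {"ok": ok, "transcript": transcript, "last_challenge": challenge, "log": log}


LOG_REASON_RE = re.compile(r"SASL (\w+) authentication failed: (\S+)$")


def explain_log_reason(line: str):
    """Decode the trailing token of a postfix SASL warning. For LOGIN it is the
    base64 of the last challenge, so it carries no attacker-supplied data."""
    m = LOG_REASON_RE.search(line)
    if not m:
        return None
    mech, reason = m.groups()
    try:
        decoded = unb64(reason)
    except (ValueError, UnicodeDecodeError):
        decoded = None
    return mech, decoded


if __name__ == "__main__":
    attempt = auth_login("ian", "letmein")
    print("\n".join(attempt["transcript"]))
    print(explain_log_reason(attempt["log"]))
```

The constant-time comparison and the identical 535 for "no such user" and "wrong password" are the two properties worth keeping in any real authenticator: the attacker probing the submission port learns nothing about which usernames exist, and only the gateway's own log records that distinction.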
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Re: Limit login to localhost

Post by ajmind »

pdwalker wrote: 17 Aug 2022 12:26 What changes did you make to your postfix-sasl jail configuration?
In my eFa.local jail:


[DEFAULT]
# available once you have registered at blocklist.de and registered your server there
blocklist_de_apikey = <your blocklist.de api key>
# recipient of local notifications of service status
destemail = myemail@domain.com
# sender
sendermail = another@domain.com
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 7d
# bantime = 604800
findtime = 3h
# findtime = 10800

maxretry = 3
backend = auto
usedns = warn

[sshd]
enabled = true

[postfix-sasl]
enabled = true
#filter = postfix[mode=auth]
filter = postfix[mode=extra]
action = %(action_blocklist_de)s
and in my copy of jail.conf, i.e. jail.local:


action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
                       %(action_)s
                       %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

Look at "server" and "apikey" in /var/log/fail2ban.log to check which e-mail address and apikey are used to report to blocklist.de. The address with the "blocklist_de_apikey" should be visible on your server entry at the blocklist site.
Aryfir
Posts: 21
Joined: 04 Sep 2020 13:52

Re: Limit login to localhost

Post by Aryfir »

Thank you pdwalker,

I'm thinking like a conventional mail server: the Postfix SMTP server uses Dovecot SASL, and this Dovecot SASL authentication authenticates/validates POP/IMAP clients.

CMIIW, is it because the OP opened the dovecot port to the outside on his EFA box that he saw the authentication failure reports? Instead of me, who opens port 25 only...

Another assumption: the OP uses the EFA box as an SMTP server directly from mail clients, so somebody is trying to use his EFA box as an SMTP relay?

Apologies for the many questions, because I'm banging my head trying to understand why there are auth failure reports.....
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Re: Limit login to localhost

Post by ajmind »

Aryfir wrote: 18 Aug 2022 14:06 I'm thinking like conventional mail server, Postfix SMTP server uses Dovecot SASL, and this Dovecot SASL Authentication to authenticate/validate POP/IMAP clients.

CMIIW is that because the op open port dovecot to the outside on his Efa Box, that is why he saw authentication failure report? Instead of me that open port 25 only...
No, my eFa box also has no ports open from the outside to accept POP/IMAP clients.

Read again:
pdwalker wrote: 18 Aug 2022 09:52 postfix doesn't do sasl authentication. Instead, it hands it off to another program: http://www.postfix.org/SASL_README.html ... asl_enable
...
This is why dovecot is being used, and why we are seeing the sasl authentication errors in the logs, especially if you allow sasl authentication.

This has nothing to do with imap or pop. Does that make sense to you now?
open ports are:
:25 SMTP
:587 SMTPS
Aryfir
Posts: 21
Joined: 04 Sep 2020 13:52

Re: Limit login to localhost

Post by Aryfir »

Ooo Wow,

That answers it for me: you opened port 587 to the outside, somebody is brute-forcing, trying to use your EFA box as an SMTP relay, and your secure log is generating the error reports. Or you opened port 587 because you use authentication on your mail server to communicate with your EFA box for outbound mail.

BTW, we are not talking about POP/IMAP in particular here; I'm just curious whether the auth reports contain any chance of a security leak.

In my opinion you don't need to open any SMTP port except port 25 (and it is mentioned in the wiki):

In my settings,

1. EFA box > Mail Settings > Outbound Mail Relay > Current Allowed Address (the public IP range of all my mail servers, or if it is random you can put them in one by one)

This only allows relaying of outgoing mail from the IPs mentioned above.

2. EFA box > Mail Settings > Transport Settings (contains the domain and hostname of my mail server, which the EFA box uses as the destination server)

So there is no way somebody from outside can use my EFA box as an SMTP relay, and it helps me keep this EFA box efficient and simple.

Thanks to Mr. Shawn Iverson (author/developer of the EFA Project) and others; maybe he can explain how to set up EFA much better.
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Re: Limit login to localhost

Post by ajmind »

Our eFa box does not send all outgoing traffic directly to the recipient MTA. We use a relay server where we authenticate over port 587. :D
Aryfir
Posts: 21
Joined: 04 Sep 2020 13:52

Re: Limit login to localhost

Post by Aryfir »

Okay clear then,

If I had known from the beginning that you are using an outgoing smarthost in front of your EFA box, I wouldn't have continued to argue on this topic. I know that Postfix does not have an authentication framework, so it uses Dovecot SASL (or Cyrus SASL), but I kept scratching my head trying to understand what this has to do with EFA.

If I were in your position, I would use firewall rules on EFA to listen to the IP address/hostname of your smarthost only... and you will sleep like a baby..... :D
Last edited by Aryfir on 19 Aug 2022 13:35, edited 1 time in total.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

ajmind wrote: 18 Aug 2022 13:19In my eFa.local jail:
[snip]
Thank you, that is very helpful. I previously knew nothing about fail2ban, so I did some voodoo and got it working well enough.

Now that I actually want to do something specific, I've had to spend the last couple of days reading up on the software, how it works and how to actually configure it.

Your configuration now makes sense and will save me a few steps.

PS: I found another action target called "dummy" in my /etc/fail2ban/actions.d/dummy.conf which is useful for debugging. Very helpful.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

Aryfir wrote: 18 Aug 2022 14:06I'm thinking like conventional mail server, Postfix SMTP server uses Dovecot SASL, and this Dovecot SASL Authentication to authenticate/validate POP/IMAP clients.
It's also to authenticate encrypted smtp connections. No pop/imap required.
Aryfir wrote: 18 Aug 2022 14:06CMIIW is that because the op open port dovecot to the outside on his Efa Box, that is why he saw authentication failure report? Instead of me that open port 25 only...
No, encrypted smtp connections only require ports 25 and 587
Aryfir wrote: 18 Aug 2022 14:06Another assumption that the op use EFA Box as a SMTP server directly from mail client? so somebody trying to make his EFA Box as a SMTP relay?
Possibly. You could do this if you wanted, but that's normally not what you want to do.

Also, all SMTP servers will be tested constantly for open relaying, or common username/passwords for encrypted smtp sending. After all, if the spammers can find a server they can use, they will use it.
Aryfir wrote: 18 Aug 2022 14:06Apologise for lots question, cause i'm banging my head trying to understand why there is auth failure report.....
Is it clear now?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

Aryfir wrote: 18 Aug 2022 16:01 Thats answering me, that you open port 587 to the outside and somebody brute force trying to make your EFA Box as SMTP Relay and your secure log is generating error report. Or you open port 587 cause you use authentication level on your mailserver to communicate to your EFA Box for outbound.

[snip]

In my opinion you don't need to open SMTP Port except Port 25 (and it is mentioning in the WIKI):
Port 587 is necessary for anonymous encryption between mailservers. Port 25 traffic is usually unencrypted. It is good to have port 587 for mailservers that want to encrypt the connection, otherwise 3rd parties can read the email traffic as it travels between mailservers.
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Re: Limit login to localhost

Post by ajmind »

pdwalker wrote: 19 Aug 2022 06:21
Port 587 is necessary for anonymous encryption between mailservers. Port 25 traffic is usually unencrypted. It is good to have port 587 for mailservers that want to encrypt the connection, otherwise 3rd parties can read the email traffic as it travel between mailservers.

This is not correct: anonymous TLS communication needs only port 25, nothing else. If you need authentication between mailservers you need port 587, but this is something different.

So Aryfir is right: you do not need any other port than port 25, except when some involved process needs individual authentication. ;)
Aryfir
Posts: 21
Joined: 04 Sep 2020 13:52

Re: Limit login to localhost

Post by Aryfir »

pdwalker wrote: 19 Aug 2022 06:21
Aryfir wrote: 18 Aug 2022 16:01 Thats answering me, that you open port 587 to the outside and somebody brute force trying to make your EFA Box as SMTP Relay and your secure log is generating error report. Or you open port 587 cause you use authentication level on your mailserver to communicate to your EFA Box for outbound.

[snip]

In my opinion you don't need to open SMTP Port except Port 25 (and it is mentioning in the WIKI):
Port 587 is necessary for anonymous encryption between mailservers. Port 25 traffic is usually unencrypted. It is good to have port 587 for mailservers that want to encrypt the connection, otherwise 3rd parties can read the email traffic as it travel between mailservers.
Where did you get this from?

Mail server to mail server (MTA to MTA), or EFA to target MTA, connections happen via port 25 only, whether plain text (no encryption) or a TLS cipher is used.

EFA supports TLS 1.2, and that's why you will see an ESMTPS id (with S) in the recipient's e-mail header when you send e-mail via EFA as a mail gateway.

We are not talking about user mail client problems here (as you throw in some theory of SMTP/POP/IMAP; submission port, POP3 and IMAP are exclusively handled by the mail server, not the EFA box). ajmind's problem here is on his EFA box only (because he saw attacks on port 587), and not between his EFA box and his mail server, or between his MTA and MUA (user mail client).

@ajmind:

Correct,

You don't even need to open port 587 on your side (EFA box), because you use that smarthost as a relay MTA where the connection also occurs on port 25. If your smarthost uses a specific port other than 25, that's another story......
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

Maybe I didn't state it correctly as my knowledge is not perfect.

Ports 25, 465 and 587 are all used for SMTP transmission, which may or may not be encrypted. The rest is just details.

Modern mail servers prefer encrypted connections. Old mail servers are happy to use unencrypted.

Many ISPs block port 25 traffic, but allow 587. A mail server should allow both.

If your mail server offers smtpauth, then you will get driveby "hack" attempts on ports 25 and 587. Blocking 587 will not stop the problem.
ajmind
Posts: 53
Joined: 28 Mar 2017 15:26

Re: Limit login to localhost

Post by ajmind »

pdwalker wrote: 22 Aug 2022 06:50 ...
Modern mail servers prefer encrypted connections. Old mail servers are happy to use unencrypted.

Many ISPs block port 25 traffic, but allow 587. A mail server should allow both.
I would disagree here again. Port 25 cannot be blocked in any case, as all standard mail servers will contact this port. (If you own the MX record you have to accept your e-mails on port 25 from other mail servers.)

Port 587 is only applicable when SMTP connections should be authenticated, and this is typically only a client connection.

Between mail servers only port 25 is applicable, except when someone is creating some special use case, like me. I use another mail server as a smarthost to send e-mails out, and my mail server can only relay the e-mails with an authenticated connection on port 587 (like a client).
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Limit login to localhost

Post by pdwalker »

You are free to do what you wish with your own mailserver.