Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Need some informations about mail server attacks

Posted on 2013-06-16
10
985 Views
Last Modified: 2013-11-16
One of my customer mail server is actually under attack.  I don't have tons of knowledge about any kind of attack, but i've few questions:

1. All the log files show 'Invalid Username or Password', but the emails that they are trying to use to login are not fake email... they do really exist on our server. Is there a security problem or it's just too easy to get the email address from a server and it's not possible to prevent it?

2. What's the best way to prevent brute force attack on a mail server?


They are using an old version of MailEnable installed with Plesk.  I've seen no such option as "Ban IP after X Invalid username or password".
0
Comment
Question by:cdebel
10 Comments
 
LVL 15

Assisted Solution

by:Ian Meredith
Ian Meredith earned 50 total points
ID: 39252116
1. It isn't too hard to get email addresses for this type of thing.  They can be 'farmed' from various sources.
A good chance the email addresses were obtained in other way than some sneak attack on your mail server.

2.  Get hosted email filtering, that way you can lock down your firewall to only accept incoming traffic on port 25 (SMTP) from the service providers ip range.  No more brute force attacks.

Cheers
0
 
LVL 10

Author Comment

by:cdebel
ID: 39252821
Can you explain a bit more about #2?   Any service provider doing "Email Filtering"?

Do i have to setup all the mailbox on this kind of service?  Do i have to change the MX record to point to this service?  etc...
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 50 total points
ID: 39272090
Also take a look at EMET security for your server. This a genuine Microsoft product designed for Servers and Workstation and the new Version 4 has Certificate Pinning added on. I have it running on my Windows 8 workstation successfully, but I have not yet put in on a Server (my clients have outsourced hosted email).

Go here and read up on it.

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

.... Thinkpads_User
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 63

Assisted Solution

by:btan
btan earned 400 total points
ID: 39273502
Check this on reacting to the brute force on mail accounts - primarily using iptable to mitigate for the time being. But do also encourage complex password and effect account lockout (though it can be inconvenient to user). Also the next part is to harden the server and consider DKIM and SPam protection
http://serverkb.co.uk/wiki/Mail#Brute_force_on_mail_accounts

There are more security capability listed below but I do suspect you need upgrade
http://www.mailenable.com/features/anti-spam.asp

IP Address Whitelisting
Abuse protection from dictionary attacks
DKIM
Abuse Policy
Failed Auth Account Lockout

other ref - MailEnable Lockdown Utility
http://www.mailenable.com/security/lockdown.asp
0
 
LVL 10

Author Comment

by:cdebel
ID: 39273542
Do you know if there's any method to use IP table files with a Windows Server 2008?  Because i've found some web sites listing every IP ranges from China, Roumania, Ukraine, Russia, etc...  but i've not found any method to import these rules.  I've found some method using netsh advfirewall for Windows Server 2008.  If i can't find any tool to do it, i'll script it.

I also thought about buying Mail Enable... at least to get the latest version with all the fixes.  There might be a ton of vulnerabilities in the version that my customer use.  We will probably do that.

Thanks a lot for your input breadtan

@Thinkpads_user: i'll also look at EMET.
0
 
LVL 63

Accepted Solution

by:
btan earned 400 total points
ID: 39273990
There is one called WIPFW @ http://wipfw.sourceforge.net/ that run on Windows 2000, XP, 2003, Vista, Windows7, 2008,2008 R2. But it is is unable to change packets content, so it is impossible to redirect packets.

Actually if there is no physical FW fronting server at the perimeter then I will resort to the host based prevention s/w (HIPS) installed in the server for holistic protection controls. if the latter is also not available, i see more to leverage the inherent windows FW in the OS to do it.  HIPS can include symantec SEP or Mcafee endpoint protection etc.
But that would be quite a hassle for short term since you already seeing attacks, but long term it will be worth exploring into investing it.

Coming back to Windows FW, there is MMC snap-in as well and of course netsh advfirewall is also CLI equ. There are also other scripts in the below links

MMC Snap-in
http://technet.microsoft.com/en-us/library/ff428136.aspx
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html

Resource - Using Windows Firewall with Advanced Security
(include best practice, COMAPI, scription API and VB scripts sample)
http://msdn.microsoft.com/en-us/library/aa366418(v=vs.85).aspx
0
 
LVL 10

Author Comment

by:cdebel
ID: 39278428
I've checked with the host (1&1) and there's an hardware firewall that i actually use, but there's a maximum of 25 rules that i can setup in it.  So i can't fill it up with the iptable content to ban these countries.

I'm not sure to understand for wipfw when you say it's impossible to redirect packets.   It block them, but doesn't forward them to a dummy server where the attacker that could let him think that he is actually hacking something?

WIPFW seems like something i'll like.  I'll install it locally to do some tests.

Is there any advandtage to use it instead of Windows FW?   The one i see are: It seems to be easier to script with WIPFW, and it's probably safer because the potential risk of an exploit found for Windows FW is higher than a 3rd party.

It still doesn't take 100% iptable file but it would be really easy to do it with just few lines of code.
0
 
LVL 63

Expert Comment

by:btan
ID: 39280059
probably in the past Windows w/o advfirewall wipfw may surpass but actually I see it more of user being familiar with ipfw and wanted something close in Windows. It does has flexibility in rules and to extedn of having dynamic rules in the fly to allow packet through. Its config is also in a wipfw.conf (if I am not wrong) that consolidate all gist for the ipfw preference in sharing ease to other machine etc.

Understand the Windows FW prior to Vista is limiting and will not filter egress traffic and has poor logging. It would have changed but WIPFW is also in constant check and upgrade.

As for the redirection, I believe is it cannot change anything in the packet hence destination IP address probably cannot be re-routed esle - it is still a due diligence type drop and allow
0
 
LVL 10

Author Comment

by:cdebel
ID: 39281102
Well, i think i have enough informations to help me to cover some security risk.

Buying mail enable standard, not the free edition
Doing some tests with WIPFW, and write a small program to add rules on the fly to avoid attacks from reaching the servers

Thanks a lot for the help you have provided!
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question