Solved

Need some informations about mail server attacks

Posted on 2013-06-16
10
983 Views
Last Modified: 2013-11-16
One of my customer mail server is actually under attack.  I don't have tons of knowledge about any kind of attack, but i've few questions:

1. All the log files show 'Invalid Username or Password', but the emails that they are trying to use to login are not fake email... they do really exist on our server. Is there a security problem or it's just too easy to get the email address from a server and it's not possible to prevent it?

2. What's the best way to prevent brute force attack on a mail server?


They are using an old version of MailEnable installed with Plesk.  I've seen no such option as "Ban IP after X Invalid username or password".
0
Comment
Question by:cdebel
10 Comments
 
LVL 15

Assisted Solution

by:Ian Meredith
Ian Meredith earned 50 total points
ID: 39252116
1. It isn't too hard to get email addresses for this type of thing.  They can be 'farmed' from various sources.
A good chance the email addresses were obtained in other way than some sneak attack on your mail server.

2.  Get hosted email filtering, that way you can lock down your firewall to only accept incoming traffic on port 25 (SMTP) from the service providers ip range.  No more brute force attacks.

Cheers
0
 
LVL 10

Author Comment

by:cdebel
ID: 39252821
Can you explain a bit more about #2?   Any service provider doing "Email Filtering"?

Do i have to setup all the mailbox on this kind of service?  Do i have to change the MX record to point to this service?  etc...
0
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 50 total points
ID: 39272090
Also take a look at EMET security for your server. This a genuine Microsoft product designed for Servers and Workstation and the new Version 4 has Certificate Pinning added on. I have it running on my Windows 8 workstation successfully, but I have not yet put in on a Server (my clients have outsourced hosted email).

Go here and read up on it.

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

.... Thinkpads_User
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 62

Assisted Solution

by:btan
btan earned 400 total points
ID: 39273502
Check this on reacting to the brute force on mail accounts - primarily using iptable to mitigate for the time being. But do also encourage complex password and effect account lockout (though it can be inconvenient to user). Also the next part is to harden the server and consider DKIM and SPam protection
http://serverkb.co.uk/wiki/Mail#Brute_force_on_mail_accounts

There are more security capability listed below but I do suspect you need upgrade
http://www.mailenable.com/features/anti-spam.asp

IP Address Whitelisting
Abuse protection from dictionary attacks
DKIM
Abuse Policy
Failed Auth Account Lockout

other ref - MailEnable Lockdown Utility
http://www.mailenable.com/security/lockdown.asp
0
 
LVL 10

Author Comment

by:cdebel
ID: 39273542
Do you know if there's any method to use IP table files with a Windows Server 2008?  Because i've found some web sites listing every IP ranges from China, Roumania, Ukraine, Russia, etc...  but i've not found any method to import these rules.  I've found some method using netsh advfirewall for Windows Server 2008.  If i can't find any tool to do it, i'll script it.

I also thought about buying Mail Enable... at least to get the latest version with all the fixes.  There might be a ton of vulnerabilities in the version that my customer use.  We will probably do that.

Thanks a lot for your input breadtan

@Thinkpads_user: i'll also look at EMET.
0
 
LVL 62

Accepted Solution

by:
btan earned 400 total points
ID: 39273990
There is one called WIPFW @ http://wipfw.sourceforge.net/ that run on Windows 2000, XP, 2003, Vista, Windows7, 2008,2008 R2. But it is is unable to change packets content, so it is impossible to redirect packets.

Actually if there is no physical FW fronting server at the perimeter then I will resort to the host based prevention s/w (HIPS) installed in the server for holistic protection controls. if the latter is also not available, i see more to leverage the inherent windows FW in the OS to do it.  HIPS can include symantec SEP or Mcafee endpoint protection etc.
But that would be quite a hassle for short term since you already seeing attacks, but long term it will be worth exploring into investing it.

Coming back to Windows FW, there is MMC snap-in as well and of course netsh advfirewall is also CLI equ. There are also other scripts in the below links

MMC Snap-in
http://technet.microsoft.com/en-us/library/ff428136.aspx
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html

Resource - Using Windows Firewall with Advanced Security
(include best practice, COMAPI, scription API and VB scripts sample)
http://msdn.microsoft.com/en-us/library/aa366418(v=vs.85).aspx
0
 
LVL 10

Author Comment

by:cdebel
ID: 39278428
I've checked with the host (1&1) and there's an hardware firewall that i actually use, but there's a maximum of 25 rules that i can setup in it.  So i can't fill it up with the iptable content to ban these countries.

I'm not sure to understand for wipfw when you say it's impossible to redirect packets.   It block them, but doesn't forward them to a dummy server where the attacker that could let him think that he is actually hacking something?

WIPFW seems like something i'll like.  I'll install it locally to do some tests.

Is there any advandtage to use it instead of Windows FW?   The one i see are: It seems to be easier to script with WIPFW, and it's probably safer because the potential risk of an exploit found for Windows FW is higher than a 3rd party.

It still doesn't take 100% iptable file but it would be really easy to do it with just few lines of code.
0
 
LVL 62

Expert Comment

by:btan
ID: 39280059
probably in the past Windows w/o advfirewall wipfw may surpass but actually I see it more of user being familiar with ipfw and wanted something close in Windows. It does has flexibility in rules and to extedn of having dynamic rules in the fly to allow packet through. Its config is also in a wipfw.conf (if I am not wrong) that consolidate all gist for the ipfw preference in sharing ease to other machine etc.

Understand the Windows FW prior to Vista is limiting and will not filter egress traffic and has poor logging. It would have changed but WIPFW is also in constant check and upgrade.

As for the redirection, I believe is it cannot change anything in the packet hence destination IP address probably cannot be re-routed esle - it is still a due diligence type drop and allow
0
 
LVL 10

Author Comment

by:cdebel
ID: 39281102
Well, i think i have enough informations to help me to cover some security risk.

Buying mail enable standard, not the free edition
Doing some tests with WIPFW, and write a small program to add rules on the fly to avoid attacks from reaching the servers

Thanks a lot for the help you have provided!
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
The 21st century solution to antiquated pagers.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now