Christian de Bellefeuille (Canada)

asked on

Need some informations about mail server attacks

One of my customer's mail servers is currently under attack. I don't have tons of knowledge about any kind of attack, but I have a few questions:

1. All the log files show 'Invalid Username or Password', but the email addresses they are trying to use to log in are not fake... they really do exist on our server. Is there a security problem, or is it just too easy to get the email addresses from a server and not possible to prevent?

2. What's the best way to prevent brute-force attacks on a mail server?


They are using an old version of MailEnable installed with Plesk. I've seen no option such as "Ban IP after X invalid username or password attempts".
SOLUTION
Ian Meredith (Australia)

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

ASKER

Can you explain a bit more about #2? Any service provider doing "Email Filtering"?

Do I have to set up all the mailboxes on this kind of service? Do I have to change the MX record to point to this service? etc.
SOLUTION
SOLUTION
Do you know if there's any method to use iptables files with Windows Server 2008? I've found some websites listing every IP range from China, Romania, Ukraine, Russia, etc., but I've not found any method to import these rules. I've found a method using netsh advfirewall for Windows Server 2008. If I can't find any tool to do it, I'll script it.

I also thought about buying MailEnable... at least to get the latest version with all the fixes. There might be a ton of vulnerabilities in the version that my customer uses. We will probably do that.

Thanks a lot for your input breadtan

@Thinkpads_user: I'll also look at EMET.
ASKER CERTIFIED SOLUTION
I've checked with the host (1&1) and there's a hardware firewall that I currently use, but there's a maximum of 25 rules that I can set up in it. So I can't fill it up with the iptables content to ban these countries.

I'm not sure I understand about wipfw when you say it's impossible to redirect packets. It blocks them, but doesn't forward them to a dummy server that could let the attacker think he is actually hacking something?

WIPFW seems like something I'll like. I'll install it locally to do some tests.

Is there any advantage to using it instead of Windows FW? The ones I see are: it seems to be easier to script with WIPFW, and it's probably safer because the potential risk of an exploit being found for Windows FW is higher than for a 3rd-party one.

It still doesn't take 100% of an iptables file, but it would be really easy to do with just a few lines of code.
btan

Probably in the past, on Windows without advfirewall, wipfw may have surpassed it, but actually I see it more as users being familiar with ipfw and wanting something close to it on Windows. It does have flexibility in rules, to the extent of having dynamic rules on the fly to allow packets through. Its config is also in a wipfw.conf (if I am not wrong) that consolidates all the gist of the ipfw preferences, for ease of sharing to other machines etc.

Understand that the Windows FW prior to Vista is limited: it will not filter egress traffic and has poor logging. That would have changed since, but WIPFW is also under constant check and upgrade.

As for the redirection, I believe it cannot change anything in the packet, hence the destination IP address probably cannot be re-routed elsewhere; it is still a due-diligence type of drop and allow.
Well, I think I have enough information to help me cover some of the security risks.

Buying MailEnable Standard, not the free edition
Doing some tests with WIPFW, and writing a small program to add rules on the fly to stop attacks from reaching the servers

Thanks a lot for the help you have provided!
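Added example (not from the original thread or from any of its participants): one way to script the two things the asker planned to build himself, the "ban IP after X invalid logins" rule MailEnable lacked (asked about earlier in the thread) and the import of country IP-range lists into the Windows Server 2008 firewall via netsh advfirewall. The log line format, the sample log, the sample iptables snippet, the threshold and the `per_rule` chunk size are all assumptions made up for this example; the real MailEnable log layout must be checked and the regex adapted. Only the `netsh advfirewall firewall add rule ... remoteip=...` command syntax is taken from the real tool. The script is dry-run by default and never emits a command without showing it.

```python
"""Fail2ban-style blocking for Windows Server 2008 via netsh advfirewall.

Added example, hypothetical. Counts failed mail logins per source IP from
log text, extracts CIDR ranges from iptables-style lines, and builds
'netsh advfirewall firewall add rule' commands that block them inbound.
"""
import ipaddress
import re
import subprocess
from collections import Counter

# Constructed sample log (the field layout is an assumption, NOT MailEnable's
# real format; adapt FAIL_RE to the real log before using this).
SAMPLE_LOG = """\
2012-05-01 10:00:01 203.0.113.7 LOGIN alice@example.com Invalid Username or Password
2012-05-01 10:00:02 203.0.113.7 LOGIN bob@example.com Invalid Username or Password
2012-05-01 10:00:03 203.0.113.7 LOGIN carol@example.com Invalid Username or Password
2012-05-01 10:00:04 198.51.100.9 LOGIN alice@example.com Invalid Username or Password
2012-05-01 10:00:05 192.0.2.25 LOGIN alice@example.com OK
2012-05-01 10:00:06 203.0.113.7 LOGIN dave@example.com Invalid Username or Password
"""

# Constructed sample of the "country list" files the asker found: iptables
# rules with a source CIDR. Only the -s argument is needed.
SAMPLE_IPTABLES = """\
# China (example ranges, constructed)
-A INPUT -s 1.0.1.0/24 -j DROP
-A INPUT -s 1.0.2.0/23 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
"""

# date time <ip> ... Invalid Username or Password
FAIL_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*Invalid Username or Password"
)
IPTABLES_SRC_RE = re.compile(r"(?:^|\s)-s\s+(\S+)")


def failed_logins_by_ip(log_text):
    """Return Counter {ip: number of failed login lines}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=3, allow=()):
    """IPs at or above the failure threshold, minus an allow list so the
    admin's own address (a lockout risk) is never banned."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


def cidrs_from_iptables(text):
    """Extract the -s <cidr> arguments from iptables rule lines."""
    found = []
    for line in text.splitlines():
        m = IPTABLES_SRC_RE.search(line)
        if m:
            found.append(str(ipaddress.ip_network(m.group(1), strict=False)))
    return found


def netsh_block_rules(name, cidrs, per_rule=200):
    """Build netsh commands. remoteip takes a comma-separated list, so many
    ranges fit in one rule; per_rule chunking (size is an assumption) keeps
    each command line short. Invalid entries raise before anything runs."""
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
    cmds = []
    for idx in range(0, len(nets), per_rule):
        chunk = nets[idx:idx + per_rule]
        cmds.append([
            "netsh", "advfirewall", "firewall", "add", "rule",
            "name=%s-%d" % (name, idx // per_rule + 1),
            "dir=in", "action=block", "protocol=any",
            "remoteip=%s" % ",".join(chunk),
        ])
    return cmds


def apply_rules(cmds, dry_run=True):
    """Print each command; only execute when dry_run=False (needs admin)."""
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    bad = offenders(failed_logins_by_ip(SAMPLE_LOG), threshold=3, allow={"192.0.2.25"})
    apply_rules(netsh_block_rules("mail-bruteforce", bad))
    apply_rules(netsh_block_rules("geo-block", cidrs_from_iptables(SAMPLE_IPTABLES)))
```

Run it as-is to see the commands it would issue; run `apply_rules(..., dry_run=False)` from an elevated prompt to actually add them. Two caveats a practitioner would want: re-running the script appends duplicate rules with the same name unless you delete the old ones first (`netsh advfirewall firewall delete rule name=...`), and the Windows firewall has no native rule expiry, so a scheduled task should age out brute-force bans or the rule set grows without bound.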