Solved

Need some information about mail server attacks

Posted on 2013-06-16
Last Modified: 2013-11-16
One of my customers' mail servers is currently under attack. I don't have tons of knowledge about any kind of attack, but I have a few questions:

1. All the log files show 'Invalid Username or Password', but the emails they are trying to use to log in are not fake emails; they really do exist on our server. Is there a security problem, or is it just too easy to get the email addresses from a server, and not possible to prevent?

2. What's the best way to prevent brute-force attacks on a mail server?


They are using an old version of MailEnable installed with Plesk.  I've seen no such option as "Ban IP after X Invalid username or password".
10 Comments
 
Assisted Solution by Ian Meredith (LVL 15, earned 200 total points)
ID: 39252116
1. It isn't too hard to get email addresses for this type of thing. They can be 'farmed' from various sources.
There's a good chance the email addresses were obtained some other way than a sneak attack on your mail server.

2. Get hosted email filtering; that way you can lock down your firewall to only accept incoming traffic on port 25 (SMTP) from the service provider's IP range. No more brute-force attacks.

Cheers
Author Comment by Christian de Bellefeuille (LVL 10)
ID: 39252821
Can you explain a bit more about #2? Is there any service provider doing "Email Filtering"?

Do I have to set up all the mailboxes on this kind of service? Do I have to change the MX record to point to this service? etc.
Assisted Solution by John Hurst (LVL 98, earned 200 total points)
ID: 39272090
Also take a look at EMET security for your server. This is a genuine Microsoft product designed for servers and workstations, and the new version 4 has certificate pinning added. I have it running on my Windows 8 workstation successfully, but I have not yet put it on a server (my clients have outsourced hosted email).

Go here and read up on it.

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

.... Thinkpads_User
Assisted Solution by btan (LVL 65, earned 1600 total points)
ID: 39273502
Check this on reacting to brute force on mail accounts; it primarily uses iptables to mitigate for the time being. But do also encourage complex passwords and effect account lockout (though it can be inconvenient to users). The next part is to harden the server and consider DKIM and spam protection:
http://serverkb.co.uk/wiki/Mail#Brute_force_on_mail_accounts

There are more security capabilities listed below, but I do suspect you need to upgrade:
http://www.mailenable.com/features/anti-spam.asp

IP Address Whitelisting
Abuse protection from dictionary attacks
DKIM
Abuse Policy
Failed Auth Account Lockout

Other ref: MailEnable Lockdown Utility
http://www.mailenable.com/security/lockdown.asp
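The "ban IP after X invalid username or password" behaviour the question asks for, and the iptables-style reaction btan links to, done on the Windows host itself with the netsh advfirewall command that comes up later in this thread. This is an added example, not code from the thread, from MailEnable or from Plesk. The log lines are constructed for the demo and do not reproduce MailEnable's real log format, so LOG_RE must be adapted to the server's actual activity log; the threshold, window and port list are assumptions. The script only prints the rules it would add unless apply_commands() is called explicitly.

```python
"""Threshold-based IP banning for a Windows mail server (added example).

Assumptions: constructed log layout below (not MailEnable's real format),
blocking via `netsh advfirewall firewall add rule`, which needs admin rights
on the Windows host. Nothing is applied unless apply_commands() is called.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log: timestamp, service, client IP, account, result.
# 203.0.113.7 hammers five accounts in seconds; 192.0.2.55 fails slowly
# over 80 minutes; 198.51.100.9 is a user who mistyped once then succeeded.
SAMPLE_LOG = """\
2013-06-16 10:21:03 SMTP-IN 203.0.113.7 AUTH sales@example.com Invalid Username or Password
2013-06-16 10:21:04 SMTP-IN 203.0.113.7 AUTH info@example.com Invalid Username or Password
2013-06-16 10:21:05 SMTP-IN 203.0.113.7 AUTH admin@example.com Invalid Username or Password
2013-06-16 10:21:06 SMTP-IN 203.0.113.7 AUTH support@example.com Invalid Username or Password
2013-06-16 10:21:07 SMTP-IN 203.0.113.7 AUTH billing@example.com Invalid Username or Password
2013-06-16 10:25:00 POP3-IN 198.51.100.9 AUTH info@example.com Invalid Username or Password
2013-06-16 10:40:00 POP3-IN 198.51.100.9 AUTH info@example.com Authentication successful
2013-06-16 11:00:00 SMTP-IN 192.0.2.55 AUTH admin@example.com Invalid Username or Password
2013-06-16 11:30:00 SMTP-IN 192.0.2.55 AUTH admin@example.com Invalid Username or Password
2013-06-16 11:45:00 SMTP-IN 192.0.2.55 AUTH admin@example.com Invalid Username or Password
2013-06-16 12:10:00 SMTP-IN 192.0.2.55 AUTH admin@example.com Invalid Username or Password
2013-06-16 12:20:00 SMTP-IN 192.0.2.55 AUTH admin@example.com Invalid Username or Password
"""

# Matches only failed logins in the constructed format; adapt to the real log.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<ip>\S+) AUTH \S+ "
    r"Invalid Username or Password$"
)


def offending_ips(log_text, threshold=5, window_minutes=10):
    """Return IPs that produced >= threshold failed logins inside any sliding
    window of window_minutes. Successes and unparsable lines are ignored."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            ip_address(ip)  # reject garbage before it ever reaches netsh
        except ValueError:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return sorted(banned)


def netsh_block_commands(ips, local_ports="25,110,143", prefix="MailBruteForce"):
    """Build one Windows Firewall block rule per offending IP, as strings.
    Explicit block rules take precedence over allow rules in Windows Firewall,
    so this cuts the source off from the mail ports without touching other rules."""
    return [
        f'netsh advfirewall firewall add rule name="{prefix}-{ip}" dir=in '
        f"action=block protocol=TCP localport={local_ports} remoteip={ip}"
        for ip in ips
    ]


def apply_commands(cmds):
    """Run the generated commands (Windows only, elevated prompt required).
    Safe to pass through a shell because every IP was validated above."""
    for cmd in cmds:
        subprocess.run(cmd, shell=True, check=True)


if __name__ == "__main__":
    # Dry run: review the rules, then call apply_commands() on the real host.
    for cmd in netsh_block_commands(offending_ips(SAMPLE_LOG)):
        print(cmd)
```

With the defaults only 203.0.113.7 is banned: the slow attacker at 192.0.2.55 never reaches five failures inside ten minutes, which is the trade-off to tune (a longer window catches low-and-slow guessing but raises the chance of locking out a real user with a stale saved password). Pair it with a scheduled task that deletes old rules, or the rule list grows without bound.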
Author Comment by Christian de Bellefeuille (LVL 10)
ID: 39273542
Do you know if there's any method to use iptables files with Windows Server 2008? I've found some websites listing every IP range from China, Romania, Ukraine, Russia, etc., but I've not found any method to import these rules. I've found a method using netsh advfirewall for Windows Server 2008. If I can't find any tool to do it, I'll script it.

I also thought about buying MailEnable, at least to get the latest version with all the fixes. There might be a ton of vulnerabilities in the version that my customer uses. We will probably do that.

Thanks a lot for your input btan

@Thinkpads_user: i'll also look at EMET.
Accepted Solution by btan (LVL 65, earned 1600 total points)
ID: 39273990
There is one called WIPFW @ http://wipfw.sourceforge.net/ that runs on Windows 2000, XP, 2003, Vista, Windows 7, 2008 and 2008 R2. But it is unable to change packet contents, so it is impossible to redirect packets.

Actually, if there is no physical FW fronting the server at the perimeter, then I would resort to host-based intrusion prevention software (HIPS) installed on the server for holistic protection controls. If the latter is also not available, I see more reason to leverage the inherent Windows FW in the OS to do it. HIPS can include Symantec SEP or McAfee Endpoint Protection, etc.
That would be quite a hassle in the short term since you are already seeing attacks, but long term it will be worth exploring investing in it.

Coming back to Windows FW, there is an MMC snap-in as well, and of course netsh advfirewall is the CLI equivalent. There are also other scripts in the links below.

MMC Snap-in
http://technet.microsoft.com/en-us/library/ff428136.aspx
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html

Resource - Using Windows Firewall with Advanced Security
(includes best practices, COM API, scripting API and VB script samples)
http://msdn.microsoft.com/en-us/library/aa366418(v=vs.85).aspx
Author Comment by Christian de Bellefeuille (LVL 10)
ID: 39278428
I've checked with the host (1&1) and there's a hardware firewall that I currently use, but there's a maximum of 25 rules that I can set up in it. So I can't fill it up with the iptables content to ban these countries.

I'm not sure I understand, for WIPFW, when you say it's impossible to redirect packets. It blocks them, but doesn't forward them to a dummy server that could let the attacker think he is actually hacking something?

WIPFW seems like something I'll like. I'll install it locally to do some tests.

Is there any advantage to using it instead of Windows FW? The ones I see are: it seems to be easier to script with WIPFW, and it's probably safer because the potential risk of an exploit being found for Windows FW is higher than for a 3rd-party one.

It still doesn't take an iptables file 100%, but it would be really easy to do with just a few lines of code.
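The two constraints the author raises, importing a country IP-range list with no tool to do it and a 1&1 hardware firewall capped at 25 rules, can be met by loading the ranges into the host's own Windows Firewall through netsh advfirewall instead. This is an added example, not from the thread, from 1&1 or from WIPFW. It assumes the list is plain text with one IPv4 network per line in CIDR form (a constructed sample is embedded), and MAX_PER_RULE is an assumed batch size for keeping each netsh command readable, not a documented netsh limit.

```python
"""Turn a text list of IPv4 ranges into batched Windows Firewall block rules.

Added example; assumes one CIDR per line (comments after '#'), IPv4 only,
and that rules are loaded with `netsh advfirewall firewall add rule`
from an elevated prompt on the Windows host. Commands are returned as
strings so they can be reviewed before being run.
"""
from ipaddress import collapse_addresses, ip_network

# Constructed sample: documentation ranges standing in for a country list,
# including an overlap, a comment and a junk line to show the cleanup.
SAMPLE_RANGES = """\
# sample geo-block list (constructed)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26      # already covered by the /24 above
192.0.2.0/24
not-an-address
"""

MAX_PER_RULE = 200  # assumed batch size per rule, not a netsh limit


def parse_ranges(text):
    """Parse CIDR lines, skip comments and junk, merge overlapping networks.
    Merging matters: fewer, larger prefixes mean fewer entries per rule."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ip_network(line, strict=False)
        except ValueError:
            continue  # skip unparsable lines rather than aborting the import
        if net.version == 4:  # collapse_addresses cannot mix v4 and v6
            nets.append(net)
    return list(collapse_addresses(nets))


def netsh_rules(nets, prefix="GeoBlock", local_ports="25,110,143",
                max_per_rule=MAX_PER_RULE):
    """Batch the networks into 'add rule' commands; remoteip accepts a
    comma-separated list of subnets, so one rule covers many ranges."""
    cmds = []
    for start in range(0, len(nets), max_per_rule):
        batch = ",".join(str(n) for n in nets[start:start + max_per_rule])
        rule_no = start // max_per_rule + 1
        cmds.append(
            f'netsh advfirewall firewall add rule name="{prefix}-{rule_no}" '
            f"dir=in action=block protocol=TCP localport={local_ports} "
            f"remoteip={batch}"
        )
    return cmds


def netsh_cleanup(rule_count, prefix="GeoBlock"):
    """Delete a previous import so re-running does not stack duplicate rules."""
    return [
        f'netsh advfirewall firewall delete rule name="{prefix}-{i}"'
        for i in range(1, rule_count + 1)
    ]


if __name__ == "__main__":
    networks = parse_ranges(SAMPLE_RANGES)
    print(f"{len(networks)} merged networks")
    for cmd in netsh_cleanup(len(netsh_rules(networks))) + netsh_rules(networks):
        print(cmd)
```

Running it on the sample merges the two /25s into 203.0.113.0/24, drops the /26 that the /24 already covers, ignores the junk line, and emits a single rule. Because the Windows Firewall holds these rules on the host, the 25-rule ceiling of the 1&1 device no longer applies; the hardware firewall can keep its few rules for the coarse perimeter policy (for example the port 25 restriction Ian Meredith suggests).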
Expert Comment by btan (LVL 65)
ID: 39280059
Probably in the past, with Windows without advfirewall, WIPFW may have surpassed it, but actually I see it more as users being familiar with ipfw and wanting something close in Windows. It does have flexibility in rules, to the extent of having dynamic rules on the fly to allow packets through. Its config is also in a wipfw.conf (if I am not wrong) that consolidates the gist of the ipfw preferences for ease of sharing to other machines, etc.

I understand the Windows FW prior to Vista is limited, will not filter egress traffic and has poor logging. That would have changed, but WIPFW is also under constant check and upgrade.

As for the redirection, I believe it cannot change anything in the packet, hence the destination IP address probably cannot be re-routed elsewhere; it is still a due-diligence type of drop and allow.
Author Comment by Christian de Bellefeuille (LVL 10)
ID: 39281102
Well, I think I have enough information to help me cover some security risks.

Buying MailEnable Standard, not the free edition
Doing some tests with WIPFW, and writing a small program to add rules on the fly to keep attacks from reaching the servers

Thanks a lot for the help you have provided!