?
Solved

Need some informations about mail server attacks

Posted on 2013-06-16
10
Medium Priority
?
1,007 Views
Last Modified: 2013-11-16
One of my customer mail server is actually under attack.  I don't have tons of knowledge about any kind of attack, but i've few questions:

1. All the log files show 'Invalid Username or Password', but the emails that they are trying to use to login are not fake email... they do really exist on our server. Is there a security problem or it's just too easy to get the email address from a server and it's not possible to prevent it?

2. What's the best way to prevent brute force attack on a mail server?


They are using an old version of MailEnable installed with Plesk.  I've seen no such option as "Ban IP after X Invalid username or password".
0
Comment
9 Comments
 
LVL 15

Assisted Solution

by:Ian Meredith
Ian Meredith earned 200 total points
ID: 39252116
1. It isn't too hard to get email addresses for this type of thing.  They can be 'farmed' from various sources.
A good chance the email addresses were obtained in other way than some sneak attack on your mail server.

2.  Get hosted email filtering, that way you can lock down your firewall to only accept incoming traffic on port 25 (SMTP) from the service providers ip range.  No more brute force attacks.

Cheers
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 39252821
Can you explain a bit more about #2?   Any service provider doing "Email Filtering"?

Do i have to setup all the mailbox on this kind of service?  Do i have to change the MX record to point to this service?  etc...
0
 
LVL 99

Assisted Solution

by:John Hurst
John Hurst earned 200 total points
ID: 39272090
Also take a look at EMET security for your server. This a genuine Microsoft product designed for Servers and Workstation and the new Version 4 has Certificate Pinning added on. I have it running on my Windows 8 workstation successfully, but I have not yet put in on a Server (my clients have outsourced hosted email).

Go here and read up on it.

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

.... Thinkpads_User
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 65

Assisted Solution

by:btan
btan earned 1600 total points
ID: 39273502
Check this on reacting to the brute force on mail accounts - primarily using iptable to mitigate for the time being. But do also encourage complex password and effect account lockout (though it can be inconvenient to user). Also the next part is to harden the server and consider DKIM and SPam protection
http://serverkb.co.uk/wiki/Mail#Brute_force_on_mail_accounts

There are more security capability listed below but I do suspect you need upgrade
http://www.mailenable.com/features/anti-spam.asp

IP Address Whitelisting
Abuse protection from dictionary attacks
DKIM
Abuse Policy
Failed Auth Account Lockout

other ref - MailEnable Lockdown Utility
http://www.mailenable.com/security/lockdown.asp
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 39273542
Do you know if there's any method to use IP table files with a Windows Server 2008?  Because i've found some web sites listing every IP ranges from China, Roumania, Ukraine, Russia, etc...  but i've not found any method to import these rules.  I've found some method using netsh advfirewall for Windows Server 2008.  If i can't find any tool to do it, i'll script it.

I also thought about buying Mail Enable... at least to get the latest version with all the fixes.  There might be a ton of vulnerabilities in the version that my customer use.  We will probably do that.

Thanks a lot for your input breadtan

@Thinkpads_user: i'll also look at EMET.
0
 
LVL 65

Accepted Solution

by:
btan earned 1600 total points
ID: 39273990
There is one called WIPFW @ http://wipfw.sourceforge.net/ that run on Windows 2000, XP, 2003, Vista, Windows7, 2008,2008 R2. But it is is unable to change packets content, so it is impossible to redirect packets.

Actually if there is no physical FW fronting server at the perimeter then I will resort to the host based prevention s/w (HIPS) installed in the server for holistic protection controls. if the latter is also not available, i see more to leverage the inherent windows FW in the OS to do it.  HIPS can include symantec SEP or Mcafee endpoint protection etc.
But that would be quite a hassle for short term since you already seeing attacks, but long term it will be worth exploring into investing it.

Coming back to Windows FW, there is MMC snap-in as well and of course netsh advfirewall is also CLI equ. There are also other scripts in the below links

MMC Snap-in
http://technet.microsoft.com/en-us/library/ff428136.aspx
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html

Resource - Using Windows Firewall with Advanced Security
(include best practice, COMAPI, scription API and VB scripts sample)
http://msdn.microsoft.com/en-us/library/aa366418(v=vs.85).aspx
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 39278428
I've checked with the host (1&1) and there's an hardware firewall that i actually use, but there's a maximum of 25 rules that i can setup in it.  So i can't fill it up with the iptable content to ban these countries.

I'm not sure to understand for wipfw when you say it's impossible to redirect packets.   It block them, but doesn't forward them to a dummy server where the attacker that could let him think that he is actually hacking something?

WIPFW seems like something i'll like.  I'll install it locally to do some tests.

Is there any advandtage to use it instead of Windows FW?   The one i see are: It seems to be easier to script with WIPFW, and it's probably safer because the potential risk of an exploit found for Windows FW is higher than a 3rd party.

It still doesn't take 100% iptable file but it would be really easy to do it with just few lines of code.
0
 
LVL 65

Expert Comment

by:btan
ID: 39280059
probably in the past Windows w/o advfirewall wipfw may surpass but actually I see it more of user being familiar with ipfw and wanted something close in Windows. It does has flexibility in rules and to extedn of having dynamic rules in the fly to allow packet through. Its config is also in a wipfw.conf (if I am not wrong) that consolidate all gist for the ipfw preference in sharing ease to other machine etc.

Understand the Windows FW prior to Vista is limiting and will not filter egress traffic and has poor logging. It would have changed but WIPFW is also in constant check and upgrade.

As for the redirection, I believe is it cannot change anything in the packet hence destination IP address probably cannot be re-routed esle - it is still a due diligence type drop and allow
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 39281102
Well, i think i have enough informations to help me to cover some security risk.

Buying mail enable standard, not the free edition
Doing some tests with WIPFW, and write a small program to add rules on the fly to avoid attacks from reaching the servers

Thanks a lot for the help you have provided!
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Steps to fix error: “Couldn’t mount the database that you specified. Specified database: HU-DB; Error code: An Active Manager operation fail”
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question