When I changed my firewall rule policy, part of the reason for doing it was because I was getting tired of seeing dovecot:auth failures in the logs. People around the world were brute forcing my mail server, and the rules were 100 lines long of just blocking. I had thought that they were coming from people hitting port 993 (IMAPS), and to a point they were. You can see below where it is dropping port 993 access attempts.
Feb 3 17:30:07 village kernel: DROP IN=eth0 OUT= MAC=f2:3c:91:93:5e:9c:84:78:ac:57:aa:c1:08:00 SRC=164.76.75.168 DST=$my_server LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=28022 DF PROTO=TCP SPT=60685 DPT=993 WINDOW=14600 RES=0x00 SYN URGP=0
A few days later, logcheck’s emails had these lines return:
Feb 2 22:27:01 village auth: pam_unix(dovecot:auth): check pass; user unknown
Feb 2 22:27:01 village auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=pos rhost=213.190.177.181
What the heck, the rules are written to deny anything not allowed, and I only allow ports 22, 993 and 587 from the networks I use: school, work, home, and cellular tether / data package. However, the rhost above is not in that list.
Googling for what’s going on, other people are seeing the same thing on occasion: errors from Dovecot about failed login attempts, with IMAP, IMAPS, POP, and POP3 blocked. No one explained what was happening. I would make changes to the rules and I’d still see things showing up in the tail -f /var/log/auth.log window.
I caught one of the IP addresses as it hit the log, changed windows, ran netstat -tpan and grepped for the offending IP address. What I found was that it was coming in on port 25, not 993.
tcp        0      0 66.228.43.117:25        109.203.102.59:53405    ESTABLISHED 15210/smtpd
tcp        0      0 66.228.43.117:25        109.203.102.59:53405    ESTABLISHED 15210/smtpd
Well, that gave me something new to Google. Searching for Dovecot auth failure port 25 brought back SASL, which is a way to allow users to access the mail server to send mail when on the road / away from the office. The user authenticates to the server over port 25 and then sends mail.
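As an added example (not from the original post), here is a small Python script that automates the check described above: it pulls the rhost out of the pam_unix(dovecot:auth) failure lines and looks that address up in netstat -tpan output to see which local port and process it is really connected to. The log and netstat lines inside it are constructed samples in the formats shown here, not captured traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the formats shown in the post (not captured traffic).
AUTH_LOG = """\
Feb  2 22:27:01 village auth: pam_unix(dovecot:auth): check pass; user unknown
Feb  2 22:27:01 village auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=pos rhost=213.190.177.181
Feb  2 22:27:09 village auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=109.203.102.59
Feb  2 22:27:15 village auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=109.203.102.59
"""
NETSTAT = """\
tcp        0      0 66.228.43.117:25        109.203.102.59:53405    ESTABLISHED 15210/smtpd
tcp        0      0 66.228.43.117:993       198.51.100.7:41022      ESTABLISHED 15388/imap-login
"""

# PAM failure line: the remote address is in rhost=..., the attempted login in ruser=... (may be empty).
FAIL_RE = re.compile(r"pam_unix\(dovecot:auth\): authentication failure;.*\bruser=(?P<user>\S*) rhost=(?P<rhost>\S+)")
# netstat -tpan columns: proto recv-q send-q local:port remote:port state pid/program
CONN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(?P<lport>\d+)\s+(?P<rhost>\S+):\d+\s+(?P<state>\S+)\s+(?P<proc>.+)$")

def failures_by_host(auth_log):
    """Count dovecot:auth failures per rhost and collect the usernames tried from each."""
    counts, users = Counter(), defaultdict(set)
    for line in auth_log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m["rhost"]] += 1
            users[m["rhost"]].add(m["user"])
    return counts, users

def ports_by_remote(netstat):
    """Map each remote address in netstat output to the (local port, process) pairs it reached."""
    ports = defaultdict(set)
    for line in netstat.splitlines():
        m = CONN_RE.match(line)
        if m:
            ports[m["rhost"]].add((int(m["lport"]), m["proc"].strip()))
    return ports

def correlate(auth_log, netstat):
    """For each failing rhost, report what it is connected to right now (empty if the connection is gone)."""
    counts, users = failures_by_host(auth_log)
    ports = ports_by_remote(netstat)
    return {h: {"failures": n, "users": sorted(users[h]), "connected_to": sorted(ports.get(h, ()))}
            for h, n in counts.items()}

if __name__ == "__main__":
    for host, info in correlate(AUTH_LOG, NETSTAT).items():
        print(host, info)
```

A failing rhost that shows up connected to port 25 / smtpd rather than 993 / imap-login is the SASL case the post describes; a host with an empty connected_to had already disconnected by the time netstat ran.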
So it looks like my next step is to figure out how to disable SASL or install and configure Fail2Ban to cover port 25. Here is what a packet capture of that looks like for user auth on port 25.
09:01:19.758136 IP (tos 0x0, ttl 119, id 29127, offset 0, flags [DF], proto TCP (6), length 48)
    109.203.102.59.52758 > $my_server.smtp: Flags [S], cksum 0x9d81 (correct), seq 3655785255, win 8192, options [mss 1460,nop,nop,sackOK], length 0
        0x0000:  4500 0030 71c7 4000 7706 4fa1 6dcb 663b  E..0q.@.w.O.m.f;
        0x0010:  42e4 2b75 ce16 0019 d9e6 db27 0000 0000  B.+u.......'....
        0x0020:  7002 2000 9d81 0000 0204 05b4 0101 0402  p...............
09:01:19.758211 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    $my_server.smtp > 109.203.102.59.52758: Flags [S.], cksum 0x4282 (incorrect -> 0x3544), seq 2190185360, ack 3655785256, win 29200, options [mss 1460,nop,nop,sackOK], length 0
        0x0000:  4500 0030 0000 4000 4006 f868 42e4 2b75  E..0..@.@..hB.+u
        0x0010:  6dcb 663b 0019 ce16 828b 9390 d9e6 db28  m.f;...........(
        0x0020:  7012 7210 4282 0000 0204 05b4 0101 0402  p.r.B...........
09:01:19.890282 IP (tos 0x0, ttl 119, id 29301, offset 0, flags [DF], proto TCP (6), length 40)
    109.203.102.59.52758 > $my_server.smtp: Flags [.], cksum 0xd927 (correct), seq 3655785256, ack 2190185361, win 64240, length 0
        0x0000:  4500 0028 7275 4000 7706 4efb 6dcb 663b  E..(ru@.w.N.m.f;
        0x0010:  42e4 2b75 ce16 0019 d9e6 db28 828b 9391  B.+u.......(....
        0x0020:  5010 faf0 d927 0000 0000 0000 0000       P....'........
09:01:19.946545 IP (tos 0x0, ttl 64, id 38796, offset 0, flags [DF], proto TCP (6), length 91)
    $my_server.smtp > 109.203.102.59.52758: Flags [P.], cksum 0x42ad (incorrect -> 0x634f), seq 2190185361:2190185412, ack 3655785256, win 29200, length 51
        0x0000:  4500 005b 978c 4000 4006 60b1 42e4 2b75  E..[..@.@.`.B.+u
        0x0010:  6dcb 663b 0019 ce16 828b 9391 d9e6 db28  m.f;...........(
        0x0020:  5018 7210 42ad 0000 3232 3020 7669 6c6c  P.r.B...220.$my_
        0x0030:  6167 652e 7261 7474 6973 2e6e 6574 2045  server.E
        0x0040:  534d 5450 2050 6f73 7466 6978 2028 4465  SMTP.Postfix.(De
        0x0050:  6269 616e 2f47 4e55 290d 0a              bian/GNU)..
09:01:20.057505 IP (tos 0x0, ttl 119, id 29600, offset 0, flags [DF], proto TCP (6), length 51)
    109.203.102.59.52758 > $my_server.smtp: Flags [P.], cksum 0x37b5 (correct), seq 3655785256:3655785267, ack 2190185412, win 64189, length 11
        0x0000:  4500 0033 73a0 4000 7706 4dc5 6dcb 663b  E..3s.@.w.M.m.f;
        0x0010:  42e4 2b75 ce16 0019 d9e6 db28 828b 93c4  B.+u.......(....
        0x0020:  5018 fabd 37b5 0000 4548 4c4f 2055 7365  P...7...EHLO.Use
        0x0030:  720d 0a                                  r..
09:01:20.057582 IP (tos 0x0, ttl 64, id 38797, offset 0, flags [DF], proto TCP (6), length 40)
    $my_server.smtp > 109.203.102.59.52758: Flags [.], cksum 0x427a (incorrect -> 0x61ca), seq 2190185412, ack 3655785267, win 29200, length 0
        0x0000:  4500 0028 978d 4000 4006 60e3 42e4 2b75  E..(..@.@.`.B.+u
        0x0010:  6dcb 663b 0019 ce16 828b 93c4 d9e6 db33  m.f;...........3
        0x0020:  5010 7210 427a 0000                      P.r.Bz..