1

My email server has been under constant brute force attack for a while now, without success. Recently, however, these bots or automated scripts have found a way to "use my own static IP" in an attempt to break into the email server.

I am running fail2ban which is now "banning my own static IP". My server is running Debian 10 with Postfix, Dovecot, MySQL etc.

I see the attempts being made but I am not sure how to fight back. Can you suggest some steps that I might take?

Here is a sample of the hundreds of attempts made daily:

3   git.example.com[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
3   git.example.com[192.0.2.7]: SASL PLAIN authentication failed:
3   cloud.example.com[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
3   cloud.example.com[192.0.2.7]: SASL PLAIN authentication failed:
2   ltf.example.com[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
2   ltf.example.com[192.0.2.7]: SASL PLAIN authentication failed:
2   unknown[192.0.2.7]: SASL PLAIN authentication failed:
2   unknown[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
2   hostname www.example.com does not resolve to address 192.0.2.7: Name or service not known
6   mail.example.com[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
schroeder
Glen
    This does not make sense. A bot cannot "steal your IP" and use it to attack you. – ThoriumBR Dec 16 '20 at 14:12
  • I agree with @ThoriumBR. I think there is something else at play here. If an attacker is connecting to your server from some IP, but spoofing your static IP as the source address, he would be unable to complete a TCP handshake, much less attempt to authenticate. Are you sure these attempts are not coming from your static IP? – mti2935 Dec 16 '20 at 14:25
  • How do you know that is the attacker's IP? This could be the domain they are trying to use in the EHLO message. In which case they're trying it just in case your server doesn't check whether it's their actual domain. – user253751 Dec 16 '20 at 14:42
  • I think it is missing some information. As the other users mention, you cannot steal the static IP. Are you sure that your server is not compromised? Maybe you have the bots already on the box running, and that is why you see your IP on them, because they are already installed there. – camp0 Dec 16 '20 at 15:01
  • Are you running webmail? Login requests sent to a webmail server will show up in IMAP logs as localhost or local IP. – gowenfawr Dec 16 '20 at 16:36

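The comments point out that the bracketed address in these Postfix lines is the TCP peer the server actually accepted the connection from, which a spoofed source address could not complete. The following triage script is an added example (not code from the question or any answer): it parses lines in the format shown above, decodes the base64 tail that Postfix logs for the LOGIN mechanism, totals failures per client IP, and flags any client IP that is one of the host's own addresses, since such a connection must originate on, or be relayed through, the server itself (for instance a webmail frontend, as gowenfawr suggests). The sample lines, the `OWN_ADDRESSES` value and all function names are constructed for this example and are not taken from the original post.

```python
"""Triage Postfix smtpd SASL authentication failures (added example, not from the post).

Postfix logs each rejected login as "client_name[client_address]: SASL <mech>
authentication failed: <last challenge or response>", where client_name is the
reverse-DNS result for client_address (or "unknown" when the lookup fails).
"""
import base64
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the same aggregated shape as the question's excerpt
# (leading count, then the Postfix message). Addresses are documentation ranges.
SAMPLE_LINES = """\
3   git.example.com[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
3   git.example.com[192.0.2.7]: SASL PLAIN authentication failed:
2   unknown[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
2   hostname www.example.com does not resolve to address 192.0.2.7: Name or service not known
6   mail.example.com[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
4   unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Assumed placeholder for the server's own static address; substitute the real one.
OWN_ADDRESSES = {ipaddress.ip_address("192.0.2.7")}

LINE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+"
    r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]:\s+"
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<tail>\S*)\s*$"
)


def decode_tail(tail):
    """Decode the base64 token Postfix appends for LOGIN ("UGFzc3dvcmQ6" is "Password:")."""
    if not tail:
        return ""
    try:
        return base64.b64decode(tail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def parse(text):
    """Return one event dict per SASL failure line; other warnings are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "does not resolve to address" warning
        events.append({
            "count": int(m["count"]),
            "host": m["host"],
            "ip": ipaddress.ip_address(m["ip"]),
            "mech": m["mech"],
            "tail": decode_tail(m["tail"]),
        })
    return events


def triage(events, own_addresses):
    """Total failures per client IP and flag IPs that belong to this host.

    A flagged IP means the TCP connection was accepted from the server's own
    address (or loopback): a locally running process or a relay such as webmail,
    not a spoofed packet, because a spoofed source cannot finish the handshake.
    """
    per_ip = Counter()
    names = defaultdict(set)
    for e in events:
        per_ip[e["ip"]] += e["count"]
        names[e["ip"]].add(e["host"])
    report = {}
    for ip, total in per_ip.items():
        report[str(ip)] = {
            "failures": total,
            "hostnames": sorted(names[ip]),
            "local_origin": ip in own_addresses or ip.is_loopback,
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(parse(SAMPLE_LINES), OWN_ADDRESSES).items():
        origin = "LOCAL ORIGIN: check ss -tnp / webmail" if info["local_origin"] else "external"
        print(f"{ip}: {info['failures']} failures from {info['hostnames']} ({origin})")
```

Run it against `grep 'SASL .* authentication failed' /var/log/mail.log | sort | uniq -c` output; any IP reported as local origin is the one to investigate on the box itself rather than at the firewall.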
1 Answer

0

Simplest solution for blocking spoofed IP addresses in this situation is to get your ISP to drop packets to your IP address which purport to be from your IP address.

If they won't/can't, you can buy DDoS mitigation services from various providers.

Failing that, why don't you drop anything at the interface on your server that has a spoofed address?

Rory Alsop
  • Thanks, Rory, for your suggestions. I will immediately start my research into (a) the interface solution and (b) the DDoS solution. (I do not know how to go about either task right now.) Also, I will contact my ISP as a last resort. And, as soon as I accomplish some measure of success, I'll make sure that the information is reflected in this post. – Glen Dec 16 '20 at 13:45
  • Regarding interfaces: you know the addresses you use on the inside should not be seen coming in to your external interface, so you can block accordingly. – Rory Alsop Dec 16 '20 at 13:46
  • Do IPSs that do *not* drop packets from external with an internal source ip even exist (in this century)? Or do they even begin to exist *again* because they bother less for IPv4 than IPv6? – Hagen von Eitzen Dec 16 '20 at 17:08