POP3 attack on server leads to table crash and DB restore

Started by aegersz, October 01, 2015, 05:20:00 PM


aegersz

this is the second time that I have been attacked and I am planning an iptables approach.

but I wanted to run this past you as I saw a memory stack message from SMF (in the browser, but it may not be SMF)

I have since shutdown redundant tasks to free up memory as I only have 1 GB.

I just wondered if memory was the cause of my table crash.

what do you guys think? can memory issues ultimately cause database corruption?

any advice on POP3 attacks is welcome too.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

LiroyvH

What kind of attacks? Details.

Memory issues can cause database corruption, sure. Especially if the mySQL process is killed off by the kernel ("OOM Killer"), for example.
1GB is tight.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

aegersz

I have been shutting down redundant services and tightening up on my firewall.

I'm testing some anti-POP3-attack firewall rules out currently ... this may go quiet for a while.

6TiME6

You can limit the SYNs to your POP3 port with the iptables recent module to like 10 per minute per source IP. If that doesn't help, you can use fail2ban if what you're experiencing is a bruteforce attack (I assume it is, there are lots of them on plain POP3).

The most drastic option would be to disable plain POP3 and only use POP3S, if you have to use POP3 at all (IMAP anyone?).

aegersz

I have been reconfiguring my firewall to stop this.

I also added a swap file and shut down redundant tasks to take the pressure off memory.

I am aware of fail2ban and run it for ssh.

thanks for your help ... I'm on it and now waiting for something I hope won't happen again.

6TiME6

Thanks for the update, that's good news. If you already use fail2ban for SSH, you can simply enable the jail for your Dovecot or whatever you use for POP3 in /etc/fail2ban/jail.conf (or enable it in /etc/fail2ban/jail.local which is the "new way" with more recent fail2ban versions). If you should still experience similar issues in the future, here are some iptables rules for you that would limit new connections to 10 per minute per source IP, which should mitigate the problem in addition to fail2ban.

iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

aegersz

I took the following from https://www.thatsgeeky.com/2011/01/limiting-brute-force-attacks-with-iptables/ and implemented it. I feel it goes further than your example and it covers some additional ports. But THANK YOU for suggesting another option for me:

Quote
:ATTACKED - [0:0]
:ATTK_CHECK - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,110,143,993,995 -m recent --update --seconds 3600 --name BANNED --rsource -j DROP
-A INPUT -p tcp -m multiport --dports 21,22,110,143,993,995 -m state --state NEW -j ATTK_CHECK

#OTHER PRE-EXISTING RULES
#...

-A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
-A ATTACKED -m recent --set --name BANNED --rsource -j DROP
-A ATTK_CHECK -m recent --set --name ATTK --rsource
-A ATTK_CHECK -m recent --update --seconds 600 --hitcount 16 --name ATTK --rsource -j ATTACKED
-A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK --rsource -j ATTACKED
-A ATTK_CHECK -j ACCEPT

I will leave fail2ban out for now to avoid banning machines that have been compromised because they may be ok in the future.

LiroyvH

Quote
I will leave fail2ban out for now to avoid banning machines that have been compromised because they may be ok in the future.

Then purge it later. I think fail2ban can also ban IP's for x amount of time...
Blocking brute-force attacks is really a rather good idea... Though stuff like fail2ban can present a security issue of its own, at least: on shared servers. Implementing something like it is usually absolutely recommended.

青山 素子

Quote from: CoreISP on October 06, 2015, 05:58:14 PM
I think fail2ban can also ban IP's for x amount of time...

It does. The default configuration is a time-limited ban.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


aegersz

will a mass mailout trigger unwanted banning with the iptables I set in play?

I need to send about 5000 mail items.

LiroyvH

From a really quick glance: no it shouldn't, because it's looking at destination ports; not source.

6TiME6

Your iptables rules use the outdated "state" module, which has been replaced by "ctstate". Also the limits are a bit too strict imo if you use POP3 clients that frequently check for e-mails. Also it covers POP3S ports as well, where you shouldn't receive any bruteforce attacks to anyway. No matter which iptables ruleset you decide to use, you should also use fail2ban in addition, because botnets that consist of a larger number of infected hosts could still crash your mail server. The bans will expire fairly quickly, so you really don't have to worry about banning servers that could later get cleaned up. Most are HiChina IPs anyway and I don't think I've ever seen a legit mail from their network.
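The two rulesets in this thread (6TiME6's two-rule limiter earlier in the thread and the ATTACKED/ATTK_CHECK chains quoted from thatsgeeky.com) both stand or fall on how the recent module's `--set` and `--update --seconds/--hitcount` interact, which is what makes the "too strict" point above hard to judge by eye. The following Python simulation is an added example, not code from any post here or from the iptables project. It models xt_recent's per-source stamp history (assuming the kernel default of 20 stamps per address, `ip_pkt_list_tot`, and that every event is a NEW TCP connection to a covered port) and runs constructed timelines through both rulesets: an attacker at one connection per second, a NAT'd office whose three clients each poll every 30 seconds, and a single client polling once a minute. All addresses and timings are constructed test data.

```python
"""Simulation of the iptables 'recent' match (xt_recent) as used in this thread.

Added example, not code from any post or from the iptables project.  Assumed:
the kernel default of 20 stamps kept per source address (ip_pkt_list_tot),
and that every event is a NEW TCP connection to one of the covered ports.
Addresses and timings are constructed test data.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # assumed xt_recent default: stamps remembered per address


class RecentList:
    """One '--name' list of the recent module: a stamp history per source."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: add a stamp for src (creates the entry if needed)."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when src has at least N
        stamps inside the last S seconds (N=0 means any stamp in the window).
        On a match the list is refreshed with a new stamp, so a source that
        keeps connecting keeps renewing its own entry."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if seconds == 0 or now - t <= seconds)
        matched = hits >= max(hitcount, 1)
        if matched:
            self.stamps[src].append(now)
        return matched


class SimpleRateLimit:
    """6TiME6's two rules: --set, then --update --seconds 60 --hitcount 10 -j DROP."""

    def __init__(self):
        self.recent = RecentList("DEFAULT")

    def new_connection(self, src, now):
        self.recent.set(src, now)
        if self.recent.update(src, now, 60, 10):
            return "DROP"
        return "ACCEPT"


class AttkCheckRuleset:
    """The ATTACKED/ATTK_CHECK chains quoted from thatsgeeky.com."""

    def __init__(self):
        self.banned = RecentList("BANNED")
        self.attk = RecentList("ATTK")

    def new_connection(self, src, now):
        # INPUT: --update --seconds 3600 --name BANNED -j DROP.  Hitcount 0, so
        # one stamp inside the hour matches, and the match refreshes the stamp:
        # the hour restarts on every retry by a banned source.
        if self.banned.update(src, now, 3600, 0):
            return "DROP(banned)"
        # ATTK_CHECK: --set --name ATTK (the current connection counts too)
        self.attk.set(src, now)
        # ATTK_CHECK: 16 within 600 s or 6 within 60 s -> ATTACKED
        if (self.attk.update(src, now, 600, 16)
                or self.attk.update(src, now, 60, 6)):
            # ATTACKED: --set --name BANNED -j DROP (LOG rule omitted here)
            self.banned.set(src, now)
            return "DROP(attacked)"
        return "ACCEPT"  # ATTK_CHECK: -j ACCEPT


def simulate(ruleset, timeline):
    """Run (time_seconds, source_ip) events through a ruleset; return verdicts."""
    return [ruleset.new_connection(src, t) for t, src in timeline]


def first_drop(verdicts):
    """Index of the first non-ACCEPT verdict, or None if everything passed."""
    for i, v in enumerate(verdicts):
        if v != "ACCEPT":
            return i
    return None


# Constructed timelines (RFC 5737 documentation addresses)
BRUTE_FORCER = [(t, "203.0.113.5") for t in range(10)]           # 1 conn/s
NAT_OFFICE = [(t, "198.51.100.7") for t in range(0, 70, 10)]      # 3 clients, 30 s polls
SINGLE_CLIENT = [(t, "192.0.2.9") for t in range(0, 1201, 60)]    # 1 poll/min

if __name__ == "__main__":
    for name, timeline in [("brute-forcer", BRUTE_FORCER), ("NAT office", NAT_OFFICE),
                           ("single client", SINGLE_CLIENT)]:
        print(name, "simple:", first_drop(simulate(SimpleRateLimit(), timeline)),
              "attk_check:", first_drop(simulate(AttkCheckRuleset(), timeline)))
```

Two things fall out of running it. The ATTK_CHECK set stops the one-per-second attacker at its sixth connection and then keeps it banned for as long as it retries, because the BANNED `--update` refreshes the stamp on every match; the ban only lapses 3600 seconds after the last attempt. The same 6-in-60 threshold also bans the three-client office on its sixth connection within the first minute, while the simpler 10-per-minute rule lets it through, which is the over-strictness being described here.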

aegersz

Quote from: 6TiME6 on October 15, 2015, 08:17:17 AM
Your iptables rules use the outdated "state" module, which has been replaced by "ctstate". Also the limits are a bit too strict imo if you use POP3 clients that frequently check for e-mails.

Also it covers POP3S ports as well, where you shouldn't receive any bruteforce attacks to anyway. No matter which iptables ruleset you decide to use, you should also use fail2ban in addition, because botnets that consist of a larger number of infected hosts could still crash your mail server.

The bans will expire fairly quickly, so you really don't have to worry about banning servers that could later get cleaned up. Most are HiChina IPs anyway and I don't think I've ever seen a legit mail from their network.

1. ... but can I leave my iptables the way they are for now if I seldom use mail?

2. I did implement fail2ban for dovecot, as you suggested, and configured it straight from the wiki.

thanks for making me finally tighten things up even more. marking as solved until the next attack happens, which I expect never to know about because everything functioned so well ;)

aegersz

In case anybody is interested in my Postfix tighten-up, I added the following to /etc/postfix/main.cf:

disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
