Tag Archives: Linux

Email Server Attack

Type: Brute Force
Protocol: POP3
OS: Linux 3.6.11+ armv6l
Platform: Pi Rev. B
Memory: 512M
Daemon: Dovecot 2.1.7-7
Backend Daemon: MySQL 5.5
Backend OS: Linux 2.6.32-5-amd64
Backend Platform: Generic AMD A4-3400 APU Dual Core
Backend Memory: 3.5G
Total Attempts: 13356
Avg. Attempt/s: 2.71

Postmortem:
67.136.48.186 was *unable* to successfully authenticate to any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.

Further Information:
Fail2ban did not detect the attack; research is ongoing.
Fail2ban's ability to check logging may have been overwhelmed.
All logging is done remotely; no local logging occurs.
The RPi handled the traffic/load well and never swapped.

Log Excerpt:

Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:27 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
Feb 22 18:14:40 hcpi004 dovecot: auth-worker(8400): sql(administrator,67.136.48.186): unknown user
Feb 22 18:14:43 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user

*SNIP*

Feb 22 19:35:23 hcpi004 dovecot: auth-worker(25283): sql(bridgette,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(danielle,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(coach,67.136.48.186): unknown user
Feb 22 19:36:39 hcpi004 dovecot: auth-worker(26746): sql(chuck,67.136.48.186): unknown user
Feb 22 19:36:43 hcpi004 dovecot: auth-worker(26746): sql(bryson,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(denise,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(dev,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(bridget,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dominic,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dakota,67.136.48.186): unknown user
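Since fail2ban never saw this attack and the only copy of the logs lives on the remote log host, the practical check is to run the same kind of per-source counting over the syslog lines as they arrive there. The script below is an added example, not part of the original post: it parses the Dovecot auth-worker lines in the format shown in the excerpt, totals failed attempts per source address (attempts, distinct usernames tried, span and average attempts per second, as in the postmortem header), and flags any source that produces at least a given number of failures inside a sliding time window. The sample log lines are constructed for the example using TEST-NET addresses; the "Password mismatch" line is the other passdb failure Dovecot logs in this format, and the assumed year and thresholds are parameters.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the Dovecot auth-worker lines in the excerpt:
#   <syslog ts> <host> dovecot: auth-worker(<pid>): sql(<user>,<ip>): <message>
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dovecot: "
    r"auth-worker\(\d+\): sql\((?P<user>[^,]+),(?P<ip>[^)]+)\): (?P<msg>.*)$"
)
# passdb outcomes that count as a failed login attempt.
FAILURE_MESSAGES = ("unknown user", "Password mismatch")

# Constructed sample in the page's log format (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,192.0.2.10): unknown user
Feb 22 18:14:07 hcpi004 dovecot: auth-worker(8400): sql(info,192.0.2.10): unknown user
Feb 22 18:14:09 hcpi004 dovecot: auth-worker(8400): sql(help,192.0.2.10): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(spam,192.0.2.10): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(administrator,192.0.2.10): unknown user
Feb 22 18:14:20 hcpi004 dovecot: auth-worker(8400): sql(support,192.0.2.10): unknown user
Feb 22 18:14:25 hcpi004 dovecot: auth-worker(8401): sql(alice,198.51.100.7): Password mismatch
Feb 22 18:14:31 hcpi004 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5
Feb 22 18:14:35 hcpi004 dovecot: auth-worker(8400): sql(dev,192.0.2.10): unknown user
"""


def parse_failures(lines, year=2013):
    """Return one dict per failed auth attempt; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or not m["msg"].startswith(FAILURE_MESSAGES):
            continue
        # Syslog timestamps carry no year, so the caller supplies one (assumed 2013 here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "msg": m["msg"]})
    return events


def summarize(events):
    """Per-source totals: failures, distinct usernames tried, time span and average rate."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    stats = {}
    for ip, evs in by_ip.items():
        times = sorted(e["ts"] for e in evs)
        elapsed = (times[-1] - times[0]).total_seconds()
        stats[ip] = {
            "failures": len(evs),
            "users": sorted({e["user"] for e in evs}),
            "first": times[0],
            "last": times[-1],
            "elapsed_s": elapsed,
            # Average attempts per second, the figure the postmortem header reports.
            "rate": len(evs) / max(elapsed, 1.0),
        }
    return stats


def flag_sources(events, max_failures=5, window_s=60):
    """Return the sources with at least max_failures failures inside any window_s span."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= max_failures:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    for ip, s in summarize(evs).items():
        print(f"{ip}: {s['failures']} failures, {len(s['users'])} usernames, {s['rate']:.2f}/s")
    print("flagged:", flag_sources(evs))
```

A single password mismatch from a real user is never flagged on its own, while a source that walks through a username list trips the window threshold after five failures; the flagged list is what a firewall DROP rule or a fail2ban action would consume.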

Database Server Build

More for my records than anyone else's. Still, someone may find some use for this information.

I started off by doing a standard network install of Debian Woody. After that I installed ssh and got to work.

Before doing anything else, I created a “poor man’s” disk mirror. This probably isn’t the best solution, but it works for my needs. The first thing to do is take a look at the current partition info:

venus:/# df | grep ^/dev
/dev/hde2 1999804 100580 1899224 6% /
/dev/hde1 999868 42036 957832 5% /boot
/dev/hde5 4000088 163476 3836612 5% /usr
/dev/hde6 999868 32840 967028 4% /tmp
/dev/hde7 4000088 37680 3962408 1% /home
/dev/hde8 16028688 198940 15829748 2% /var

The easiest way I have found to mirror the partition structure is using sfdisk.

venus:~# sfdisk -d /dev/hde | sfdisk /dev/hdg

sfdisk sends quite a bit of information to STDOUT, but the important data looks something like this:

Device Boot Start End #sectors Id System
/dev/hdg1 * 63 1999871 1999809 83 Linux
/dev/hdg2 1999872 5999615 3999744 83 Linux
/dev/hdg3 56058912 60058655 3999744 82 Linux swap
/dev/hdg4 5999616 56058911 50059296 5 Extended
/dev/hdg5 5999679 14000111 8000433 83 Linux
/dev/hdg6 14000175 15999983 1999809 83 Linux
/dev/hdg7 16000047 24000479 8000433 83 Linux
/dev/hdg8 24000543 56058911 32058369 83 Linux
Successfully wrote the new partition table

Re-reading the partition table …

The reiserfs filesystem was used, so reiserfsprogs is needed:

venus:/# apt-get install reiserfsprogs
venus:/# mkfs.reiserfs /dev/hdg2
(repeated for each partition through /dev/hdg8 in the table above)

Created a directory structure for the mount points and mounted all the hdg filesystems.

venus:/# mount | grep ^/dev
/dev/hde2 on / type reiserfs (rw)
/dev/hde1 on /boot type reiserfs (rw)
/dev/hde5 on /usr type reiserfs (rw)
/dev/hde6 on /tmp type reiserfs (rw)
/dev/hde7 on /home type reiserfs (rw)
/dev/hde8 on /var type reiserfs (rw)
/dev/hdg2 on /SYSMIRROR/root type reiserfs (rw)
/dev/hdg1 on /SYSMIRROR/boot type reiserfs (rw)
/dev/hdg5 on /SYSMIRROR/usr type reiserfs (rw)
/dev/hdg6 on /SYSMIRROR/tmp type reiserfs (rw)
/dev/hdg7 on /SYSMIRROR/home type reiserfs (rw)
/dev/hdg8 on /SYSMIRROR/var type reiserfs (rw)

Created a system mirroring script and tested it:

venus:/SYSMIRROR# cat /usr/local/bin/sysmirror.sh
#!/bin/sh
# cp -aux: archive copy, only files newer than the mirror's, and stay on one filesystem
cp -aux / /SYSMIRROR/root
cp -aux /boot/* /SYSMIRROR/boot
cp -aux /usr/* /SYSMIRROR/usr
cp -aux /tmp/* /SYSMIRROR/tmp
cp -aux /home/* /SYSMIRROR/home
cp -aux /var/* /SYSMIRROR/var
# marker file showing when the last mirror run completed
touch /var/log/sysmirror

After testing was completed, /etc/fstab was updated with the filesystems.

/dev/hde2 / reiserfs defaults 0 0
/dev/hde3 none swap sw 0 0
proc /proc proc defaults 0 0
/dev/fd0 /floppy auto user,noauto 0 0
/dev/cdrom /cdrom iso9660 ro,user,noauto 0 0
/dev/hde1 /boot reiserfs defaults 0 0
/dev/hde5 /usr reiserfs defaults 0 0
/dev/hde6 /tmp reiserfs defaults 0 0
/dev/hde7 /home reiserfs defaults 0 0
/dev/hde8 /var reiserfs defaults 0 0

/dev/hdg2 /SYSMIRROR/root reiserfs defaults 0 0
/dev/hdg1 /SYSMIRROR/boot reiserfs defaults 0 0
/dev/hdg5 /SYSMIRROR/usr reiserfs defaults 0 0
/dev/hdg6 /SYSMIRROR/tmp reiserfs defaults 0 0
/dev/hdg7 /SYSMIRROR/home reiserfs defaults 0 0
/dev/hdg8 /SYSMIRROR/var reiserfs defaults 0 0

reboot

Added crontab entry for the mirroring:

venus:~# crontab -l
#####
# Hourly entries
#####
00 * * * * /usr/local/bin/sysmirror.sh > /dev/null 2>&1

Updated /etc/apt/sources.list to move to Sarge:

deb http://mirrors.kernel.org/debian/ sarge main non-free contrib
deb-src http://mirrors.kernel.org/debian/ sarge main non-free contrib
deb http://non-us.debian.org/debian-non-US sarge/non-US main contrib non-free
deb-src http://non-us.debian.org/debian-non-US sarge/non-US main contrib non-free
deb http://security.debian.org/ sarge/updates main contrib non-free

apt-get update
apt-get upgrade
apt-get dist-upgrade

Installed the following deb packages:

smp kernel
mysql
ntp-refclock
bind9
ssmtp
host

Created the directory structure for the NFS mount points and system backup, then kludged a script together to back up over the network:

venus:~# cat /usr/local/bin/nfsmirror.sh
#!/bin/sh
# stop if the NFS mount fails, otherwise the copies below land on the local disk
mount 10.1.1.1:/DATA/backup /DATA || exit 1
# cp -aux: archive copy, only files newer than the backup's, and stay on one filesystem
cp -aux / /DATA/venus/root
cp -aux /boot/* /DATA/venus/boot
cp -aux /home/* /DATA/venus/home
cp -aux /usr/* /DATA/venus/usr
cp -aux /var/* /DATA/venus/var
cp -aux /tmp/* /DATA/venus/tmp
# marker file showing when the last backup run completed
touch /var/log/nfsmirror
umount /DATA
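Both mirror scripts copy whole trees into a directory that is supposed to be another filesystem, so the two failure modes worth guarding against are a target that is not actually mounted (a failed NFS mount, or /SYSMIRROR left as a plain directory, turns the copy into a root-filesystem fill) and two cron runs overlapping. The script below is an added example, not the author's script: it keeps the page's cp -aux copies, the 10.1.1.1:/DATA/backup export and the /DATA/venus layout, but refuses to copy unless the target is a mount point and serialises runs with a mkdir lock; the lock directory path, the NFSMIRROR-style environment overrides and the "run" argument are assumptions of this example. The same is_mounted check applies unchanged to the hourly sysmirror.sh target.

```shell
#!/bin/sh
# Hardened variant of the page's nfsmirror.sh pattern (added example, not the author's code).
NFS_EXPORT="${NFS_EXPORT:-10.1.1.1:/DATA/backup}"   # export from the page
BACKUP_ROOT="${BACKUP_ROOT:-/DATA}"                 # mount point from the page
HOST_NAME="${HOST_NAME:-venus}"                     # per-host subdirectory, as on the page
LOCK_DIR="${LOCK_DIR:-/var/lock/nfsmirror}"         # assumed lock location

# True only if the directory is a mount point, i.e. the target filesystem is really
# there. Without this check a failed mount makes cp write everything to the local disk.
is_mounted() {
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        # fallback: a mount point sits on a different device than its parent
        [ -d "$1" ] && [ "$(stat -c %d "$1")" != "$(stat -c %d "$1/..")" ]
    fi
}

# Mirror one tree. cp -aux: archive (perms, owners, links), copy only files newer
# than the target's, and never cross into other filesystems (so / leaves /proc alone).
mirror_tree() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    cp -aux "$src"/. "$dst"/
}

# Run a command under a mkdir lock so the hourly and daily jobs cannot overlap.
with_lock() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "nfsmirror: $LOCK_DIR held by another run, skipping" >&2
        return 1
    fi
    "$@" && rc=0 || rc=$?
    rmdir "$LOCK_DIR"
    return "$rc"
}

# Copy the same trees the page's script copies, but only onto a mounted target.
run_backup() {
    root="$1"; host="$2"
    if ! is_mounted "$root"; then
        echo "nfsmirror: refusing to copy, $root is not a mounted filesystem" >&2
        return 1
    fi
    rc=0
    for src in / /boot /home /usr /var /tmp; do
        if [ "$src" = / ]; then name=root; else name=$(basename "$src"); fi
        mirror_tree "$src" "$root/$host/$name" || rc=1
    done
    # the page's success marker, with a timestamp instead of a bare touch
    if [ "$rc" -eq 0 ]; then date > /var/log/nfsmirror; fi
    return "$rc"
}

# Mount, back up under the lock, and always unmount afterwards.
nfs_backup() {
    mount "$NFS_EXPORT" "$BACKUP_ROOT" || return 1
    with_lock run_backup "$BACKUP_ROOT" "$HOST_NAME" && rc=0 || rc=$?
    umount "$BACKUP_ROOT"
    return "$rc"
}

# Only perform the backup when invoked as "nfsmirror.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    nfs_backup
fi
```

The daily cron line then becomes `30 00 * * * /usr/local/bin/nfsmirror.sh run`; because the lock is a directory, a run that dies before rmdir leaves it behind, so a stale lock shows up as the "held by another run" message in cron mail rather than as a silently skipped backup.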

Added a cron entry to back up the entire system to the NFS mount once per day:

venus:~# crontab -l
#####
# Hourly entries
#####
00 * * * * /usr/local/bin/sysmirror.sh > /dev/null 2>&1

#####
# Daily entries
#####
30 00 * * * /usr/local/bin/nfsmirror.sh > /dev/null 2>&1

Installed the mysqlbu.pl script and edited it to fit the environment.
Added a cron entry to back up all databases once per hour, just prior to the hourly system mirror:

#####
# Hourly entries
#####
00 * * * * /usr/local/bin/sysmirror.sh > /dev/null 2>&1
45 * * * * /usr/local/bin/mysqlbu.pl > /dev/null 2>&1

#####
# Daily entries
#####
30 00 * * * /usr/local/bin/nfsmirror.sh > /dev/null 2>&1