Tag Archives: mysql

Email Server Attack

Type: Brute Force
Protocol: POP3
OS: Linux 3.6.11+ armv6l
Platform: Pi Rev. B
Memory: 512M
Daemon: Dovecot 2.1.7-7
Backend Daemon: MySQL 5.5
Backend OS: Linux 2.6.32-5-amd64
Backend Platform: Generic AMD A4-3400 APU Dual Core
Backend Memory: 3.5G
Total Attempts: 13356
Avg. Attempt/s: 2.71

Postmortem:
67.136.48.186 was *unable* to successfully authenticate to any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.

Further Information:
Fail2ban did not detect the attack; research is ongoing.
Fail2ban's ability to check logging may have been overwhelmed.
All logging is done remotely; no local logging occurs.
The RPi handled the traffic/load well and never swapped.

Log Excerpt:

Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:27 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
Feb 22 18:14:40 hcpi004 dovecot: auth-worker(8400): sql(administrator,67.136.48.186): unknown user
Feb 22 18:14:43 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user

*SNIP*

Feb 22 19:35:23 hcpi004 dovecot: auth-worker(25283): sql(bridgette,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(danielle,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(coach,67.136.48.186): unknown user
Feb 22 19:36:39 hcpi004 dovecot: auth-worker(26746): sql(chuck,67.136.48.186): unknown user
Feb 22 19:36:43 hcpi004 dovecot: auth-worker(26746): sql(bryson,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(denise,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(dev,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(bridget,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dominic,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dakota,67.136.48.186): unknown user
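As an added illustration (not part of the original post), the Python below checks Dovecot auth-worker lines of the format shown above the way a fail2ban-style jail would: it parses each sql(user,ip) "unknown user" record and flags any source that reaches maxretry failures within findtime seconds. The sample lines are constructed in the same format as the excerpt, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the Dovecot auth-worker format seen in the excerpt.
SAMPLE_LOG = """\
Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:20 hcpi004 dovecot: auth-worker(8400): sql(alice,192.0.2.10): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
"""

# Matches the "auth-worker(pid): sql(<user>,<ip>): unknown user" failure line.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: '
    r'auth-worker\(\d+\): sql\((?P<user>[^,]*),(?P<ip>[0-9.]+)\): unknown user$'
)


def parse_failures(text, year=2013):
    """Yield (timestamp, user, ip) per failed lookup.

    Syslog lines carry no year, so the year is an assumed parameter."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m['user'], m['ip']


def offending_ips(text, maxretry=5, findtime=600):
    """Return {ip: time_of_trigger} for sources with >= maxretry failures
    inside a sliding window of findtime seconds (fail2ban's maxretry/findtime
    semantics). Lines are assumed to be in chronological order."""
    windows = defaultdict(deque)
    hits = {}
    for ts, _user, ip in parse_failures(text):
        q = windows[ip]
        q.append(ts)
        # Drop attempts that have aged out of the window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in hits:
            hits[ip] = ts
    return hits
```

Running offending_ips over a full day of remote syslog output shows which sources would have been banned under a given maxretry/findtime, which is the comparison needed when a jail fails to fire.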

Building a MySQL Capable Postfix RPM

Build Environment:
CentOS 5 x86_64
Postfix 2.3.3 Sources
gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)

2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

# Get the src
1) wget http://mirror.centos.org/centos/5.3/centosplus/SRPMS/postfix-2.3.3-2.1.centos.mysql_pgsql.src.rpm

# Install the src RPM
2) rpm -i postfix-2.3.3-2.1.centos.mysql_pgsql.src.rpm

# Install some dependencies I didn’t have
3.1) yum install pcre-devel
3.2) yum install rpm-build
3.3) yum install mysql-devel.x86_64 openldap-devel.x86_64 db4-devel.x86_64
3.4) yum install gcc.x86_64

# Edit SPECS; remove postgres support
4.1) cd /usr/src/redhat/SPECS
4.2) vi postfix.spec and change “%define PGSQL 1” to “%define PGSQL 0”
# I didn’t want Postgres support
4.3) “%define MYSQL 1” was already defined for me

# Build the new rpm
5) rpmbuild -ba postfix.spec # Ignore warnings

# Install the new rpm
6.1) cd /usr/src/redhat/RPMS
6.2) rpm -i postfix-2.3.3-2.1.centos.mysql_pgsql.x86_64.rpm

Building an RPM build environment: CentOS Wiki

Debian: Email Server Build

Another semi-how-to for my old email server build.

1. Partition harddrive:
/boot 150MB Primary hda1 bootable
/ 3000MB Logical hda5
/var 15000MB Logical hda6
/home 6000MB Logical hda7
swap 1024MB Primary hda3 end of drive
/usr Balance Logical hda8

2. Activate swap partition
3. Initialize / first, then the rest (all partitions ext3)
4. Install kernel
5. Configure network
6. Install base system via http
7. Make system bootable
a. Install lilo into the MBR
b. Put all entries into menu
8. Reboot system
9. Remove pcmcia packages
10. Cancel out of all package managers (tasksel and apt)
11. No configuration of email system (exim)
12. Edit /etc/apt/sources.list to run Sarge:
deb http://debian.mirrors.pair.com sarge main non-free contrib
deb http://ftp.uk.debian.org/debian-non-US sarge/non-US main non-free contrib
deb http://security.debian.org/ sarge/updates main contrib non-free
13. apt-get update
14. apt-get dist-upgrade (may have to run multiple times)
15. apt-get install dhcp3-server (use config in cvs)
16. apt-get install bind9 (use namedb files in cvs)
17. apt-get install apache-common (use config in cvs)
18. apt-get install postfix-tls postfix-mysql
a. Internet with smarthost
b. mail.mchsi.com (for relaying)
c. noc@tekengine.net (added to aliases)
19. Configure postfix main.cf
a. useradd virtual (same uid/gid list in main.cf)
b. mkdir /var/virtual (chmod 750, chown virtual)
c. copy virtual dir to current server
d. copy mysql* files to /etc/postfix (use files in cvs)
e. /etc/init.d/postfix restart
f. mailq to check queue status
20. apt-get install libsasl2-modules libsasl2-modules-mysql
a. configure main.cf (check cvs)
b. copy smtpd.conf to /etc/postfix/sasl (file in cvs)
21. Test connectivity
a. telnet mercury 25
b. send email using client on LAN
22. apt-get install amavisd-new clamav-daemon spamassassin
a. accept defaults
23. apt-get install courier-imap-ssl courier-authmysql courier-pop-ssl
a. edit authdaemon
b. edit authmysql
c. /etc/init.d/courier-authdaemon
24. Edit amavis conf file to desired thresholds
25. Edit master.cf and main.cf to use amavisd

conf files:
/etc/courier/authmysqlsrc
/etc/postfix/mysql*
/etc/postfix/sasl/smtpd.conf
squirrelmail config