Prev: DSN without attachment?
Next: How Virtual users?
From: "John te Bokkel / Tempus" on 12 May 2010 10:40

I came across an interesting attack when I was setting up fail2ban. My fail2ban config didn't have the ignoreip variable set correctly, so I ended up accidentally temp-banning localhost, but it brought an interesting bit of log to my attention.

    May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: dGVzdA==
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: test
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
    May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
    May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: YWRtaW4=
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: admin
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
    May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
    May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: aW5mbw==
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: info
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
    May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
    May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: cG9zdG1hc3Rlcg==
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: postmaster
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
    May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
    May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: d2VibWFzdGVy
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: webmaster
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
    May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
    May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: dGVzdA==
    May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: test
    May 10 12:00:42 [imapd] Connection, ip=[::ffff:127.0.0.1]
    May 10 12:00:42 [authdaemond] received auth request, service=imap, authtype=login
    May 10 12:00:42 [authdaemond] authpam: trying this module
    May 10 12:00:42 [authdaemond] authpam: username 'test' not found in password file
    May 10 12:00:42 [authdaemond] authpam: REJECT - try next module
    May 10 12:00:42 [authdaemond] authshadow: trying this module
    May 10 12:00:42 [authdaemond] authshadow: REJECT - try next module
    May 10 12:00:42 [authdaemond] FAIL, all modules rejected
    May 10 12:00:42 [imapd] LOGIN FAILED, user=test, ip=[::ffff:127.0.0.1]

I have left out the other auth requests for admin, info, postmaster, and webmaster as they follow the same pattern.

What it looks like to me is that postfix/smtpd is taking care of the decoding and then passing on the decoded request to the authentication system. Is there a way to pass the real source IP address to imapd/authdaemond? Or perhaps I need to change the way the auth is done? I would like to be able to ban the offending IP as the attack is happening.

Regards,
John teBokkel
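The log above shows where the banning problem sits: the remote address 190.144.44.228 appears only in the postfix/smtpd lines, while every imapd/authdaemond line reports the loopback hop ::ffff:127.0.0.1, so a fail2ban filter watching the IMAP-side log can only ever "catch" localhost. The `<`/`>` lines with raw base64 are debug output (smtpd run with -v); at normal verbosity Postfix logs a `warning: host[ip]: SASL LOGIN authentication failed` line that carries the same remote IP. The following Python is an added example, not code from the original post nor from fail2ban, Postfix or Courier: it decodes the base64 client responses, attributes attempts to the remote IP from the smtpd lines, also counts the normal-verbosity warning form, excludes loopback the way a correct ignoreip setting would, and lists IPs over a threshold. The sample log is constructed from the lines in the post plus one constructed warning line; the regex names, the `ban_candidates` threshold and all function names are the example's own.

```python
import base64
import binascii
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed sample, modelled on the verbose Postfix/Cyrus SASL lines in the post,
# interleaved with the Courier imapd/authdaemond lines that only ever show loopback.
# The last "warning: ... SASL LOGIN authentication failed" line is constructed to show
# the form Postfix logs when smtpd is NOT running with -v.
SAMPLE_LOG = """\
May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: dGVzdA==
May 10 12:00:42 [postfix/smtpd] xsasl_cyrus_server_next: decoded response: test
May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: YWRtaW4=
May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: aW5mbw==
May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: cG9zdG1hc3Rlcg==
May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: d2VibWFzdGVy
May 10 12:00:42 [postfix/smtpd] > unknown[190.144.44.228]: 334 UGFzc3dvcmQ6
May 10 12:00:42 [postfix/smtpd] < unknown[190.144.44.228]: dGVzdA==
May 10 12:00:42 [imapd] Connection, ip=[::ffff:127.0.0.1]
May 10 12:00:42 [authdaemond] authpam: username 'test' not found in password file
May 10 12:00:42 [imapd] LOGIN FAILED, user=test, ip=[::ffff:127.0.0.1]
May 10 12:00:43 [postfix/smtpd] warning: unknown[190.144.44.228]: SASL LOGIN authentication failed: authentication failure
"""

# Client -> server SASL response (smtpd -v only). The remote IP lives here.
CLIENT_LINE = re.compile(r"\[postfix/smtpd\] < \S+\[(?P<ip>[^\]]+)\]: (?P<b64>\S+)\s*$")
# Normal-verbosity failure warning; also carries the remote IP.
SASL_FAIL = re.compile(r"\[postfix/smtpd\] warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
# Courier imapd failure: its ip= field is the local hop, never the attacker.
IMAP_FAIL = re.compile(r"\[imapd\] LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]")


def decode_sasl(b64: str) -> Optional[str]:
    """Decode one base64 SASL token; None if the token is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1, including IPv4-mapped forms such as ::ffff:127.0.0.1."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)  # IPv6Address only; None otherwise
    target = mapped if mapped is not None else addr
    return target.is_loopback


def sasl_responses(log: str) -> dict:
    """Remote IP -> decoded client SASL responses, in log order.

    Several connections can log within the same second, so the example does not
    try to pair usernames with passwords; every client response counts as one attempt.
    """
    out = defaultdict(list)
    for line in log.splitlines():
        m = CLIENT_LINE.search(line)
        if m:
            decoded = decode_sasl(m["b64"])
            if decoded is not None:
                out[m["ip"]].append(decoded)
    return dict(out)


def auth_failures(log: str) -> Counter:
    """Remote IP -> number of 'SASL ... authentication failed' warnings."""
    return Counter(m["ip"] for m in map(SASL_FAIL.search, log.splitlines()) if m)


def imap_failure_sources(log: str) -> set:
    """IPs named in imapd LOGIN FAILED lines; for SMTP-relayed auth this is only loopback."""
    return {m["ip"] for m in map(IMAP_FAIL.search, log.splitlines()) if m}


def ban_candidates(log: str, threshold: int = 5) -> list:
    """Remote IPs with at least `threshold` attempts, with loopback always excluded."""
    score = Counter({ip: len(r) for ip, r in sasl_responses(log).items()})
    score.update(auth_failures(log))
    return sorted(ip for ip, n in score.items() if n >= threshold and not is_loopback(ip))


if __name__ == "__main__":
    for ip, responses in sasl_responses(SAMPLE_LOG).items():
        print(f"{ip}: {responses}")
    print("imapd reports only:", imap_failure_sources(SAMPLE_LOG))
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

Run against the sample, the smtpd lines yield six decoded attempts (test, admin, info, postmaster, webmaster, test) plus one warning for 190.144.44.228, while the imapd lines yield only ::ffff:127.0.0.1, which `ban_candidates` refuses to list. In fail2ban terms, `CLIENT_LINE` and `SASL_FAIL` are the patterns to turn into a failregex with `<HOST>` in place of the IP group, pointed at the mail log rather than at the imapd/authdaemond output.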