Re: Security Breaches [message #102755 is a reply to message #102753]
Wed, 15 May 2013 17:11
InterHmai
Messages: 13 Registered: November 2007
BePo wrote on Wed, 15 May 2013 16:12:
    Attacks and probes are just normal if you have a computer connected to internet.
Correct. In our specific case, we had IMAP available, but staff do not have instructions on how to use it. So if anyone uses it, it stands out. Or if there are failed logins via IMAP it stands out.
Looking back at our kerio security log, we had pretty much 0 IMAP activity until March, then some failed IMAP logins here and there up until May when the compromised account reports started coming in. We had 2 reported accounts compromised. On the 2nd one, I caught the tail-end of the attack and saw an open IMAP connection on the compromised account that should not have been there. Then I shut down IMAP service entirely and initiated password resets.
So no indication of password hammering, but some probing via IMAP. Then successful entry (apparently via IMAP), and subsequent sending of spam.
Re: Security Breaches [message #102760 is a reply to message #102755]
Wed, 15 May 2013 18:08
BePo
Messages: 12 Registered: May 2013 Location: Germany
InterHmai wrote on Wed, 15 May 2013 17:11:
    So no indication of password hammering, but some probing via IMAP. Then successful entry (apparently via IMAP), and subsequent sending of spam.
I agree on low probing or no probing during the past 9 months - this month we had 700 attempts on SMTP within 4 days from ONE single IP. The particular probe was in "stealth style", 8 to 15 mins between each try.
As a consequence I installed fail2ban to monitor IMAP and SMTP login failures - 3 attempts within 1 hour will hopefully block those probing.
fail2ban is a little bit tricky to install for Kerio - regexp for date/time stamp.
If someone requires details for fail2ban please let me know.
Re: Security Breaches [message #102822 is a reply to message #102761]
Thu, 16 May 2013 22:07
Machete
Messages: 187 Registered: February 2012 Location: United States
FWIW - Looking back over the last 2-3 months, this is all I have in my security log on failed login attempts:
[16/May/2013 12:03:12] SMTP: User info@[mydomain].com doesn't exist. Attempt from IP address 180.159.216.41.
[16/May/2013 12:03:18] Failed SMTP login from 180.159.216.41 with SASL method LOGIN.
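As an added example (not code from this thread, from Kerio, or from fail2ban), here is a small Python script doing what BePo's fail2ban jail above is meant to do: parse the `[DD/Mon/YYYY HH:MM:SS]` timestamp and source IP out of security-log lines shaped like the two Machete quoted, and flag any IP with 3 or more login failures inside a sliding one-hour window, which also catches the slow "stealth style" probing BePo described. The sample log is constructed, and the IMAP/POP3 line shape is an assumption modelled on the SMTP one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Timestamp + source IP of a failed-login line, shaped after the two SMTP lines quoted
# above; the IMAP/POP3 variant ("Failed IMAP login from <ip>") is an assumption.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] .*?"
    r"(?:Failed (?:SMTP|IMAP|POP3) login from|Attempt from IP address) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_line(line):
    """Return (timestamp, ip) for a failed-login line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"), m.group("ip")

def offenders(lines, maxretry=3, findtime=timedelta(hours=1)):
    """Map IP -> (first, last) timestamp of the first maxretry failures that fit in a
    sliding findtime window (fail2ban's maxretry/findtime idea)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append(parsed[0])
    flagged = {}
    for ip, stamps in events.items():
        window = []
        for ts in sorted(stamps):
            window.append(ts)
            while ts - window[0] > findtime:  # drop failures older than findtime
                window.pop(0)
            if len(window) >= maxretry:
                flagged[ip] = (window[0], ts)
                break
    return flagged

# Constructed sample log: one slow prober (4 failures in 24 min) and one user who
# mistyped a password once and then logged in (198.51.100.9 must not be flagged).
SAMPLE_LOG = [
    "[16/May/2013 12:03:12] SMTP: User info@example.com doesn't exist. Attempt from IP address 203.0.113.7.",
    "[16/May/2013 12:03:18] Failed SMTP login from 203.0.113.7 with SASL method LOGIN.",
    "[16/May/2013 12:15:40] Failed IMAP login from 203.0.113.7.",
    "[16/May/2013 12:27:05] Failed SMTP login from 203.0.113.7 with SASL method LOGIN.",
    "[16/May/2013 12:30:00] Failed IMAP login from 198.51.100.9.",
    "[16/May/2013 12:31:00] IMAP: User jdoe logged in from 198.51.100.9.",
]
```

Calling `offenders(SAMPLE_LOG)` returns only 203.0.113.7, with the window 12:03:12 to 12:15:40; the single typo from 198.51.100.9 stays under the threshold, which is the distinction andrewrob is missing in a log full of post-reset password errors.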
Re: Security Breaches [message #102909 is a reply to message #102200]
Sun, 19 May 2013 20:31
andrewrob
Messages: 40 Registered: November 2007
I have started a full password reset but as we have 290 users I am doing it bit by bit. My problem is that now the security log is full of password errors as people change their password and forget to go and change all the different programs they use! I can't tell what is hacking and what is legit people!
Re: Security Breaches [message #102968 is a reply to message #102200]
Mon, 20 May 2013 18:18
tonyswu
Messages: 86 Registered: July 2010 Location: Bellevue, WA
We had this open to one of our users last week. I don't think the problem is with Kerio though, to be honest. We host some 300 users on our Kerio server, and if the problem were with Kerio I would expect a much bigger impact than 1 user. I definitely think their password was compromised elsewhere and used to log in to their mail account.