List rogue connections

List rogue connections

Postby sjoram » Tue Aug 27, 2019 9:41 am

I'm seeing a significant increase in the number of remote rogue hosts attempting connections to AMS, mainly via SMTP.

I see these failing in the logs and login being disallowed. Is there any way to get a 'list' of addresses that have failed, for example, within the past 24 hours, so that I could add these to be dropped at a network (firewall) level? I have seen instances where CPU utilisation has spiked with AMS and I have had to restart the service to recover. My suspicion is due to spikes in concurrent rogue connections.
sjoram
 
Posts: 25
Joined: Fri Sep 26, 2008 10:45 pm

Re: List rogue connections

Postby Code Crafters » Tue Aug 27, 2019 10:10 pm

You can only gather this information from the SMTP logs as you mentioned.

If you want us to create you a custom app to search the logs and output certain offending IPs to another file, we can give you a quote to do this. If interested, contact info@codecrafters.com for more information.
Code Crafters
 
Posts: 879
Joined: Mon Sep 10, 2007 2:35 pm

Re: List rogue connections

Postby sjoram » Fri Aug 30, 2019 10:16 pm

Thanks, I have dropped a /16 network on my firewall which has eliminated a fair swathe of recent rogue traffic.

I'm still seeing AMS sitting at no less than 50% CPU and having spikes up towards 100% when clients connect. One mobile device has started having problems with both push (IDLE) and fetch style IMAP in the past few days.

I am running an older version of 3.x that hasn't had an update in quite some time and has only recently begun exhibiting this behaviour, so I can't even be sure that upgrading to the latest version 4.x will improve, but that is on my list to do in the near future. Home server, so budget considerations! :D
sjoram
 
Posts: 25
Joined: Fri Sep 26, 2008 10:45 pm

Re: List rogue connections

Postby sjoram » Sat Aug 31, 2019 7:20 am

I've now switched all of my Android clients to fetch every 15 mins rather than operate on push and they seem to have settled, for now.

One was refusing to connect at all for some time due to a "security error". I'm using a Let's Encrypt wildcard SSL which is working fine on other clients.

I had used IISCrypto set to 'best practices'; I re-enabled some old protocols in case that was causing an issue, but haven't rebooted the OS since making that change.
sjoram
 
Posts: 25
Joined: Fri Sep 26, 2008 10:45 pm

Re: List rogue connections

Postby Code Crafters » Wed Sep 04, 2019 10:13 pm

Ability Mail Server 4 has a new much improved WebMail system. It also has newer SSL updates but otherwise, it may not improve your issues. You can try it free for 30 days to see if it helps though. See https://www.codecrafters.com/AbilityMailServer/Download to download a free trial and https://www.codecrafters.com/AbilityMai ... ateHistory for all updates.
Code Crafters
 
Posts: 879
Joined: Mon Sep 10, 2007 2:35 pm

Re: List rogue connections

Postby sjoram » Wed Jan 22, 2020 7:35 pm

Quick update to this for the benefit of others...

I resolved the issue I had with Android clients using the Let's Encrypt cert. It wasn't an issue with the cert per se, but Let's Encrypt provides the ca_bundle intermediate & root certs as a separate file.
During the process of converting the Let's Encrypt cert into various formats for different applications, my lack of knowledge meant that I'd missed the fact I needed to include that as part of the certificate chain.
As soon as I did so, Android clients behaved normally. I'm only using Windows/Android devices for IMAP/SMTP and Windows behaved fine at all times, hence it took a while to spot.

With regards to the original issue, I've also found that a website is providing a free service of daily updated blacklisted IP addresses/subnets (blocklist.de, spamhaus and dshield, also known TOR nodes) in a format that my firewall can ingest to an address list through a script. This has eliminated 95% of malicious connection attempts previously seen in AMS logs. I haven't since seen any issues with a DoS type scenario. https://www.squidblacklist.org/
sjoram
 
Posts: 25
Joined: Fri Sep 26, 2008 10:45 pm
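Ingesting a daily blocklist feed into a firewall address list, as an added example that is not code from the thread or from any of the feed providers mentioned: the feed text and the ALLOWLIST networks are constructed, and the checks for over-broad prefixes and for overlap with your own networks are the two things a broken or poisoned feed would otherwise turn into a self-inflicted outage.

```python
"""Normalise a downloaded IP blocklist feed into firewall-ready CIDR entries.
Added example; SAMPLE_FEED is constructed, a real run reads the downloaded file.
"""
import ipaddress

# Constructed feed: a comment, bare hosts, an overlapping network, a duplicate,
# a private range, a /0 that would block everything, and a malformed line.
SAMPLE_FEED = """\
# blocklist export, generated daily
203.0.113.45
203.0.113.0/24
198.51.100.7
198.51.100.8
198.51.100.8
10.0.0.0/8
0.0.0.0/0
this-is-not-an-address
"""

# Constructed: networks that must never end up in the drop list (own LAN, upstream, monitoring).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def parse_feed(text, allowlist=ALLOWLIST, min_prefixlen=8):
    """Return (cidrs, rejected): collapsed CIDR strings and (line, reason) pairs."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "malformed"))
            continue
        if net.prefixlen < min_prefixlen:
            rejected.append((line, "too broad"))  # guard against a broken feed
            continue
        if any(net.overlaps(a) for a in allowlist if a.version == net.version):
            rejected.append((line, "overlaps allowlist"))
            continue
        nets.append(net)
    cidrs = []
    for version in (4, 6):  # collapse_addresses refuses mixed IP versions
        same = [n for n in nets if n.version == version]
        # merges duplicates, adjacent pairs and networks contained in larger ones
        cidrs.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return cidrs, rejected
```

Log the rejected list on every run: a sudden jump in "too broad" or "overlaps allowlist" entries is the signal that the upstream feed changed or was tampered with.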

Re: List rogue connections

Postby Code Crafters » Mon Jan 27, 2020 11:08 pm

Thanks for the extra information. Hopefully this will help others.
Code Crafters
 
Posts: 879
Joined: Mon Sep 10, 2007 2:35 pm

Re: List rogue connections

Postby EKjellquist » Thu Jan 30, 2020 5:08 pm

Been using Let's Encrypt for a few years now; I use their le64.exe along with DNS verification to generate my certs for various things. I use the following command for certs for AMS specifically:

le64.exe -key <Domain Name>.key -csr <mail subdomain>.csr -csr-key <mail subdomain>.key -crt <mail subdomain>.crt -domains "<mail subdomain>" -generate-missing -handle-as dns -live

<Domain Name> is my main domain and <mail subdomain> is in the form of mail.example.com. The above will generate a 4096-bit RSA PEM-style cert with key by default that works right in AMS' cert import tool. AFAIK AMS/AFS don't yet support more rigorous ECC curve certs, but 4096 RSA is still pretty good as of this writing.

The only thing you need in this method is access to your domain registrar so you can add a temporary TXT entry (which shows that you 'own' the domain), but it's pretty quick, takes me perhaps 5 mins to process and update the certs to AMS every ~85 days or so.
EKjellquist
 
Posts: 55
Joined: Tue Sep 09, 2014 10:40 pm
