List rogue connections

[sjoram]

I'm seeing a significant increase in the number of remote rogue hosts attempting connections to AMS, mainly via SMTP.

I see these failing in the logs and login being disallowed. Is there any way to get a 'list' of addresses that have failed, for example, within the past 24 hours, so that I could add these to be dropped at a network (firewall) level? I have seen instances where CPU utilisation has spiked with AMS and I have had to restart the service to recover. My suspicion is due to spikes in concurrent rogue connections.

[Code Crafters]

You can only gather this information from the SMTP logs as you mentioned.

If you want us to create you a custom app to search the logs and output certain offending IPs to another file, we can give you a quote to do this. If interested, contact info@codecrafters.com for more information.

[sjoram]

Thanks, I have dropped a /16 network on my firewall which has eliminated a fair swathe of recent rogue traffic.

I'm still seeing AMS sitting at no less than 50% CPU and having spikes up towards 100% when clients connect. One mobile device has started having problems with both push (IDLE) and fetch style IMAP in the past few days.

I am running an older version of 3.x that hasn't had an update in quite some time and has only recently begun exhibiting this behaviour, so I can't even be sure that upgrading to the latest version 4.x will improve, but that is on my list to do in the near future. Home server, so budget considerations!

[sjoram]

I've now switched all of my Android clients to fetch every 15 mins rather than operate on push and they seem to have settled, for now.

One was refusing to connect at all for some time due to a "security error". I'm using a Let's Encrypt wildcard SSL which is working fine on other clients.

I had used IISCrypto set to 'best practices', I re-enabled some old protocols in case that was causing an issue, but haven't rebooted the OS since making that change.

[Code Crafters]

Ability Mail Server 4 has a new much improved WebMail system. It also has newer SSL updates but otherwise, it may not improve your issues. You can try it free for 30 days to see if it helps though. See https://www.codecrafters.com/AbilityMailServer/Download to download a free trial and https://www.codecrafters.com/AbilityMai ... ateHistory for all updates.

[sjoram]

Quick update to this for the benefit of others...

I resolved the issue I had with Android clients using the Let's Encrypt cert. It wasn't an issue with the cert per-se, but Let's Encrypt provides the ca_bundle intermediate & root certs as a separate file.
During the process of converting the Let's Encrypt cert into various formats for different applications, my lack of knowledge meant that I'd missed the fact I needed to include that as part of the certificate chain.
As soon as I did so, Android clients behaved normally. I'm only using Windows/Android devices for IMAP/SMTP and Windows behaved fine at all times, hence it took a while to spot.

With regards to the original issue, I've also found that a website is providing a free service of daily updated blacklisted IP addresses/subnets (blocklist.de, spamhaus and dshield, also known TOR nodes) in a format that my firewall can ingest to an address list through a script. This has eliminated 95% of malicious connection attempts previously seen in AMS logs. I haven't since seen any issues with a DoS type scenario. https://www.squidblacklist.org/

[Code Crafters]

Thanks for the extra information. Hopefully this will help others.

[EKjellquist]

Been using Let's Encrypt for a few years now; I use their le64.exe along with DNS verification to generate my certs for various things, I use the following command for certs for AMS specifically:

le64.exe -key <Domain Name>.key -csr <mail subdomain>.csr -csr-key <mail subdomain>.key -crt <mail subdomain>.crt -domains "<mail subdomain>" -generate-missing -handle-as dns -live

<Domain Name> is my main domain and <mail subdomain> is in the form of mail.example.com. The above will generate a 4096-bit RSA PEM-style cert with key by default that work right in AMS' cert import tool. AFAIK AMS/AFS don't yet support more rigorous ECC curve certs, but 4096 RSA is still pretty good as of this writing.

The only thing you need in this method is access to your domain registrar so you can add a temporary TXT entry (which shows that you 'own' the domain), but it's pretty quick, takes me perhaps 5 mins to process and update the certs to AMS every ~85 days or so.

[sjoram]

Thought I would post an update regarding my reference to firewall dynamic blacklists.
I found SquidBlacklist which someone had written for my router vendor, Mikrotik's RouterOS.
I was using this for a number of months but noticed that it had stopped working.
I later learned that the guy running the site and code had passed away several months prior. It had continued for a while under automation but eventually the service stopped.
I managed to find a replacement script which queries various published lists directly.
I thought I would share my RouterOS script as I'm sure it could be adapted to suit other platforms.
I have the script running once daily or on reboot. The first action is to clear the existing content of the list and then re-import the latest entries.
I then have a firewall rule at the top of my policy before anything else to drop any traffic with a source address matching the list.
I also have a further list & rules for IP addresses or subnets manually added from being observed in AMS logs etc.

Code: Select all

/ip firewall address-list remove [/ip firewall address-list find list=dynamicblacklist]
/ip firewall address-list
:local update do={
:do {
:local data ([:tool fetch url=$url output=user as-value]->"data")
remove [find list=blacklist comment=$description]
:while ([:len $data]!=0) do={
:if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}") do={
:do {add list=dynamicblacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) timeout=2d} on-error={}
}
:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
}
} on-error={:log warning "Address list <$description> update failed"}
}
$update url=http://feeds.dshield.org/block.txt description="dshield" delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="spamhausdrop" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="spamhausextended" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt description="bambenek" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="abuse-ch" delimiter=("\r")
$update url=http://malc0de.com/bl/IP_Blacklist.txt description="Malc0de" delimiter=("\n")
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n")


[Code Crafters]

Thanks for the update.