I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like
Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
Looking at those addresses in whois, I don't see any good reason for these, and I'm concerned in case they are relays. Advice?
Anne
Anne Wilson wrote on Fri, 28 Mar 2008 09:23:30 +0000:
> Looking at those addresses in whois, I don't see any good reason for these,
I don't know what [IMAP rule match] means, haven't ever seen this. But it should be clear that if you have well-known ports open to the world, these attract brute-force attacks and such. That's how it is.
> and I'm concerned in case they are relays.
I'm not sure what you mean by that?
Kai
On Friday 28 March 2008 10:31:19 Kai Schaetzl wrote:
> Anne Wilson wrote on Fri, 28 Mar 2008 09:23:30 +0000:
> > Looking at those addresses in whois, I don't see any good reason for these,
> I don't know what [IMAP rule match] means, haven't ever seen this. But it should be clear that if you have well-known ports open to the world, these attract brute-force attacks and such. That's how it is.
Yes, I understand that. The imap port has to be open for me to use it when I'm away from home. I can see how attempts would pass the router firewall, given that. Hopefully the fail2ban on my server is dealing with a brute-force attack.
> > and I'm concerned in case they are relays.
> I'm not sure what you mean by that?
These, it seems, are outgoing packets. Why, then, have they got those source addresses? Is someone managing to bounce packets through my mail server to hide their tracks?
I've never seen many of these, just the occasional one. Sometimes they seem to relate to an ntp source. Often they seem to come from a university site. I think the fact that I don't see many means that I'm not being used as an open relay, but I'm not 100% confident of that. I'd like to understand what's happening.
Anne
> These, it seems, are outgoing packets. Why, then, have they got those source addresses? Is someone managing to bounce packets through my mail server to hide their tracks?
> I've never seen many of these, just the occasional one. Sometimes they seem to relate to an ntp source. Often they seem to come from a university site. I think the fact that I don't see many means that I'm not being used as an open relay, but I'm not 100% confident of that. I'd like to understand what's happening.
Open relay is not to do with IMAP - that's SMTP.
If this is an issue, rather than just forwarding the ports, set up an OpenVPN server on your LAN machine and access your LAN using the VPN.
Anne Wilson wrote:
> These, it seems, are outgoing packets. Why, then, have they got those source addresses? Is someone managing to bounce packets through my mail server to hide their tracks?
Presumably those logs are for incoming connections in your router (looks like a Netgear log to me). The source IP address is the address of the host trying to connect to your imap service (port 143).
> I've never seen many of these, just the occasional one. Sometimes they seem to relate to an ntp source. Often they seem to come from a university site. I think the fact that I don't see many means that I'm not being used as an open relay, but I'm not 100% confident of that. I'd like to understand what's happening.
Again, "being an open relay" refers to spammers being able to send (or relay) mail through your smtp server (port 25). IMAP is a protocol for you to retrieve mail, not send it.
You can check your mail server is not acting as an open relay here:
http://www.abuse.net/relay.html
It's probably a good idea to check each time you change something in /etc/postfix/main.cf if you are not 100% sure.
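Ned's reading of those router lines (inbound connections to the forwarded port, source = the remote host) can be checked mechanically. The following is an added example, not code from the thread: it parses records in exactly that Netgear-style format, labels each as inbound by comparing the destination with the server's public address (MY_PUBLIC_IP is taken from the posted lines), and flags any source that hits the same port repeatedly, which is the pattern fail2ban reacts to on the server side. The sample input is the three lines from the original post plus a constructed burst from 203.0.113.7.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# One Netgear-style firewall log record per line, as pasted in the thread.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
    r" - \[(?P<rule>[^\]]+)\]$")
MY_PUBLIC_IP = "88.97.17.41"  # destination address in the posted lines

def parse(line):
    """Return a dict for one log line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e

def direction(entry, my_ip=MY_PUBLIC_IP):
    """The router logs packets it forwarded: one addressed to our public IP
    came in from the Internet; it was not sent by our server."""
    return "inbound" if entry["dst"] == my_ip else "outbound"

def repeated_sources(entries, threshold=5, window=timedelta(minutes=10)):
    """(src, dport) -> total hits, for sources with >= threshold hits on one
    port inside `window`: the password-guessing pattern fail2ban reacts to."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[(e["src"], e["dport"])].append(e["ts"])
    flagged = {}
    for key, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[key] = len(times)
                break
    return flagged

# The three lines from the original post plus a constructed burst from 203.0.113.7.
SAMPLE_LOG = """\
Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
""" + "".join(
    f"Thu, 2008-03-27 03:00:{s:02d} - TCP Packet - Source:203.0.113.7,{40000 + s} "
    f"Destination:88.97.17.41,143 - [IMAP rule match]\n" for s in (5, 12, 20, 33, 41, 58))
SAMPLE_ENTRIES = [e for e in map(parse, SAMPLE_LOG.splitlines()) if e]
```

The three posted sources each appear once and are not flagged; only the constructed burst crosses the threshold.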
On Friday 28 March 2008 11:14:39 Ned Slider wrote:
> Anne Wilson wrote:
> > These, it seems, are outgoing packets. Why, then, have they got those source addresses? Is someone managing to bounce packets through my mail server to hide their tracks?
> Presumably those logs are for incoming connections in your router (looks like a Netgear log to me). The source IP address is the address of the host trying to connect to your imap service (port 143).
> > I've never seen many of these, just the occasional one. Sometimes they seem to relate to an ntp source. Often they seem to come from a university site. I think the fact that I don't see many means that I'm not being used as an open relay, but I'm not 100% confident of that. I'd like to understand what's happening.
> Again, "being an open relay" refers to spammers being able to send (or relay) mail through your smtp server (port 25). IMAP is a protocol for you to retrieve mail, not send it.
> You can check your mail server is not acting as an open relay here:
> http://www.abuse.net/relay.html
> It's probably a good idea to check each time you change something in /etc/postfix/main.cf if you are not 100% sure.
Thanks for the suggestion. I've had a look at the site, and even tried it, but I don't think it's designed for those of us who collect mail from the ISP's server. If I'm wrong, I register with an address that the ISP knows and try again, but it seems to me that it will be testing them, not me.
Anne
Anne Wilson wrote on Fri, 28 Mar 2008 10:50:08 +0000:
> These, it seems, are outgoing packets.
No, they are incoming. They have various sources and one destination and I suppose that's your server's IP. So they are incoming.
> open relay,
Relaying is SMTP. And you will see all sorts of connects on SMTP, too, but this doesn't mean they all are relay attempts ;-)
I just read Ned's reply and recognize I missed that part "my router" of your message. It's indeed just your packet filter reporting that it forwarded a packet on port 143 as instructed.
Kai
On Friday 28 March 2008 13:31:16 Kai Schaetzl wrote:
> Anne Wilson wrote on Fri, 28 Mar 2008 10:50:08 +0000:
> > These, it seems, are outgoing packets.
> No, they are incoming. They have various sources and one destination and I suppose that's your server's IP. So they are incoming.
> > open relay,
> Relaying is SMTP. And you will see all sorts of connects on SMTP, too, but this doesn't mean they all are relay attempts ;-)
> I just read Ned's reply and recognize I missed that part "my router" of your message. It's indeed just your packet filter reporting that it forwarded a packet on port 143 as instructed.
That sounds like nothing to worry about, then. I'm in the learning process of separating the log messages that say 'bear this in mind' from those that say 'do something about this, quick' :-)
Anne
Anne Wilson wrote:
> I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like
> Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
> Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
> Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
If you open ports, you will see folks scanning them - it's inevitable. A public mail server will attract interest from those wishing to exploit it.
> Looking at those addresses in whois, I don't see any good reason for these, and I'm concerned in case they are relays. Advice?
Those looking for relays would be more interested in the smtp port 25. The IMAP port is the port you connect to, to receive your mail. As long as your imap server (dovecot, courier-imap) is fully patched and presumably secure then you should be OK.
Advice - one potential weakness is that by default your username and password are likely being sent in plain text (not a good idea!). Someone could potentially intercept your username and password and access/use your email account. If that username/password is also your system account then potentially that could be compromised too.
There are a number of things you can do to harden your security. You could set up an additional user account with nologin for email so if the username/password does get compromised it's limited to purely email. You could run imap services on a non-standard port (security through obscurity), or firewall the connection to only allow trusted IP addresses (works if you always connect from known trusted IP addresses). None of these solutions are perfect, so probably the best method is to encrypt the connection using SSL. See howto here (for postfix/dovecot):
http://wiki.centos.org/HowTos/postfix_sasl
Hope that helps,
Ned
On Friday 28 March 2008 11:06:06 Ned Slider wrote:
> Anne Wilson wrote:
> > I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like
> > Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
> > Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
> > Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
> If you open ports, you will see folks scanning them - it's inevitable. A public mail server will attract interest from those wishing to exploit it.
> > Looking at those addresses in whois, I don't see any good reason for these, and I'm concerned in case they are relays. Advice?
> Those looking for relays would be more interested in the smtp port 25. The IMAP port is the port you connect to, to receive your mail. As long as your imap server (dovecot, courier-imap) is fully patched and presumably secure then you should be OK.
It is.
> Advice - one potential weakness is that by default your username and password are likely being sent in plain text (not a good idea!). Someone could potentially intercept your username and password and access/use your email account. If that username/password is also your system account then potentially that could be compromised too.
My various mail passwords are not system passwords, so at least that is avoided.
> There are a number of things you can do to harden your security. You could set up an additional user account with nologin for email so if the username/password does get compromised it's limited to purely email. You could run imap services on a non-standard port (security through obscurity), or firewall the connection to only allow trusted IP addresses (works if you always connect from known trusted IP addresses). None of these solutions are perfect, so probably the best method is to encrypt the connection using SSL. See howto here (for postfix/dovecot):
Thanks for the advice. It helps a lot.
Anne
Anne Wilson wrote:
> On Friday 28 March 2008 11:06:06 Ned Slider wrote:
> > Anne Wilson wrote:
> > > I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like
> > > Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
> > > Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
> > > Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
> > If you open ports, you will see folks scanning them - it's inevitable. A public mail server will attract interest from those wishing to exploit it.
> > > Looking at those addresses in whois, I don't see any good reason for these, and I'm concerned in case they are relays. Advice?
> > Those looking for relays would be more interested in the smtp port 25. The IMAP port is the port you connect to, to receive your mail. As long as your imap server (dovecot, courier-imap) is fully patched and presumably secure then you should be OK.
> It is.
> > Advice - one potential weakness is that by default your username and password are likely being sent in plain text (not a good idea!). Someone could potentially intercept your username and password and access/use your email account. If that username/password is also your system account then potentially that could be compromised too.
> My various mail passwords are not system passwords, so at least that is avoided.
> > There are a number of things you can do to harden your security. You could set up an additional user account with nologin for email so if the username/password does get compromised it's limited to purely email. You could run imap services on a non-standard port (security through obscurity), or firewall the connection to only allow trusted IP addresses (works if you always connect from known trusted IP addresses). None of these solutions are perfect, so probably the best method is to encrypt the connection using SSL. See howto here (for postfix/dovecot):
> Thanks for the advice. It helps a lot.
Consider using imaps instead of imap. It's not hard to set up and it will prevent password sniffing as well as silly kiddies who only probe non-SSL ports (my logs show a lot of 80, 21, 22, 110, 143 and currently not a single imaps).
On Friday 28 March 2008 21:14:25 mouss wrote:
> > > There are a number of things you can do to harden your security. You could set up an additional user account with nologin for email so if the username/password does get compromised it's limited to purely email. You could run imap services on a non-standard port (security through obscurity), or firewall the connection to only allow trusted IP addresses (works if you always connect from known trusted IP addresses). None of these solutions are perfect, so probably the best method is to encrypt the connection using SSL. See howto here (for postfix/dovecot):
> > Thanks for the advice. It helps a lot.
> Consider using imaps instead of imap. It's not hard to set up and it will prevent password sniffing as well as silly kiddies who only probe non-SSL ports (my logs show a lot of 80, 21, 22, 110, 143 and currently not a single imaps).
I'll read up on it, thanks.
Anne
On Fri, Mar 28, 2008, Anne Wilson wrote:
> I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like
You should be using secure IMAP on port 933, not port 143 where everything is sent in clear text. I don't know about other IMAP servers, but courier-imap handles this by default.
Most current e-mail clients allow one to set this up easily, either directly or using TLS to request a secure connection on an initial connection to port 143.
This doesn't keep people from trying dictionary attacks via imaps, but it does prevent them from sniffing the connections. Of course you are using good passwords, n'est-ce pas?
Bill
--
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
Intellectually, teachers fall between education theorists and bright cocker spaniels. (Probably closer to the education theorists. The AKC has been doing wonders with spaniels.) If you think I'm kidding look at the GREs for education majors, whose scores are the lowest of all fields, and remember that these are the smart ones. -- http://www.FredOnEverything.net
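Ned, mouss and Bill all point the same way: stop sending the IMAP password in the clear, either by moving to imaps or by requiring STARTTLS on port 143. An added example, not code from the thread, that lets the server owner verify this from the client side: the pure function reads the CAPABILITY line a server sends on port 143 before STARTTLS and reports whether a client could still hand it a clear-text password (a server that insists on TLS first advertises LOGINDISABLED and withholds AUTH=PLAIN/AUTH=LOGIN until the session is encrypted, per RFC 2595); the live check assumes Python 3.9+ for imaplib's timeout argument and the standard imaps port 993.

```python
import imaplib
import ssl

CLEAR_AUTH = {"AUTH=PLAIN", "AUTH=LOGIN"}  # mechanisms that send the password as-is

def plaintext_login_exposed(capability_line):
    """True if the CAPABILITY line (as sent on port 143 before STARTTLS) would
    let a client log in without first encrypting the session."""
    tokens = [t.upper() for t in capability_line.split()]
    caps = {t for t in tokens if t not in ("*", "CAPABILITY")}
    # Safe only when LOGIN is disabled and no clear-text SASL mechanism is offered.
    return "LOGINDISABLED" not in caps or bool(caps & CLEAR_AUTH)

def check_own_server(host, timeout=10):
    """Live self-check of your own server (needs the network; not run offline):
    what does port 143 offer before STARTTLS, and does imaps on 993 present a
    certificate that verifies against the system trust store?"""
    ctx = ssl.create_default_context()   # verifies hostname and chain
    report = {}
    try:
        with imaplib.IMAP4(host, 143, timeout=timeout) as c:
            pre_tls = "* CAPABILITY " + " ".join(c.capabilities)
            report["port143_plain_exposed"] = plaintext_login_exposed(pre_tls)
            c.starttls(ssl_context=ctx)  # raises if STARTTLS is missing or the cert fails
            report["port143_starttls_ok"] = True
    except (OSError, imaplib.IMAP4.error) as exc:
        report["port143_error"] = str(exc)
    try:
        with imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=timeout):
            report["port993_tls_ok"] = True
    except (OSError, imaplib.IMAP4.error) as exc:
        report["port993_error"] = str(exc)
    return report
```

A healthy result is port143_plain_exposed False (or port 143 closed entirely) together with port993_tls_ok True.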
On Friday 28 March 2008 16:12:24 Bill Campbell wrote:
> On Fri, Mar 28, 2008, Anne Wilson wrote:
> > I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like
> You should be using secure IMAP on port 933, not port 143 where everything is sent in clear text. I don't know about other IMAP servers, but courier-imap handles this by default.
> Most current e-mail clients allow one to set this up easily, either directly or using TLS to request a secure connection on an initial connection to port 143.
> This doesn't keep people from trying dictionary attacks via imaps, but it does prevent them from sniffing the connections. Of course you are using good passwords, n'est-ce pas?
Not as strong as system passwords. I'll think this one through, thanks.
Anne