[Eisfair] Mail server attacks <> bfb
Rolf Bensch
azubi at bensch-net.de
Tue Feb 4 12:03:45 CET 2025
Hi all,
For about three weeks I have been seeing massive attack attempts on the mail server here. The problem is that the attackers' IP addresses keep changing:
exim-mainlog:
2025-02-04 10:03:25 cram_server authenticator failed for ([183.66.113.58]) [183.66.113.58]: 535 Incorrect authentication data (set_id=root at mydomain.de)
2025-02-04 10:03:25 cram_server authenticator failed for ([189.6.78.182]) [189.6.78.182]: 535 Incorrect authentication data (set_id=administrator at mydomain.de)
2025-02-04 10:03:25 cram_server authenticator failed for (180-222-166-212.static.dsl.net.au) [180.222.166.212]: 535 Incorrect authentication data (set_id=usenet)
2025-02-04 10:03:26 cram_server authenticator failed for ([218.93.229.146]) [218.93.229.146]: 535 Incorrect authentication data (set_id=webmaster)
2025-02-04 10:03:26 cram_server authenticator failed for ([31.173.25.73]) [31.173.25.73]: 535 Incorrect authentication data (set_id=ftp)
2025-02-04 10:03:28 cram_server authenticator failed for ([27.45.210.10]) [27.45.210.10]: 535 Incorrect authentication data (set_id=postmaster)
Today from 00:00 to 11:50 about 8500 attacks with constantly changing IPs.
BFB seems to be hitting a capacity limit here:
Feb 4 10:30:13 eis64-3 initfile[31156]: cat: /brute_force_blocking/atackingips: No space left on device
Feb 4 10:30:13 eis64-3 initfile[31217]: cat: /brute_force_blocking/atackingips: No space left on device
Feb 4 10:49:45 eis64-3 initfile[10271]: cat: /brute_force_blocking/atackingips: No space left on device
Feb 4 10:50:15 eis64-3 initfile[1126]: /brute_force_blocking/brute_force_blocking: line 2635: echo: write error: No space left on device
Feb 4 10:50:15 eis64-3 initfile[26881]: cat: /brute_force_blocking/atackingips: No space left on device
Feb 4 10:50:16 eis64-3 initfile[1126]: /brute_force_blocking/brute_force_blocking: line 2633: echo: write error: No space left on device
whereas:
>df -h /brute_force_blocking/
Filesystem Size Used Avail Use% Mounted on
tmpfs 2.0M 484K 1.6M 24% /brute_force_blocking
so there is still space in the RAM disk, and bfb has not been restarted in the meantime either:
> systemctl status brute_force_blocking
● brute_force_blocking.service - Brute Force Blocking service
Loaded: loaded (/usr/lib/systemd/system/brute_force_blocking.service; static)
Active: active (exited) since Fri 2025-01-31 05:34:23 CET; 4 days ago
TriggeredBy: ● brute_force_blocking.timer
Process: 558 ExecStart=/usr/local/brute_force_blocking/initfile start (code=exited, status=0/SUCCESS)
Main PID: 558 (code=exited, status=0/SUCCESS)
Tasks: 2 (limit: 4817)
CPU: 2d 18h 8min 31.807s
CGroup: /system.slice/brute_force_blocking.service
├─1126 /usr/bin/bash /brute_force_blocking/brute_force_blocking
└─7073 sleep 10
Feb 04 11:17:36 eis64-3 initfile[14000]: connect: Connection refused
Feb 04 11:17:36 eis64-3 BFB[14067]: address 5.164.185.13 blocked after 3 attempt to abuse MAIL
Feb 04 11:18:08 eis64-3 initfile[26771]: connect: Connection refused
Feb 04 11:18:08 eis64-3 BFB[26837]: address 96.79.249.93 blocked after 3 attempt to abuse MAIL
Feb 04 11:31:10 eis64-3 initfile[9812]: connect: Connection refused
Feb 04 11:31:29 eis64-3 initfile[13318]: connect: Connection refused
Feb 04 11:31:48 eis64-3 initfile[17432]: connect: Connection refused
Feb 04 11:32:25 eis64-3 initfile[28020]: connect: Connection refused
Feb 04 11:39:53 eis64-3 initfile[16142]: connect: Connection refused
Feb 04 11:39:54 eis64-3 BFB[16208]: address 103.132.199.18 blocked after 122 attempt to abuse MAIL
How are these related? The server is getting increasingly sluggish.
Is there a way (other than secure passwords) to successfully fend off these attacks?
Regards
Rolf
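An added example, not code from the post or from the eisfair project: a small Python reader for the exim "authenticator failed" lines quoted above. It counts failures per source IP and per target login over constructed sample lines (RFC 5737 addresses, example.net logins) and flags a run in which most sources stay below a per-IP blocking threshold, which is what lets a campaign spread over thousands of addresses slip past a per-IP blocker like BFB. The threshold of 3 (taken from the "blocked after 3 attempt" log lines), the minimum of 5 sources and the 80% share are assumptions.

```python
"""Added example (not from the original post): parse exim 'authenticator
failed' lines and expose a distributed brute-force campaign as a whole."""
import re
from collections import Counter

# One exim mainlog authentication failure, as shown in the thread. The set_id
# value is kept verbatim ('root@example.net' or an archive's 'root at example.net').
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed "
    r"for .*?\[(?P<ip>[0-9a-fA-F.:]+)\]: 535 .*\(set_id=(?P<user>.+)\)$"
)

# Constructed sample (RFC 5737 addresses); one unrelated delivery line is
# included to show that non-matching lines are ignored.
SAMPLE_LOG = """\
2025-02-04 10:03:25 cram_server authenticator failed for ([203.0.113.10]) [203.0.113.10]: 535 Incorrect authentication data (set_id=root@example.net)
2025-02-04 10:03:25 cram_server authenticator failed for ([198.51.100.7]) [198.51.100.7]: 535 Incorrect authentication data (set_id=administrator@example.net)
2025-02-04 10:03:25 cram_server authenticator failed for (host.example.org) [192.0.2.44]: 535 Incorrect authentication data (set_id=usenet)
2025-02-04 10:03:26 cram_server authenticator failed for ([203.0.113.11]) [203.0.113.11]: 535 Incorrect authentication data (set_id=webmaster)
2025-02-04 10:03:26 1tfKxQ-0001Ab-2L <= sender@example.net H=mail.example.net [192.0.2.9] P=esmtps S=1234
2025-02-04 10:03:28 cram_server authenticator failed for ([203.0.113.13]) [203.0.113.13]: 535 Incorrect authentication data (set_id=postmaster)
2025-02-04 10:03:29 cram_server authenticator failed for ([198.51.100.200]) [198.51.100.200]: 535 Incorrect authentication data (set_id=root@example.net)
2025-02-04 10:03:30 cram_server authenticator failed for ([198.51.100.200]) [198.51.100.200]: 535 Incorrect authentication data (set_id=root@example.net)
2025-02-04 10:03:31 cram_server authenticator failed for ([198.51.100.200]) [198.51.100.200]: 535 Incorrect authentication data (set_id=root@example.net)
"""

def parse_auth_failures(lines):
    """Yield (timestamp, ip, user) for each matching line; skip the rest."""
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["user"]

def summarise(lines, per_ip_threshold=3, min_sources=5):
    """Count failures per source IP and per target login. A per-IP blocker
    (BFB acts after per_ip_threshold attempts) never reacts to sources that
    stay below that line, so the run is flagged 'distributed' when they
    dominate; the 80% share and min_sources are assumed cut-offs."""
    by_ip, by_user = Counter(), Counter()
    for _ts, ip, user in parse_auth_failures(lines):
        by_ip[ip] += 1
        by_user[user] += 1
    below = sum(1 for n in by_ip.values() if n < per_ip_threshold)
    share_below = below / len(by_ip) if by_ip else 0.0
    return {
        "total": sum(by_ip.values()),
        "distinct_ips": len(by_ip),
        "ips_below_threshold": below,
        "top_users": by_user.most_common(3),
        "distributed": len(by_ip) >= min_sources and share_below >= 0.8,
    }
```

As for the write error itself, `df -i` shows the inode usage of the tmpfs, which `df -h` does not; "No space left on device" is also raised when inodes run out while bytes are still free.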