Someone is trying to hack in my mail server what can I do?
-
I have a mail server, and during the past 3 days I have been getting about 3 emails a day claiming someone at a changing IP is trying to get into my mail server; it shows me an IP address that changes with each hacking-attempt mail I get.
Sometimes the message will show me the e-mail account they are trying to get in with, and often they are old addresses from former employees.
On my mail server I lock out an IP after 5 bad password attempts. I am wondering if there is a solution on the firewall (pfSense) side before it hits my mail server. Often the IP addresses are US-based, where many of my users are, but not from their state.
I don't use Snort or any other blockers like this; should I be? Would these help? Any advice would be appreciated.
-
How are you locking out the bad IPs at the mail server?
I use a FreeBSD postfix/fail2ban VM in front of my mail server. It passes bad IPs back to pfSense, via OpenBGPD, for blocking at the firewall. It's not what OpenBGPD is really intended for, but it works very well.
Using postfix (not the "unofficial" pfSense package) has a lot of anti-spam benefits.
-
Hi what mail server do you use?
-
.... qmail?
OK, more seriously: securing a Postfix-based mail server is very well documented on the net.
Actually, "hacking" a mail server is a close-to-impossible thing. These days it's more a matter of "keep out the fake mails" with some mail server config settings.
To name one: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
-
@nambi said in Someone is trying to hack in my mail server what can I do?:
On my mail server I lock out an IP after 5 bad password attempts.
In our case, at my organization we will see attempts from around the world that send upwards of 5 user/pass combos a second for upwards of two days. After a couple of weeks of this we also went with the 5-try block method on our server some years back. That by itself slowed these activities way down.
I assume that as employees leave, their accounts are either forwarded and set with new passwords, or deleted altogether. Maybe they have equipment that is still trying without their knowledge, such as a smartphone, etc. Make sure your passwords are strong. Make sure your server is patched and up to date. Watch the logs carefully. It's not hard to see what kind of service the source addresses are coming from. Addresses primarily from cell carriers would say that people probably still have their accounts set up in their phones.
Don't lose too much sleep over these hacking attempts. If you have done your job they will move on to the next guy who has not.
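The "lock out after 5 bad attempts" behaviour described in this post and the fail2ban approach mentioned earlier in the thread boil down to the same thing: count authentication failures per source IP inside a time window, and ban the IP for a while once the count hits the threshold. The script below is an added example, not code from the original posts, the OP's NetWin server, or fail2ban itself. It runs fail2ban-style counting over constructed log lines (the format is loosely modelled on a Dovecot auth-failure line; the OP's server format is unknown and assumed), records which usernames each IP tried so that probes against old employee accounts stand out, and flags the case the lockout alone misses: an attacker that spaces its attempts so that it never reaches 5 failures inside the window. The thresholds (5 tries, 10-minute window, 1-hour ban) are assumptions chosen to match the 5-try rule in the thread.

```python
"""Fail2ban-style lockout over mail-server auth-failure log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real server. 203.0.113.5 hammers
# three accounts in ten seconds; 198.51.100.7 tries one account every 15 minutes.
SAMPLE_LOG = """\
2024-03-03T10:00:01 mx dovecot: imap-login: auth failed: user=<jsmith>, rip=203.0.113.5
2024-03-03T10:00:03 mx dovecot: imap-login: auth failed: user=<jsmith>, rip=203.0.113.5
2024-03-03T10:00:04 mx dovecot: imap-login: auth failed: user=<mjones>, rip=203.0.113.5
2024-03-03T10:00:06 mx dovecot: imap-login: auth failed: user=<mjones>, rip=203.0.113.5
2024-03-03T10:00:09 mx dovecot: imap-login: auth failed: user=<sales>, rip=203.0.113.5
2024-03-03T10:00:10 mx dovecot: imap-login: auth failed: user=<sales>, rip=203.0.113.5
2024-03-03T10:05:00 mx dovecot: imap-login: auth failed: user=<bob>, rip=198.51.100.7
2024-03-03T10:20:00 mx dovecot: imap-login: auth failed: user=<bob>, rip=198.51.100.7
2024-03-03T10:35:00 mx dovecot: imap-login: auth failed: user=<bob>, rip=198.51.100.7
2024-03-03T10:50:00 mx dovecot: imap-login: auth failed: user=<bob>, rip=198.51.100.7
2024-03-03T11:05:00 mx dovecot: imap-login: auth failed: user=<bob>, rip=198.51.100.7
"""

# timestamp, host, process, login service, then the failure fields we care about
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ \S+ auth failed: user=<(?P<user>[^>]*)>, rip=(?P<ip>[\d.]+)"
)

# Assumed thresholds: 5 failures within 10 minutes earns a 1-hour ban.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=1)


def parse(lines):
    """Yield (timestamp, username, source_ip) for every auth-failure line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def analyze(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log and return bans, usernames tried per IP, and failure counts."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    users = defaultdict(set)      # ip -> usernames that IP tried
    failures = defaultdict(int)   # ip -> failures that actually reached the server
    banned_until = {}             # ip -> ban expiry
    bans = []                     # (ip, banned_at, expires), in log order
    for ts, user, ip in parse(log_text.splitlines()):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # blocked at the firewall, so the server never sees this one
        users[ip].add(user)
        failures[ip] += 1
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures that aged out of the window
        if len(window) >= maxretry:
            expires = ts + bantime
            banned_until[ip] = expires
            bans.append((ip, ts, expires))
            window.clear()
    return {
        "bans": bans,
        "users": {ip: sorted(u) for ip, u in users.items()},
        "failures": dict(failures),
    }


def under_radar(report, minimum=3):
    """IPs that kept failing but never tripped the lockout: the slow guessers."""
    banned = {ip for ip, _, _ in report["bans"]}
    return sorted(ip for ip, n in report["failures"].items()
                  if n >= minimum and ip not in banned)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, at, until in report["bans"]:
        print(f"ban {ip} at {at} until {until}; accounts tried: {report['users'][ip]}")
    print("never locked out, still worth a look:", under_radar(report))
```

The fast attacker is banned on its fifth failure and its sixth attempt never reaches the server, which is the effect the thread describes. The slow one gets the same five failures in and is never banned, which is why the post's other advice (strong passwords, knowing which accounts exist, reading the logs) still matters after a lockout rule is in place.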
-
Thanks for all the replies. I was concerned about posting my mail server program because I didn't want to reveal too much info, which would possibly make me more vulnerable to attack.
I use the NetWin (netwinsite) product, which has been running well for us.
Right now traffic comes to my pfSense box and is routed through the ports to my mail server; I'm concerned my setup is vulnerable.
-
I take it the "3 emails a day" are being sent by your mail server software to alert you? If they are from random senders, I would consider those phishing emails.
Any mail server with ports open to the Internet is going to see a lot of attack attempts. If you have a lockout after 5 incorrect passwords they will likely give up and move on.
Suricata or Snort can try to block those attempts, yes. They can be set up so if an alert is triggered the IP is blocked for the desired amount of time.
Generally for in-office mail servers, we set our clients up with our spam filtering service, and in pfSense only allow connections on port 25 from the filtering service IPs. So the world cannot just connect to the mail server.