Getting attacks all the time..

Hi Forum,

I found out that my Sophos cluster is permanently attacked by some host.

I got these entries in the user authentication daemon log:

2015:03:11-14:52:10 vpn-1 aua[3504]: id="3006" severity="info" sys="System" sub="auth" name="Child 21427 is running too long. Terminating child"
2015:03:11-14:52:10 vpn-1 aua[23955]: id="3006" severity="info" sys="System" sub="auth" name="Trying XX.XX.XX.XX (adirectory)"
2015:03:11-14:52:11 vpn-1 aua[23955]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="106.187.98.143" host="" user="linux" caller="smtp" reason="DENIED"

I XX-ed out my internal IP address...

Exactly every 8 minutes I get this entry, for weeks now (with a different user entry)...

Password guessing is on but it seems it did not work well. I also put the IP on the blacklist in the SMTP proxy, but the entries keep coming...

What can I do to get these attacks dropped?

Update:

Got it fixed. I activated the facility "SMTP-Proxy" in the Block Password Guessing module and now the IP is blocked for some time :-)

Too many failed logins from 106.187.98.143 for facility smtp.
Further logins will be blocked for 3600 seconds.

Sophos Cluster
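As an added example (not from the original post and not Sophos code), a small Python script that parses aua log lines in the format quoted above and flags any source IP that repeatedly fails authentication against one facility, the same srcip-plus-facility pairing the "Too many failed logins" message reports. The sample lines, the 192.0.2.10 "portal" entry and the 3-failures-in-30-minutes threshold are constructed assumptions, not the UTM's own settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the UTM aua log format quoted above; the
# 192.0.2.10 / "portal" line is invented to show a non-offending source.
SAMPLE_LOG = """\
2015:03:11-14:52:10 vpn-1 aua[23955]: id="3006" severity="info" sys="System" sub="auth" name="Trying XX.XX.XX.XX (adirectory)"
2015:03:11-14:52:11 vpn-1 aua[23955]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="106.187.98.143" host="" user="linux" caller="smtp" reason="DENIED"
2015:03:11-15:00:11 vpn-1 aua[23970]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="106.187.98.143" host="" user="admin" caller="smtp" reason="DENIED"
2015:03:11-15:08:11 vpn-1 aua[23990]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="106.187.98.143" host="" user="test" caller="smtp" reason="DENIED"
2015:03:11-15:09:00 vpn-1 aua[24001]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.10" host="" user="bob" caller="portal" reason="DENIED"
"""

# Line shape: <timestamp> <hostname> aua[<pid>]: key="value" key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ aua\[\d+\]: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return (timestamp, {field: value}) for an aua line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
    return ts, dict(KV_RE.findall(m.group("kv")))


def failed_login_offenders(log_text, threshold=3, window_minutes=30):
    """Group id=3005/DENIED events by (srcip, facility) and flag any pair with
    at least `threshold` failures inside a sliding window.  The threshold and
    window are assumed values for this example, not the UTM's own settings."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("id") == "3005" and f.get("reason") == "DENIED":
            events[(f["srcip"], f["caller"])].append(ts)
    offenders = {}
    for key, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            hits = sum(1 for t in times[i:] if t - start <= window)
            if hits >= threshold:
                offenders[key] = hits
                break
    return offenders
```

Running it over the sample returns the 106.187.98.143/smtp pair with three failures, which is the slow every-8-minutes pattern the post describes, while the single portal failure is ignored.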


  • Hi Zaphod

    Thank you for your post.

    I have this problem too. I have created a firewall rule to block the attacker IP address, but that did not work.

    Could you please show me how you did it?

    Regards,
  • To block all access from a source IP, you need to use a DNAT rule.   Read the Wiki articles, which help to explain that all of the packet processing systems are mutually exclusive, and the firewall rules only activate when no other proxy is activated instead.   The articles also provide some direction on creating DNAT rules.   You might also want to find the article "How to: understand UTM port usage", which also has some notes and pointers about DNAT rules.

    But as Bob said, the best approach is to disable features you do not need.   To my mind, there is no reason to enable SMTP authenticated access on UTM.   This mode should only be enabled on a mail post office server.


  • Thank you guys for your replies.

    Basically, we have an Exchange server. I asked the engineer who used to handle the network before me about the SMTP proxy. He told me that it is required to perform email filtering.

    Is that really the purpose of it? If so, can I blacklist the attacker IP addresses from there?

    Thanks

  • As Doug said, you do not want to have the SMTP Proxy configured as was done before you arrived.  People should be authenticating directly against Exchange, not the SMTP Proxy - you should disable 'Authenticated Relay' on the 'Relaying' tab.  Start with Basic Exchange setup with SMTP Proxy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just to let you know, there's an SNAT configuration enabled too for the Exchange.

    Now I have a question:

    - If I disable the SMTP proxy, will I be able to keep using the Sophos email protection features, like the Mail Manager for instance, which gives me good visibility of the emails passing through the UTM?

    Thanks,

  • Sounds like you are confusing several issues.  You do not need to disable SMTP proxy.

    Standard email server configuration:

    • Inbound mail is accepted without authentication, from any source using SMTP on port 25
    • Outbound mail is accepted from mail clients, with authentication (login), using SMTP and possibly MAPI, ActiveSync, or EWS on port 25, 465, or 587.
      For trusted devices that cannot authenticate, most systems have an option for allowing outbound mail based on source IP address.

    Your UTM is not a mail server, so it should never accept authenticated SMTP.   Consequently, this option should be:

    Email Protection... SMTP...  Relaying (tab)...  Authenticated Relay (section)... Allow Authenticated Relay (Should be UNCHECKED)  

    SMTP Proxy configuration:  I recommend normal mode, not transparent, so these notes assume that choice.

    1) Your mail servers should be configured to send all outbound through UTM.   This is needed to use Outbound UTM protections including DLP, SPX, and antivirus scanning.

    On the mail server(s), this might be called several things, including a Smart Host relay, an Outbound Gateway,  or a static route.   

    On UTM, you need to tell UTM to accept outbound mail from those servers.   You create HOST or DNS HOST objects and add them into the "Host-Based Relay" list, which is also on the Relaying tab.

    2) Your mail servers should be configured to receive all inbound mail from UTM.   This is needed for Inbound UTM protections including SPF, RBLs, and Antivirus scanning.

    In DNS, the MX record for your domain(s) should point to a UTM internet address.

    In UTM, the SMTP Profile(s) define which mail domains you accept for incoming mail.

    Also in UTM, on the Routing section, you specify the appropriate HOST or DNS HOST object for the mail server(s) associated with each domain.   This is where UTM will forward incoming mail.

    3) You should configure a WAF site for remote access to your webmail interface. 

    If you have Exchange, the KB has detailed instructions.   If you have something else, it is probably easier.   I recommend allowing only webmail and ActiveSync, while blocking IMAP, POP, and Outlook Anywhere (if that is politically viable in your organization).   I do not recommend configuring Autodiscover.   Your staff should be able to follow manual setup instructions, and the bad guys should not be given an "Attack Me Here" announcement.

    4) If you must allow some other ports:

    POP is outdated and I am not sure that it supports newer encryption protocols.   But if you must use it, you can probably use the POP proxy even for remote access to an internal server.   I have used the POP proxy for remote access to a hosted mail system.   

    Any remote use of IMAP or POP will require the mail server(s) to have their own internet address based on a NAT rule, plus firewall rules to allow the appropriate ports for IMAP+SMTP or POP+SMTP.

  • As I said above, start with Basic Exchange setup with SMTP Proxy.

    Do you have colleagues that work from outside the office?  If so, there are better solutions than activating 'Authenticated Relay' on the 'Relaying' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA