Preventing Brute Force Mail Attacks With New PAM Module Extension

In version 4.5, Imunify360 introduced a new way to prevent brute-force attacks against mail accounts: a PAM module extension that integrates with cPanel to block attacks that target the Exim and Dovecot bundle.

Let’s explore the problems that this new PAM module extension solves, examine how it works, and learn how to use it.

What Are Brute Force Mail Attacks?

A brute-force mail attack is one in which an attacker uses automated password-guessing software to force a login to a mail account.

If the attacker manages to log in to the server with valid IMAP/SMTP credentials, they then use those credentials to read the user's incoming email or to send spam through the user's account.

For example, an attack could be launched using the smtp-brute script via Nmap:

[Screenshot 1: Nmap smtp-brute script]

The credentials of accounts with weak passwords are then displayed in the script output:

[Screenshot 2: smtp-brute script output]

What Problems Do They Present?

When a mail server is compromised and used to send spam, its IP address can end up on anti-spam blacklists, so the server itself becomes blacklisted.

Brute-force SMTP attacks also waste server resources: bandwidth, CPU, memory and disk space. SMTP logs, for example, can grow to enormous sizes.

How Does This Extension Solve Them?

Linux's standard Pluggable Authentication Modules (PAM) give developers useful libraries for authentication, but we at Imunify360 felt they should be extended to protect the common Exim + Dovecot mechanism for authenticating SMTP requests.

We did this by creating a PAM module extension that counts unsuccessful login attempts, determines whether the attempts target a single account or multiple accounts, and then takes the source of the attempts into account to decide what to block.

How Do You Enable It In Imunify360?

To enable this PAM module extension, check the Exim+Dovecot brute-force attack protection checkbox in the Imunify360 configuration interface:

[Screenshot: Imunify360 configuration interface with the Exim+Dovecot brute-force attack protection checkbox]
You can also enable it via the CLI with the following command:

[Screenshot 3: enabling the protection via the Imunify360 CLI]

How Can You See The Results?

To see attacks that have been blocked by the PAM module extension, open the Incidents tab and look for events labeled [Imunify PAM].

[Screenshot: Incidents tab showing [Imunify PAM] events]
Then look for these codes in the event description:

IM360_IPUL
The account has been locked for the attacker's IP. Raised when a single IP is attacking a specific mail account.

IM360_UL
The account has been temporarily locked. Raised when multiple IPs are attacking a single mail account.

IM360_RBL
The IP has been locked by the real-time blacklist. Raised when the IP is listed in a real-time blacklist.

IM360_IPL
The IP has been locked. Raised when the IP is spotted in multiple brute-force attacks against several servers.

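As an added illustration of the decision logic described above (count failures, tell single-source from multi-source attacks, then consider the source), the following sketch maps failed logins onto the four lock codes. It is not Imunify360's code, which this post does not publish; the thresholds, IP addresses, account names and server names are constructed assumptions.

```python
from collections import defaultdict

# Illustrative thresholds: constructed assumptions for this demo, not Imunify360's tuning.
PER_IP_LIMIT = 5        # failures from one IP against one account -> IM360_IPUL
MULTI_IP_LIMIT = 3      # distinct IPs failing against one account -> IM360_UL
MULTI_SERVER_LIMIT = 2  # servers on which one IP has been seen    -> IM360_IPL

class BruteForceTracker:
    """Counts failed logins and maps them onto the four [Imunify PAM] lock codes."""

    def __init__(self, rbl):
        self.rbl = set(rbl)                 # IPs on the real-time blacklist
        self.fails = defaultdict(int)       # (ip, account) -> failure count
        self.sources = defaultdict(set)     # account -> IPs that failed against it
        self.servers = defaultdict(set)     # ip -> servers it has attacked

    def classify(self, ip, account, server):
        """Record one failed login and return the lock code it triggers, or None."""
        if ip in self.rbl:                                 # listed source: lock immediately
            return "IM360_RBL"
        self.fails[(ip, account)] += 1
        self.sources[account].add(ip)
        self.servers[ip].add(server)
        if len(self.servers[ip]) >= MULTI_SERVER_LIMIT:    # one IP, several servers
            return "IM360_IPL"
        if len(self.sources[account]) >= MULTI_IP_LIMIT:   # many IPs, one account
            return "IM360_UL"
        if self.fails[(ip, account)] >= PER_IP_LIMIT:      # one IP, one account
            return "IM360_IPUL"
        return None

def replay(events, rbl):
    # Feed (ip, account, server) failures in order; collect every lock decision.
    tracker = BruteForceTracker(rbl)
    decisions = []
    for ip, account, server in events:
        code = tracker.classify(ip, account, server)
        if code:
            decisions.append((ip, account, code))
    return decisions

# Constructed sample data: documentation IP ranges, fictitious accounts and servers.
SAMPLE_RBL = {"192.0.2.50"}
SAMPLE_EVENTS = (
    [("203.0.113.10", "alice@example.com", "mx1")] * 5                    # one IP, one account
    + [(f"198.51.100.{n}", "bob@example.com", "mx1") for n in (1, 2, 3)]  # three IPs, one account
    + [("192.0.2.50", "alice@example.com", "mx1")]                        # RBL-listed source
    + [("203.0.113.77", "carol@example.com", "mx1"), ("203.0.113.77", "dave@example.com", "mx2")]  # one IP, two servers
)
```

Running `replay(SAMPLE_EVENTS, SAMPLE_RBL)` yields one decision per scenario, in the order IM360_IPUL, IM360_UL, IM360_RBL, IM360_IPL.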
Share Your Feedback

If you have any thoughts, comments, or impressions you’d like to share about our PAM module extension that works with cPanel to protect Exim + Dovecot, please send them to us at feedback@cloudlinux.com.

If you encounter any issues with the PAM module extension, you can get help from the Imunify Support Team at cloudlinux.zendesk.com.
