<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5HLVVHN" height="0" width="0" style="display:none;visibility:hidden">

Preventing Brute Force Mail Attacks With New PAM Module Extension

Mar 12, 2020 2:07:41 PM / by Greg Zemskov

brute-force

In version 4.5, Imunify360 introduced a new way to prevent brute-force attacks against mail accounts: a PAM module extension that integrates with cPanel to block attacks that target the Exim and Dovecot bundle.

Let’s explore the problems that this new PAM module extension solves, examine how it works, and learn how to use it.

What Are Brute Force Mail Attacks?

They’re launched when someone uses automated password-guessing software to try and force a login to a mail account. 

If the attacker can login to the server with valid IMAP/SMTP credentials, they’ll then use it to read incoming emails or send email spam via the user’s email account. 

For example, an attack could be launched using the smtp-brute script, via Nmap: 

nmap -p 25 --script smtp-brute <host>Then the user credentials for accounts with weak passwords are displayed in the script output:

PORT    STATE SERVICE REASON
25/tcp  open stmp    syn-ack
| smtp-brute:
|   Accounts
|     washington:james - Valid credentials
|     smith:sally - Valid credentials
|     jones:william - Valid credentials
|   Statistics
|_    Performed 1160 guesses in 41 seconds, average tps: 33 

What Problems Do They Present?

When a mail server is compromised and used to send spam, that server can be blacklisted, and have its IP address listed in anti-spam databases. 

Also, brute force SMTP attacks waste server resources: bandwidth, CPU, memory and free disk space. For example, SMTP logs may grow to enormous file sizes. 

How Does This Extension Solve Them?

While Linux’s standard Pluggable Authentication Modules provide developers with useful libraries for authentication, we at Imunify360 felt we should extend them to protect the common Exim + Dovecot mechanism for authentication of SMTP requests. 

We did this by creating a PAM module extension that counts the number of unsuccessful login attempts, identifies the targets as single- or multiple-user accounts, then considers the source of attacks to block them.

How Do You Enable It In Imunify360?

To enable this PAM module extension, just check the Exim+Dovecot brute-force attack protection checkbox in the Imunify360 configuration interface: 

pasted image 0 (3)-1

 

 

 

 

 

 

You can also enable it via CLI with the following command:

imunify360-agent config update '{"PAM.exim_dovecot_protection": {"enabled": true}}'

How Can You See The Results?

To see attacks that have been blocked by the PAM module extension, click the Incidents tab, and look for events labeled [Imunify PAM]

pasted image 0 (4)-1

 

Then look for these codes in the event description:

IM360_IPUL

The account has been locked for the attacker’s IP.
When single IP is attacking a specific mail account.

IM360_UL

The account has been temporarily locked.
When multiple IPs are attacking a single mail account.

IM360_RBL

The IP has been locked by the real-time blacklist.
When IP is listed in Real-time blacklist.

IM360_IPL

The IP has been locked.
When IP is spotted in multiple brute-force attacks against several servers.

 

Share Your Feedback

If you have any thoughts, comments, or impressions you’d like to share about our PAM module extension that works with cPanel to protect Exim + Dovecot, please send them to us at feedback@cloudlinux.com.

If you encounter any issues with the PAM module extension, you can get help from the Imunify Support Team at cloudlinux.zendesk.com.

 

Topics: Imunify360, Advice

Greg Zemskov

Written by Greg Zemskov

Imunify Security, Product Manager