The first attack case

A few hours ago I received an e-mail from my VPS provider telling me that my server was under attack. As you can see, there is nothing of value on this server, so I just checked some logs (below). Interesting: this is a typical brute force, someone is trying mailbox names against the POP3 port of my server. They cannot benefit from it, since I have not even configured any usernames, but this kind of activity made the provider unhappy, so they warned me and gave me a deadline to fix the issue. Otherwise they will lock my server and possibly reinstall it (deleting all data). So I have to do something.

First, from the log I noticed that POP3 (mailbox retrieval, served here by Dovecot; it is a separate protocol from SMTP, which delivers mail) is enabled on the server, although I never use it. It must be a leftover from some test configuration I have forgotten about. So, first of all, I simply disable the mail service.

Mar 14 15:51:28 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<tyhiDg+EGMpV1jSL>
Mar 14 15:51:37 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<+8+/Dg+EnstV1jSL>
Mar 14 15:51:51 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 12 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<TyBJDw+Eis5V1jSL>
Mar 14 15:52:12 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<3v4dEA+ECtNV1jSL>
Mar 14 15:52:33 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<9uBcEQ+EBNpV1jSL>
Mar 14 15:52:54 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<ER+eEg+EmuFV1jSL>
Mar 14 15:53:14 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<PqjdEw+EyOdV1jSL>
Mar 14 15:53:35 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<u6YOFQ+EPIBV1jSL>
Mar 14 15:53:56 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<Y8FSFg+EioVV1jSL>
Mar 14 15:54:17 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<7M+PFw+E7opV1jSL>
Mar 14 15:54:38 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<fkDQGA+EQpFV1jSL>
Mar 14 15:54:59 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<pZETGg+EhJdV1jSL>
Mar 14 15:55:21 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 20 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<BMdVGw+E4JxV1jSL>
Mar 14 15:55:42 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<1CSgHA+EnKVV1jSL>
Mar 14 15:56:03 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<ZznjHQ+EfqxV1jSL>
Mar 14 15:56:24 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<jlAkHw+E9rJV1jSL>
Mar 14 15:56:45 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<D0RmIA+EMLlV1jSL>
Mar 14 15:57:06 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<mFWmIQ+Epr5V1jSL>
Mar 14 15:57:27 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<0SbiIg+EtMRV1jSL>
Mar 14 15:57:48 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<postmaster@zaunwerk.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<xrslJA+EnMxV1jSL>
Mar 14 15:57:49 www dovecot: pop3-login: access(tcpwrap): Client refused (rip=85.214.52.139)
Mar 15 04:20:30 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<ZfgrhRmElpBV1jSL>
Mar 15 04:20:40 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 8 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<8iqDhRmEApNV1jSL>
Mar 15 04:20:54 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 12 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<pXUXhhmEZpVV1jSL>
Mar 15 04:21:15 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<wp/thhmEkJlV1jSL>
Mar 15 04:21:36 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<YQEviBmEvJ9V1jSL>
Mar 15 04:21:57 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<Lv9riRmELKVV1jSL>
Mar 15 04:22:17 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<0WKsihmEeqtV1jSL>
Mar 15 04:22:38 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<DtveixmE2LBV1jSL>
Mar 15 04:22:59 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<spgejRmENrZV1jSL>
Mar 15 04:23:20 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<Qy5fjhmE7rxV1jSL>
Mar 15 04:23:40 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<bpKgjxmEdsRV1jSL>
Mar 15 04:24:01 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<5/HVkBmE7slV1jSL>
Mar 15 04:24:22 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<tsURkhmEnNBV1jSL>
Mar 15 04:24:43 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<3jRTkxmEbtZV1jSL>
Mar 15 04:25:04 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<h/CXlBmETtxV1jSL>
Mar 15 04:25:25 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<MU/YlRmENuNV1jSL>
Mar 15 04:25:46 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<deoRlxmEmulV1jSL>
Mar 15 04:26:07 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<7XZWmBmEJIJV1jSL>
Mar 15 04:26:28 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<UMuXmRmEHIlV1jSL>
Mar 15 04:26:49 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@car-selection.at>, method=PLAIN, rip=85.214.52.139, lip=192.168.96.11, session=<2r3YmhmEdJFV1jSL>
Mar 15 04:26:50 www dovecot: pop3-login: access(tcpwrap): Client refused (rip=85.214.52.139)

Then, the domains used, @zaunwerk.at and @car-selection.at, both resolve to one IP, 217.74.13.226, which is hosted by https://www.rundrweb.com/. Maybe the attacker obtained some information from that provider and is trying to gain more data. Note, however, that the login attempts in the log all come from rip=85.214.52.139; 217.74.13.226 is only where the probed mailbox domains are hosted, and dropping it would not stop the client that is actually connecting. The final line of each burst, access(tcpwrap): Client refused, shows Dovecot's TCP-wrapper check already rejecting this client after 20 attempts, so a host-based deny list was reacting, but only after the attempts had reached the login process. The practical step is to block the source address that appears in the log at the firewall, so the connections never reach Dovecot:

sudo iptables -A INPUT -s 85.214.52.139 -j DROP

And done. (The rule lives only in the running kernel; save it, for example with iptables-save, or re-apply it at boot, otherwise it is gone after a restart.)
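To make the "which address do I block" step repeatable, here is an added shell example (not from the original post) that extracts the remote IP from Dovecot "auth failed" lines, counts failures per source, and renders the corresponding iptables DROP rules without executing them. The log entries in SAMPLE_LOG are constructed for this example in the same format as the real ones above, using documentation IP ranges; the threshold value and the function names are this example's choices.

```shell
#!/bin/sh
# Added example: find brute-force sources in a Dovecot log and render the
# matching iptables DROP rules. Not part of the original post.
# SAMPLE_LOG is constructed: same format as real Dovecot pop3-login entries,
# with RFC 5737 documentation addresses instead of real ones.

SAMPLE_LOG='Mar 14 15:51:28 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<postmaster@example.test>, method=PLAIN, rip=192.0.2.10, lip=192.168.96.11, session=<a1>
Mar 14 15:51:37 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<postmaster@example.test>, method=PLAIN, rip=192.0.2.10, lip=192.168.96.11, session=<a2>
Mar 14 15:51:51 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 12 secs): user=<test@example.test>, method=PLAIN, rip=192.0.2.10, lip=192.168.96.11, session=<a3>
Mar 14 15:52:12 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 19 secs): user=<test@example.test>, method=PLAIN, rip=192.0.2.10, lip=192.168.96.11, session=<a4>
Mar 14 15:52:13 www dovecot: pop3-login: access(tcpwrap): Client refused (rip=192.0.2.10)
Mar 14 16:10:02 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<alice@example.test>, method=PLAIN, rip=198.51.100.7, lip=192.168.96.11, session=<b1>
Mar 14 16:20:45 www dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.168.96.11, mpid=1234, TLS, session=<c1>'

# Read a Dovecot log on stdin and print "<count> <ip>" for every remote IP
# (the rip= field, not the probed domain's address) with at least $1 failed
# logins, most active first. Only "Aborted login (auth failed" lines count;
# successful logins and the tcpwrap refusals are ignored.
# The rip pattern is IPv4 only; widen the character class for IPv6 clients.
brute_force_sources() {
    threshold="$1"
    grep 'login: Aborted login (auth failed' \
      | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Render one DROP rule per offending IP. The rules are printed, not applied,
# so they can be reviewed before being fed to a root shell.
drop_rules() {
    threshold="$1"
    brute_force_sources "$threshold" \
      | awk '{ printf "iptables -A INPUT -s %s -j DROP\n", $2 }'
}

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
# On a real server (path and threshold are site-specific):
#   drop_rules 10 < /var/log/mail.log | sudo sh
```

The threshold keeps a single mistyped password from getting a legitimate user firewalled; pick it from the observed burst size (20 attempts per user in the log above) rather than from a guess. Reviewing the printed rules before piping them to a root shell is deliberate, because a DROP rule on the wrong address, such as the hosting IP of a probed domain, blocks nothing useful and may cut off a real peer.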

One more thing. My server is actually always under attack. The attackers come from different IPs and ports and try to get root access. ...so... I should make root read-only. But that is future work.
