Posting this here in the hopes that it helps someone else.
I was having an enormous problem with my mail server on a psa 7.5 system. Everything was up to date; however, my qmail processes would always basically bring the system to its knees.
I suspected that one of my users may have had their password stolen and thus outside spammers were hammering my server and causing the excess traffic. The problem is that the default logging by Plesk/qmail is piss poor: there is no way to tell WHO is logging into your mail server.
Here's a quick rundown of what I did. You'll need to have tcpdump installed on your server, and a copy of Ethereal on a workstation somewhere.
Step 1: capture a packet log of all traffic on port 25 with the following command as root (assuming your primary external Ethernet interface is eth0):
tcpdump -i eth0 -w packets.raw -s 2000 port 25
This will create a file 'packets.raw' in the current working directory. Let it run for about a minute, then kill it with Ctrl-C.
Next, sync the backup file over to your workstation via rsync over ssh or your preferred file transfer method, e.g.:
rsync -avz -e ssh user@your.server.com:/path/to/packets.raw .
will put the file in the current directory on your workstation. Then start up Ethereal like so:
ethereal packets.raw
If you run Ethereal as a non-root user it'll ask if you want to run the program unprivileged; that's fine, just run it unprivileged.
Next, sort the listing by protocol by clicking on the 'Protocol' header. You'll probably see 'SMTP' appear in most of the listings at the top.
Users who are logging in via SMTP will send a mail command along the lines of:
Command: AUTH CRAM-MD5
If you see any of those in Ethereal, you'll likely see a line directly below it which will read something like
Message Body
Just watch the source IP address to make sure it's coming from the same SMTP conversation. The content of that packet is going to be a base64-encoded string representing the login info. There is probably a way to do this natively in Ethereal but I couldn't find it, so I just found a base64 decoder on the web and fed it the string from the packet log. Once you do that, it'll output a username followed by a password hash.
And there you have it, there's the user name attempting to log into your server. If you see many occurrences for the same user, especially from different IPs, it's time to block that user and contact them about their account...
FWIW, in my case, it actually turned out NOT to be an exploited account, but rather the sheer volume of 'bounce' messages my server was sending out for requests to invalid email addresses. By changing my default policy on unknown accounts to 'reject', everything started working OK again.
Hope that helps somebody out there.
identifying who is logging into your SMTP server on psa
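The decode-by-hand step in the post above (find the AUTH command, base64-decode the client line that follows it) can be done against the whole capture at once. What follows is an added example, not code from the original post and not part of Plesk or qmail: a Python 3 script using only the standard library that reads the packets.raw file tcpdump writes, walks the port-25 TCP streams, and lists every AUTH attempt with the client IP, mechanism, username and whether the server answered 235 (accepted) or 535 (rejected), then groups the results per user so you can see which account is turning up from many addresses. It goes beyond the post in handling AUTH PLAIN and AUTH LOGIN as well as CRAM-MD5. Assumptions: a plain libpcap file (not pcapng) with Ethernet framing, unfragmented IPv4, and segments captured in order (payloads are concatenated per direction; there is no real TCP reassembly). The sample capture built at the bottom is constructed, with documentation addresses, a fake port-25 server and a made-up CRAM-MD5 digest.

```python
import base64, socket, struct
from collections import defaultdict

def pcap_packets(data):
    """Yield raw frames from libpcap bytes (either byte order; pcapng is not handled)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected a libpcap file with linktype 1 (Ethernet)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]  # upper bound drops Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[(tcp[12] >> 4) * 4:]

def _b64(s):
    """Lenient base64 -> text; junk such as the '*' cancel token decodes to ''."""
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8", "replace")
    except ValueError:
        return ""

def smtp_auth_attempts(pcap_bytes, smtp_port=25):
    """One record per AUTH command: client IP, mechanism, username and the server's 235/535
    reply (paired with AUTH commands in order). Payloads are joined in capture order only."""
    to_server, from_server = defaultdict(bytes), defaultdict(bytes)
    for src, dst, sport, dport, payload in filter(None, map(tcp_segment, pcap_packets(pcap_bytes))):
        if dport == smtp_port:
            to_server[(src, sport, dst)] += payload
        elif sport == smtp_port:
            from_server[(dst, dport, src)] += payload
    records = []
    for flow, data in to_server.items():
        replies = from_server[flow].decode("utf-8", "replace").split("\r\n")
        outcomes = iter(r[:3] for r in replies if r[:3] in ("235", "535"))
        it = iter(data.decode("utf-8", "replace").split("\r\n"))
        for line in it:                   # next(it, "") reads the following client line
            parts = line.split()
            if len(parts) < 2 or parts[0].upper() != "AUTH":
                continue
            mech, user = parts[1].upper(), None
            if mech == "PLAIN":           # base64(authzid NUL authcid NUL password)
                fields = _b64(parts[2] if len(parts) > 2 else next(it, "")).split("\0")
                user = fields[1] if len(fields) > 1 else None
            elif mech == "LOGIN":         # base64(user), then base64(password) on its own line
                user = _b64(parts[2] if len(parts) > 2 else next(it, "")) or None
                next(it, "")
            elif mech == "CRAM-MD5":      # answer to the 334 challenge: base64("user hexdigest")
                user = _b64(next(it, "")).split(" ")[0] or None
            records.append({"client": flow[0], "mech": mech, "user": user,
                            "result": next(outcomes, None)})
    return records

def summarize(records):
    """Per username: distinct client IPs plus accepted (235) / rejected (535) counts."""
    out = defaultdict(lambda: {"ips": set(), "ok": 0, "fail": 0})
    for r in (r for r in records if r["user"] is not None):
        out[r["user"]]["ips"].add(r["client"])
        if r["result"] in ("235", "535"):
            out[r["user"]]["ok" if r["result"] == "235" else "fail"] += 1
    return dict(out)

SERVER = "198.51.100.2"   # constructed sample below: documentation addresses, not real traffic
def build_pcap(script):
    """Little-endian libpcap, linktype 1; minimal Ethernet/IPv4/TCP frames, zero checksums."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, (client, cport, to_srv, text) in enumerate(script):
        src, dst, sport, dport = (client, SERVER, cport, 25) if to_srv else (SERVER, client, 25, cport)
        payload = (text + "\r\n").encode()
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """'alice' authenticating from three addresses via three mechanisms, one of them rejected."""
    b64 = lambda b: base64.b64encode(b).decode()
    return build_pcap([  # (client ip, client port, client->server?, line without CRLF)
        ("203.0.113.7", 40001, True, "AUTH CRAM-MD5"),
        ("203.0.113.7", 40001, False, "334 " + b64(b"<1896.697170952@mail.example>")),
        ("203.0.113.7", 40001, True, b64(b"alice 0123456789abcdef0123456789abcdef")),  # made-up digest
        ("203.0.113.7", 40001, False, "235 ok, go ahead"),
        ("203.0.113.8", 40002, True, "AUTH PLAIN " + b64(b"\0alice\0s3cret")),
        ("203.0.113.8", 40002, False, "235 ok, go ahead"),
        ("203.0.113.9", 40003, True, "AUTH LOGIN"),
        ("203.0.113.9", 40003, True, b64(b"alice")),
        ("203.0.113.9", 40003, True, b64(b"wrong")),
        ("203.0.113.9", 40003, False, "535 authentication failed"),
    ])
```

On a real box, feed smtp_auth_attempts() the bytes of packets.raw and print summarize() of the result: a user with a large "fail" count from many IPs is being brute-forced, a user with many "ok" logins from addresses that are not theirs has had the password stolen. Two caveats worth knowing before you keep such a capture around: with PLAIN and LOGIN the base64 blob is the password itself, not a hash, and the CRAM-MD5 "hash" in the post is an HMAC-MD5 of the password over the server's challenge, so anyone holding packets.raw can test password guesses against it offline. Delete the capture once you have the username, and remember the same holds for anyone else who can sniff that segment, which is the argument for STARTTLS on the submission port.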
- breun
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
If checking which IP addresses are connecting to your SMTP is enough, you could also just run something like this:
grep smtp /var/log/secure
But I'm glad you sorted it out. Bouncing seems like a very bad idea these days, too much spam with fake from headers.
Lemonbit Internet Dedicated Server Management
breun wrote:
> If checking which IP addresses are connecting to your SMTP is enough, you could also just run something like this:
> grep smtp /var/log/secure
No, that wasn't enough for me. I needed to know who (as in username/password combination) was logging in over SMTP. That was the only way for me to determine if a user's account had been exploited.
breun wrote:
> But I'm glad you sorted it out. Bouncing seems like a very bad idea these days, too much spam with fake from headers.
Seems that way, especially for a server with many domain names.