identifying who is logging into your SMTP server on psa
Posted: Wed Sep 13, 2006 12:47 pm
Posting this here in the hopes that it helps someone else.
I was having an enormous problem with my mail server on a psa 7.5 system. Everything was up to date, however my qmail processes would always basically bring the system to its knees.
I suspected that one of my users may have had their password stolen and thus outside spammers were hammering my server and causing the excess traffic. The problem is that the default logging by plesk/qmail is piss poor: there is no way to tell WHO is logging into your mail server.
Here's a quick run down of what I did. You'll need to have tcpdump installed on your server, and a copy of ethereal on a workstation somewhere.
Step 1: capture a packet log of all traffic on port 25 with the following command as root (assuming your primary external ethernet interface is eth0):
tcpdump -i eth0 -w packets.raw -s 2000 port 25
This will create a file 'packets.raw' in the current working directory. Let it run for about a minute, then kill it with control-c.
Next, sync the backup file over to your workstation via rsync over ssh or your preferred file transfer method, e.g.:
rsync -avz -e ssh user@your.server.com:/path/to/packets.raw .
will put the file in the current directory on your workstation. Then start up ethereal like so:
ethereal packets.raw
If you run ethereal as a non-root user it'll ask if you want to run the program unprivileged. That's fine, just run it unprivileged.
Next, sort the listing by protocol by clicking on the 'protocol' header. You'll probably see 'SMTP' appear in most of the listings at the top.
Users who are logging in via SMTP will send a mail command along the lines of:
Command: AUTH CRAM-MD5
If you see any of those in ethereal, you'll likely see a line directly below that which will read something like
Message Body
Just watch for the source IP address to make sure it's coming from the same SMTP conversation. The content of that packet is going to be a base64 encoded string representing the login info. There is probably a way to do this natively in ethereal but I couldn't find it, so I just found a base64 decoder on the web and fed it the string from the packet log. Once you do that, it'll output a username followed by a password hash.
And there you have it, there's the user name attempting to log into your server. If you see many occurrences for the same user, especially from different IPs, it's time to block that user and contact them about their account...
FWIW, in my case, it actually turned out NOT to be an exploited account, but rather the sheer volume of 'bounce' messages my server was sending out for requests to invalid email addresses. By changing my default policy on unknown accounts to 'reject', everything started working ok again.
Hope that helps somebody out there.
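Added example, not from the original post: a small Python script that does the base64 decoding step above for you over reassembled port-25 conversations and tallies which usernames authenticated from which client IPs. The sessions, IPs and account names below are constructed sample data; the reply format follows RFC 2195, where the "password hash" after the username is HMAC-MD5 of the server's challenge keyed with the password, so the username in front of it is the part that identifies the account.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed challenge in the RFC 2195 style, used only to build the sample traffic below.
CHALLENGE = b"<1896.697170952@postoffice.example.com>"

def cram_md5_response(username, password, challenge):
    """Client reply as RFC 2195 defines it: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def parse_cram_md5_login(response_b64):
    """Decode one captured client reply into (username, digest); None if it is not a CRAM-MD5 reply."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = decoded.rsplit(" ", 1)
    if len(parts) != 2 or len(parts[1]) != 32:  # hex MD5 digest is 32 characters
        return None
    return parts[0], parts[1]

def logins_by_user(sessions):
    """sessions: list of (client_ip, lines) for reassembled SMTP conversations.
    Returns {username: set_of_client_ips} for every CRAM-MD5 attempt found."""
    seen = defaultdict(set)
    for ip, lines in sessions:
        for i, line in enumerate(lines):
            # Expected order: client "AUTH CRAM-MD5", server "334 <challenge>", client "<reply>"
            if line.strip().upper() == "AUTH CRAM-MD5" and i + 2 < len(lines):
                login = parse_cram_md5_login(lines[i + 2].strip())
                if login:
                    seen[login[0]].add(ip)
    return dict(seen)

def _session(ip, user, password):
    """Build one constructed conversation; IPs come from the documentation ranges."""
    return (ip, ["EHLO client.example", "AUTH CRAM-MD5",
                 "334 " + base64.b64encode(CHALLENGE).decode(),
                 cram_md5_response(user, password, CHALLENGE), "235 ok, go ahead"])

SAMPLE_SESSIONS = [
    _session("203.0.113.5", "tim", "tanstaaftanstaaf"),
    _session("198.51.100.9", "tim", "wrong-guess"),   # same user, second source IP
    _session("192.0.2.44", "bob", "hunter2"),
    ("192.0.2.77", ["EHLO relay.example", "MAIL FROM:<a@example.net>"]),  # no login
]

if __name__ == "__main__":
    for user, ips in logins_by_user(SAMPLE_SESSIONS).items():
        print(f"{user}: {len(ips)} source IP(s) {sorted(ips)}")
```

A user showing up from several unrelated IPs in the output is the pattern the post describes as worth a closer look; the same function works on real conversations once you have exported them from ethereal as text.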