Improving email security with an SPF record

Today, e-mail is a necessity for everyone who interacts with the internet, and even more so for those who work or run a business. E-mail has become as important as a telephone number because it is used every day to exchange messages. One thing that users who own their own domain must be aware of is the security gap that lets anyone send e-mail using the domain we manage; for example, I own the domain pnyet.web.id and you could send e-mail to anyone from the address [email protected]. Imagine receiving an invoice or a password change request from a partner's e-mail address that turns out to be fake.


WordPress 3.5.2 security update was released!

Today I got a notice from this blog about the WordPress security update. "This is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening." – wordpress.com


Getting brute force attacks on an email server

A beautiful morning was spoiled by an incident that disrupted the performance of the email server. My quiet morning was interrupted by a user shouting "Sir, why is the email server so slow?", and when I checked, logging in to the server was indeed very slow. After checking the connection and system resources, which were still normal, I looked at audit.log, the file that records user login activity. And sure enough, the server was slow because of a large number of login requests. From audit.log:

2010-05-24 09:26:28,374 WARN  [Pop3Server-1187] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, invalid password;
2010-05-24 09:26:36,595 WARN  [Pop3Server-1196] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:26:38,997 WARN  [Pop3Server-1198] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:26:42,487 WARN  [Pop3Server-1201] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:27:33,481 INFO  [Pop3Server-1253] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; error=account lockout due to too many failed logins;
2010-05-24 09:27:33,525 WARN  [Pop3Server-1253] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, invalid password;
2010-05-24 09:27:34,712 WARN  [Pop3Server-1254] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:28:18,536 WARN  [Pop3Server-1296] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:28:27,794 WARN  [Pop3Server-1305] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:29:00,790 WARN  [Pop3Server-1338] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:29:12,795 WARN  [Pop3Server-1349] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:30:55,621 WARN  [Pop3Server-1451] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:31:51,629 WARN  [Pop3Server-1502] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:32:23,616 WARN  [Pop3Server-1532] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:32:48,561 INFO  [Pop3Server-1556] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; error=account lockout due to too many failed logins;
2010-05-24 09:32:48,615 WARN  [Pop3Server-1556] [ip=71.249.235.39;] security - cmd=Auth; [email protected]; protocol=pop3; error=authentication failed for admin, invalid password;

I had actually limited the maximum number of failed logins, and when the limit is exceeded the username is blocked temporarily, but even while blocked the attacker kept going (typical bot). I posted this problem to the CentOS.org mailing list, and some members use fail2ban, sshdfilter, or iptables. The simplest of the three is filtering with iptables. It goes roughly like this:

iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --set --name POP
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name POP -j LOG --log-prefix 'POP3 attack: '
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name POP -j DROP

To this day I still use iptables as the filtering application for both intranet and internet firewalls, and I think iptables is reliable enough. How to secure an email server? How to prevent brute force attacks on an email server? The best thing to do is to check the logs diligently :)
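The log reading the post recommends can be automated. The following is an added example, not code from the original post: it parses audit.log lines in the shape quoted above and flags any source IP that produced three or more failed Auth events inside a 60-second window, the same thresholds the iptables rules use. The `account=<address>` field layout and the sample lines are constructed assumptions (the post's copy has the addresses redacted).

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape modelled on the post's audit.log excerpt. The account field is
# assumed to read "account=<address>;" and the error field may be absent
# (a successful Auth line carries no error).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+(?P<level>\w+)\s+"
    r"\[(?P<thread>[^\]]+)\]\s+\[ip=(?P<ip>[^;\]]+);\]\s+security - cmd=Auth;"
    r"(?:\s+account=(?P<account>[^;]+);)?"
    r"(?:.*?error=(?P<error>[^;]+);)?"
)
# Both "invalid password" and "account lockout" errors count as failures:
# the post shows the bot kept hammering locked accounts.
FAIL_PREFIXES = ("authentication failed", "account lockout")

def parse_line(line):
    """Return a dict of the Auth event fields, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def find_brute_force(lines, window_s=60, threshold=3):
    """Map each offending IP to its total failures, the largest number of
    failures seen in any window_s-second sliding window, and the accounts hit."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["error"] and ev["error"].startswith(FAIL_PREFIXES):
            failures[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for i, ev in enumerate(evs):
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1          # slide the window forward
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            alerts[ip] = {"failures": len(evs), "peak_burst": peak,
                          "accounts": sorted({e["account"] for e in evs if e["account"]})}
    return alerts

# Constructed sample: one bot-like source (198.51.100.7), one benign user.
SAMPLE_LOG = """\
2010-05-24 09:26:28,374 WARN  [Pop3Server-1187] [ip=198.51.100.7;] security - cmd=Auth; account=admin@example.invalid; protocol=pop3; error=authentication failed for admin, invalid password;
2010-05-24 09:26:36,595 WARN  [Pop3Server-1196] [ip=198.51.100.7;] security - cmd=Auth; account=postmaster@example.invalid; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:26:38,997 WARN  [Pop3Server-1198] [ip=198.51.100.7;] security - cmd=Auth; account=postmaster@example.invalid; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:27:33,481 INFO  [Pop3Server-1253] [ip=198.51.100.7;] security - cmd=Auth; account=admin@example.invalid; error=account lockout due to too many failed logins;
2010-05-24 09:40:01,000 WARN  [Pop3Server-1600] [ip=203.0.113.5;] security - cmd=Auth; account=bob@example.invalid; protocol=pop3; error=authentication failed for bob, invalid password;
2010-05-24 09:41:12,000 INFO  [Pop3Server-1601] [ip=203.0.113.5;] security - cmd=Auth; account=bob@example.invalid; protocol=pop3;
"""

if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run against a real audit.log with `find_brute_force(open(path).read().splitlines())`; the single benign failure from 203.0.113.5 never reaches the threshold, so only the bursting source is reported.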

References:
CentOS.org mailing list