Absent Member.

GW2014 ESMTP Login Attempts

Hi!

We have a pretty annoying problem.
Someone from the outside is trying to get into our GroupWise system via "SMTP AUTH" (ESMTP protocol), sometimes with up to 10 login attempts per second.

General information:
SLES 11.2 Xen 4.1.2_14-0.5.5 Virtual Machine
Novell SLES 11.3
Novell OES 11.2
Novell Groupwise 2014 14.0.1-117118


By looking in the GWIA log (/var/log/novell/groupwise/gwia.'DOM') we can see that someone has been trying for hours to get into our system:
2EDF DMN: MSG 103554 Inbound AUTH failure (D019)


and if they try a username that exists in our system, we can see those attempts in the POA log as well (/var/log/novell/groupwise/'POA'.poa):
7C4E C/S Login Linux ::GW Id='UID' :: 'Server address'


We first noticed this problem because there were so many login attempts and open ESMTP sessions which led to a server crash.

A delay after X attempts would be pretty neat, like there is for logins via GW clients or in other mail systems. If there were a possibility to ban a user after 3 or 5 attempts for 30 minutes or so, that would help us a lot. But this user should only be banned from logging in via "SMTP AUTH"; otherwise these outside login attempts would block our own users from using their GroupWise clients.
In other mail systems there is an option to turn off "SMTP AUTH" in general.

We know that with third-party products like GWAVA you can configure delays after a certain number of login attempts and even block these attempts completely, but there should be an option in GroupWise, right?

For a while we were banning the IPs in our firewall manually, but there are over 500 banned IPs right now and we are getting tired of it.

Is this a bug in Novell GroupWise, did we forget about something, or is such an option not available in GroupWise 2014?


Greetings from Austria
5 Replies
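The lockout the post asks for (ban a source after a handful of SMTP AUTH failures for about 30 minutes, without touching GroupWise client logins), sketched as an added Python example that is not part of the thread or of GroupWise. It assumes each failure can be paired with the client IP; the quoted GWIA line carries none, so that would come from a front-end MTA or firewall log as the replies suggest.

```python
# Added example, not GroupWise code: fail2ban-style SMTP AUTH lockout keyed on
# source IP. Assumes each failure arrives with a client IP (e.g. from a front-end MTA or firewall log).
from collections import defaultdict, deque

MAX_FAILURES = 5        # ban after this many failures ...
WINDOW_SECONDS = 60     # ... within this sliding window (seconds)
BAN_SECONDS = 30 * 60   # ban length the post asks for: 30 minutes

class AuthLockout:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_failures, self.window, self.ban = max_failures, window, ban
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)     # no ban, or it has expired
        return False

    def record_failure(self, ip, now):
        """Register one AUTH failure; return True if the IP is (now) banned."""
        if self.is_banned(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)         # a good login resets the counter

def replay(events):  # events: (timestamp, ip, succeeded); returns ip -> ban expiry
    policy = AuthLockout()
    for ts, ip, ok in events:
        if ok:
            policy.record_success(ip)
        else:
            policy.record_failure(ip, ts)
    return dict(policy.banned_until)

# Constructed sample: one host at 10 AUTH attempts/sec (as in the post), one user with a typo.
SAMPLE_EVENTS = [(0.1 * i, "203.0.113.10", False) for i in range(12)] + [
    (5.0, "198.51.100.7", False), (9.0, "198.51.100.7", True)]
```

Only the SMTP AUTH path feeds this state, so a flood from outside can never lock out a legitimate GroupWise client user.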
Micro Focus Expert

Re: GW2014 ESMTP Login Attempts

Hi,

I'm not sure if this is of help, or even relevant to your situation, but perhaps you want to take a look at the --disallowauthrelay switch on your GWIA.

Documentation here: http://www.novell.com/documentation/groupwise2014/gw2014_guide_admin/data/adm_gwia_switches_smtp_mime.html#blrvghk

This switch isn't going to stop the brute force attack, but my understanding is that even if you get an account compromised, the spammer still can't relay off your system.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Absent Member.

Re: GW2014 ESMTP Login Attempts

Hey Laura!

Thanks for your response.

We already took a look at this option and it helped with that problem, but as you already said, the brute force attacks still happen.


Regards,
Daniel
Outstanding Contributor.

Re: GW2014 ESMTP Login Attempts

The only real way to mitigate this is to contract an external company to do content (spam) and antivirus filtering of your email and then provide you with the clean feed. You can then restrict SMTP inbound to that company's IP address ranges and let them deal with it.

M
Micro Focus Expert

Re: GW2014 ESMTP Login Attempts

Hi Daniel

As Mark says... the only real way of getting around brute-force attacks directly on your GWIA is to have something or somebody sitting between the Internet and your GroupWise system. You could outsource that to a provider or set up a simple Linux-based Postfix or Exim server to act as your Internet-facing SMTP system, preferably in your DMZ. That way your GroupWise system is protected and won't fall over. I'm not sure what else to suggest.

Let us know what you decide to do.

Cheers,
Laura Buckley

Absent Member.

Re: GW2014 ESMTP Login Attempts

Hi!

Just a little heads up.

We found some helpful configurations on our firewall, but I'm not 100% sure whether it works permanently because it doesn't write to the logs.
If it doesn't help, we will add GWAVA to our system.


Cheers,
Daniel