
On the number of attempts on brute-force login attacks

I would expect brute-force login attacks to be more common. Yes, at some point I got tired of SSH scans, added rate-limiting firewall rules, and even moved the daemon to a nonstandard port… But I have very seldom received an IMAP brute-force attack. I have received countless phishing scams against my users, and I know some of them have bitten, because the scammers then use the stolen passwords on my servers to send tons of spam. So this activity is clearly atypical.

Anyway, yesterday we got a brute-force attack on IMAP. A very childish attack, attempted from an IP in the largest ISP in Mexico, but using only usernames that would not belong in our culture (mostly English first names and some usual service account names).

What I find interesting to see is that each login was attempted a limited (and different) number of times: four account names were attempted only once, eight were attempted twice, and so on — following this pattern:

 1 •
 2 ••
 3 ••
 4 •••••
 5 •••••••
 6 ••••••
 7 •••••
 8 ••••••••
 9 •••••••••
10 ••••••••
11 ••••••••
12 ••••••••••
13 •••••••
14 ••••••••••
15 •••••••••
16 ••••••••••••
17 •••••••••••
18 ••••••••••••••
19 •••••••••••••••
20 ••••••••••••
21 ••••••••••••
22 ••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

(each dot represents four attempts)

So… What’s significant in all this? Very little, if anything at all. But for such a naïve login attack, it’s interesting to see that the number of attempted passwords per login varies so much. Yes, 273 account names (over ¼ of the total) got 22 requests each, and another 200 or so got 18 or more. The rest fell quite a bit shorter.

In case you want to play with the data, you can grab the list of attempts with the number of requests per account. I filtered out all other data, as it was basically meaningless. This file is the result of:

$ grep LOGIN /var/log/syslog.1 | grep 'FAILED.*201.163.94.42' | awk '{print $7 " " $8}' | sort | uniq -c
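For readers who want to reproduce the same analysis without a shell pipeline, here is an added Python example (not code from the post or from the attached logins.txt). It parses constructed syslog lines in a Courier/UW-IMAP-like "LOGIN FAILED, user=…, ip=[…]" shape, which is an assumption about the log format; the attacker IP 203.0.113.5 and the usernames are made up. It counts failed logins per username from one source IP, inverts that into "how many accounts were tried N times", summarizes the distribution the way the post does (total accounts, total attempts, share of accounts at the maximum), and renders the same dot pseudochart where each dot stands for a configurable number of accounts.

```python
import re
from collections import Counter

# Constructed syslog lines (not taken from the post's server). The source
# 198.51.100.7 is a decoy that the per-IP filter must leave out, and the
# plain "LOGIN," line is a successful login that must not be counted.
SAMPLE_SYSLOG = """\
Feb  7 10:01:02 mail imapd: LOGIN FAILED, user=john, ip=[203.0.113.5]
Feb  7 10:01:03 mail imapd: LOGIN FAILED, user=john, ip=[203.0.113.5]
Feb  7 10:01:04 mail imapd: LOGIN FAILED, user=mary, ip=[203.0.113.5]
Feb  7 10:01:05 mail imapd: LOGIN FAILED, user=admin, ip=[203.0.113.5]
Feb  7 10:01:06 mail imapd: LOGIN FAILED, user=admin, ip=[203.0.113.5]
Feb  7 10:01:07 mail imapd: LOGIN FAILED, user=admin, ip=[203.0.113.5]
Feb  7 10:01:08 mail imapd: LOGIN FAILED, user=test, ip=[203.0.113.5]
Feb  7 10:01:09 mail imapd: LOGIN FAILED, user=test, ip=[203.0.113.5]
Feb  7 10:01:10 mail imapd: LOGIN, user=alice, ip=[198.51.100.7]
Feb  7 10:01:11 mail imapd: LOGIN FAILED, user=bob, ip=[198.51.100.7]
"""

# Assumed log shape; adjust the pattern to the IMAP daemon actually in use.
LOGIN_FAILED_RE = re.compile(
    r"LOGIN FAILED, user=(?P<user>[^,\s]+), ip=\[(?P<ip>[^\]]+)\]"
)


def attempts_per_user(log_text, source_ip):
    """Count failed IMAP logins per username coming from source_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_FAILED_RE.search(line)
        if m and m.group("ip") == source_ip:
            counts[m.group("user")] += 1
    return counts


def accounts_by_attempt_count(per_user):
    """Invert the per-user counts: attempts -> number of accounts tried that often."""
    return Counter(per_user.values())


def summarize(histogram):
    """Totals plus the share of accounts that received the maximum number of tries."""
    total_accounts = sum(histogram.values())
    total_attempts = sum(n * c for n, c in histogram.items())
    top = max(histogram)
    return {
        "accounts": total_accounts,
        "attempts": total_attempts,
        "max_attempts": top,
        "share_at_max": histogram[top] / total_accounts,
    }


def render_chart(histogram, accounts_per_dot=4):
    """Render the post-style pseudochart: left column is the attempt count,
    each dot stands for accounts_per_dot accounts (rounded up)."""
    lines = []
    for n in sorted(histogram):
        dots = -(-histogram[n] // accounts_per_dot)  # ceiling division
        lines.append(f"{n:2d} {'•' * dots}")
    return "\n".join(lines)


if __name__ == "__main__":
    per_user = attempts_per_user(SAMPLE_SYSLOG, "203.0.113.5")
    hist = accounts_by_attempt_count(per_user)
    print(summarize(hist))
    # With only a handful of constructed accounts, one dot per account reads better.
    print(render_chart(hist, accounts_per_dot=1))
```

Run against a real syslog by replacing SAMPLE_SYSLOG with the file contents and passing the offending source address; the per-user Counter is the same data the grep/awk/uniq pipeline above produces, and the histogram is what the dots in the post summarize.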

Attachments

logins.txt (28 KB)

Comments

Craig 2015-02-08 15:34:27

Password scanning

I wonder if they’re trying to get email or just accounts using the idea that if a user uses a password for their mail account then it is the same for other more interesting things.

My IMAP accounts (on both my own server and my ISP) use different passwords for that reason; if they somehow guess one, it’s only that component that is lost.

I was a bit confused: before your chart you said “four account names were attempted only once, eight attempted twice”, so I assume that’s the 1 with the one dot and the 2 with the 2 dots (each dot being four accounts), but below it you say “each dot represents four attempts”. Isn’t the number on the left the attempt count?


gwolf 2015-02-09 09:32:00

Password scanning

From my limited experience, they are trying to access our webmail application to use it for sending spammy mail.

As for my pseudochart: The number on the left is the amount of attempts, and the bar length is (¼ of) the number of accounts that were attempted this amount of times.


Marcus 2016-03-10 02:28:00

issue of the day

I own several sites on the WordPress management system. For me, hacking and spamming have become a real problem. And all because I didn’t think about security. Now I’m gathering information. Thank you.


Timothy Henry 2015-02-17 01:18:00

It’s a serious issue for the

It’s a serious issue for security. Actually, being safe with our data and privacy is a must while working in a web environment.