Gossamer Forum

imap hacking?

Hi

I am getting the following on my server logs:
Quote:

Connections:
Service imap:
209.142.173.59: 2 Time(s)

What exactly does this mean? that someone is accessing my email?

Is there any way of stopping this, because I've several domains hosted on the same server; or is there a way of denying IPs from the server? Using CPanel & WHM.

Thanks in advance
Re: [Alba] imap hacking?
By the look of it this attempt was from the US.
(nice and quick lookup system here : http://www.formyip.com/ipcountry.php)

I was reading the other day that IMAP, like POP, has to be run as root on UNIX servers so is a prime target for hackers since if successful they can obtain superuser privileges.

I'm sure there is a way to have secure IMAP, I think it's like using SSH to tunnel the information through like with secure FTP using SSH? In my sister's uni they are going to stop people from using POP, telnet and IMAP and only allow secure POP, ssh and secure IMAP.

But as you say I think you can also set up restrictions in /etc/hosts.allow and /etc/hosts.deny and it would be better than using iptables. You can set up trusted servers and deny access to specific lists of IPs.

A simple example from a uni book:

In /etc/hosts.deny add the line

imapd: ALL

In /etc/hosts.allow add the pcs or domains that you want to permit access to your IMAP server:

imapd: your.pc.com
imapd: .yourisp.com

Hope this helps and I'm stretched to give more than this simplified explanation here!

John
Significant Media
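As an added illustration (not code from the thread, and not tcpd/libwrap itself), here is a small Python simulation of how TCP wrappers evaluates the two files John describes, with his exact rules as the constructed input; the client hostnames and addresses used in the comments and the `access_allowed` function are assumptions for the demo.

```python
# Added example, not from the forum post: a minimal model of how tcpd/libwrap
# consults /etc/hosts.allow and /etc/hosts.deny. Real libwrap supports more
# pattern forms (EXCEPT, KNOWN, PARANOID, netmasks, option fields); this only
# covers the forms used in the post above.

HOSTS_ALLOW = """
imapd: your.pc.com
imapd: .yourisp.com
"""
HOSTS_DENY = """
imapd: ALL
"""

def parse_rules(text):
    """Turn 'daemon_list: client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, host, addr):
    """Client-pattern forms: ALL, '.domain' suffix, 'a.b.' prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # Domain patterns need the client's reverse-DNS name; a connection
        # with no PTR record (host is None) can never satisfy them.
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)        # address prefix, e.g. '209.142.'
    return pattern == host or pattern == addr  # exact hostname or address

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, host, addr) for c in clients)

def access_allowed(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match wins, then hosts.deny, else access is granted."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny)):
        return False
    return True
```

Because the post's allow rules are hostname-based, they silently fail for any client without a matching reverse-DNS entry, so an address pattern (or an explicit `ALL` deny with address-based allows) is the more predictable way to lock a service to a known IP.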
Re: [Jag] imap hacking?
Thanks for confirming my suspicions.

I'm not totally sure how to do what you suggested. However, when looking to see how to follow your instructions, I found I could totally disable both IMAP and POP3. I've done that and routed all emails through an independent ISP.

Thanks for your advice.
Re: [Alba] imap hacking?
Having totally disabled IMAP and POP3 in CPanel/WHM, I find 2 incidences in the logs of people having logged on through secure IMAP.

Any thoughts?
Re: [Alba] imap hacking?
Have you tried looking into only allowing your own IP address to log on, as explained above? I think if you google on some of the terms like "/etc/hosts.deny" you should be able to find some kind person that explains how to do it. I'm sorry, I've never had those services running locally myself.
What about buying a firewall router?

Sorry can't help more.

John
Significant Media
Re: [Jag] imap hacking?
Thanks, I'm currently looking at what you suggested.
Re: [Alba] imap hacking?
Hi,

When you say logged in, you mean they have attempted to log in and been rejected since they didn't have valid usernames and passwords?

Otherwise I came across this yesterday and luckily bookmarked it.

http://www.linuxgazette.com/issue35/jao.html

This doesn't seem to be online any more and this is a Google cached page:

http://66.249.93.104/...amp;client=firefox-a

John
Significant Media
Re: [Jag] imap hacking?
Hi
Quote:

When you say logged in, you mean they have attempted to log in and been rejected since they didn't have valid usernames and passwords?

No, they aren't being rejected: This morning's log is:

Quote:

--------------------- Connections (secure-log) Begin ------------------------

Connections:
Service imap:
210.171.199.2: 2 Time(s)

Thanks for the link, I'll take a look. Also waiting on feedback from my webhost but... waiting is usually the correct term with them.
Re: [Alba] imap hacking?
It doesn't look like they are logging in, just attempting to. It's common to see login attempts with imap as well as pop3 and ftp. You only really need to take action if someone is persistently trying to log in. Of course it is still wise to only give certain usernames and/or IPs the authority to log in.

Last edited by Hargreaves: Oct 20, 2005, 9:31 AM
Re: [Hargreaves] imap hacking?
Eventually solved this issue. Nothing I did would stop IMAP listening on a port, so the web host shut it off completely in an area not accessible via CPanel.

Thanks for the help.