Intruders enter through available doors. The more doors you have the more cautious you need to be to ensure no one can steal the identities of your users. In technical terms, these doors are analogous to servers listening for clients to connect. A typical email server has at least 3 doors: SMTP, IMAP, and POP3. This blog discusses steps every administrator needs to take to ensure your server is not vulnerable to hackers looking to steal passwords.
The two most common ways to steal passwords are:
The most effective way of preventing a dictionary attack is to close unnecessary doors. In other words, disable features you don't need in your server. One such "door" is SMTP Authentication.
Authentication in an SMTP server is only required if in-house users send outbound messages through this SMTP server. In other words, it is not required when:
Therefore, disabling Smtp Authentication when no one is using it will simply close an available door that could have otherwise be exploited.
echo "EHLO host.example.com QUIT" | nc $1 $2Save the above script to a file called checkSmtp.sh and change its permissions to executable using the following command:
chmod +x checkSmtp.shThis script takes two parameters: host name and port. The following command shows an example of how to run the script:
./checkSmtp.sh mail.yourCompany.com 25Below is a screenshot showing the results of this command when ran against an SMTP server that accepts authentication.
Notice the line that says:
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM
The existence of this line confirms authentication is enabled on the SMTP server.
Unfortunately, disabling authentication during IMAP/POP3 communication is not possible. Therefore, the only way to prevent a dictionary attack for IMAP/POP3 is to proactively detect invalid password attempts from repeated IP addresses and block them.
Performing a dictionary attack manually is not practical. Therefore, there is a very good chance a computer program on the other end is sending thousands of authentication requests within a short period of time. In such cases, configure your email server to block the IP address if more than a predefined number of attempts are made within a few minutes.
Besides IMAP and POP3, this technique is also very useful for SMTP server and you should definitely consider turning it on. Off course your SMTP server needs to support this feature in order for you to use it.
The most common method of stealing someoneís password is to have them go through a monitored network.
Consider the following scenario as an example:
Using encryption can mitigate the problem described above. Encryption ensures two things:
Often users are careless about using encryption. Since their end-goal is to get the device connected to the server, they often ignore the settings related to SSL/TLS and end up connecting to the server without encryption.
One way to ensure users are using encryption is to monitor their connectivity logs. Email Server, such as Xeams, can notify administrators of every user who is not using encryption when connecting to any listening server, including SMTP, IMAP, and POP3. Click here to watch a short video on this topic.
Hackers are always seeking to crack user id and passwords so they can be misused. By implementing proactive approaches at the server level, administrators can ensure their users are connecting in a sure manner. Additionally, by closing unnecessary doors on the server administrators can reduce their exposure to hackers. Therefore, it is important to use an email server, such as Xeams that facilitate administrators to stay proactive regarding their email infrastructure.
How do you ensure users connect to your email server using a secure mechanism mitigating the risk of getting their credentials stolen? Use the comments section below to answer.
|Created on:||Sep 2, 2020|
|Last updated on:||May 20, 2022|