Aaron Sakovich
Super Advisor

SMTP service locked out

OpenVMS Alpha 7.3-2, TCP/IP Services v5.4-4

The TCPIP$SMTP service account got locked out the other day due to invalid password attempts. Reviewing the audit logs indicated several consecutive attempts from our firewall to connect to the SMTP service. Checking the accounting logs indicated that the sessions were extraordinarily brief (very low CPU time and I/O, especially as compared to a "normal" rejected or successful mail transaction).

What could possibly cause a service account to receive a "bad password", when it's not even possible for the remote system to ask for or provide one?

My only speculation is that this may have been caused by a port scan of the system which was terminated prior to the completion of the process login. Why that would result in an INVPWD instead of an abnormal termination is beyond me at this time, however. Alternatively, could this be an attempt at a DoS attack? (The only reason it would even be close to successful is because we knowingly enforce LGI_BRK_DISUSER.)

Does anyone have any hard factual info or more informed speculation about this kind of a service failure?

TIA,
Aaron
Steven Schweda
Honored Contributor

Re: SMTP service locked out

Connecting to the SMTP service and attempting
to log in as TCPIP$SMTP are two different
things. Can you show one of the log entries?
Aaron Sakovich
Super Advisor

Re: SMTP service locked out

Understood, and yes, this is a service instantiation, not an interactive login attempt. (addresses changed for security purposes -- w.x.y.z corresponds to the internal i/f on the mail firewall) (My apologies for the munged display; formatted text is not preserved in this forum.)
Auditing LOGFAIL entry:

Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 1025
Auditable event: Network login failure
Event time: 29-JAN-2006 23:52:05.60
PID: 206AD01E
Process name: TCPIP$SM_BG1135
Username: TCPIP$SMTP
Remote node id: wxyz (a.b)
Remote node fullname: w.x.y.z
Remote username: TCPIP$SMTP
Status: %LOGIN-F-INVPWD, invalid password

Accounting record:

NETWORK Process Termination
---------------------------
Username: TCPIP$SMTP
UIC: [TCPIP$AUX,TCPIP$SMTP]
Account: TCPIP
Finish time: 29-JAN-2006 23:52:05.53
Process ID: 206AEC06
Start time: 29-JAN-2006 23:52:04.37
Owner ID:
Elapsed time: 0 00:00:01.16
Terminal name:
Processor time: 0 00:00:00.10
Remote node addr:
Priority: 8
Remote node name:
Privilege <31-00>: 00108000
Remote ID: TCPIP$SMTP
Privilege <63-32>: 00000000
Remote full name: w.x.y.z
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Queue entry:
Final status code: 100020EC
Queue name:
Job name:
Final status text: %SYSTEM-F-LINKDISCON, network partner disconnected logical li
Page faults: 594
Direct IO: 167
Page fault reads: 96
Buffered IO: 135
Peak working set: 6160
Volumes mounted: 0
Peak page file: 179648
Images executed: 5
Thomas Ritter
Respected Contributor

Re: SMTP service locked out

Aaron, would you verify that the username and password combination is valid on the server host? A quick way to check is by performing a decent directory lookup:
$ dir 0"tcpip$smtp password"::

Provide the output for

$ ucx show service smtp/full
$ mc authorize show TCPIP$SMTP
Aaron Sakovich
Super Advisor

Re: SMTP service locked out

You're presuming I know the system generated password for that account! :^)

As an alternative, the TCPIP$SMTP account does normally work for the SMTP service. This occurrence is a once-in-10-year event. Well, for the lockout -- there are 92 bad password attempts against that account since it was created many moons ago. I've only been responsible for the auditing of these accounts for the past couple weeks, the prior person having just dismissed these events, as near as I can tell. But it appears that this is the reason for all the bad password attempts, and not a misconfigured service, as near as I can tell. The fact that I've got 970 spam messages in my wastebasket attests to the fact that the service is *mostly* working as it should...

Aaron
Thomas Ritter
Respected Contributor

Re: SMTP service locked out

A note on spamming. There is a config file called TCPIP$SMTP_COMMON:SMTP_CONFIG.TEMPLATE. This can be modified to prevent spamming.

Extract
!!!Reject-Mail-From: *.xyz.com, known.spammer@*, *the_internet*
!
!!!Accept-Mail-From: *@notabadguy.xyz.com, the_internet_news@somehwere.com
!
!!!SPAM-Action: OPCOM, ACCOUNTING
!
!!!Security: FRIENDLY
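How a sender address is screened by the Reject-Mail-From / Accept-Mail-From lists from the extract above, as an added example that is not the thread's or HP's code. It assumes (not verified against the TCP/IP Services source) that "!" starts a comment, so the "!!!" template lines do nothing until uncommented; that "*" matches any run of characters and "%" a single character; that matching is case-insensitive; and that an Accept-Mail-From match is an exception that overrides a Reject-Mail-From match. The config text is constructed from the extract with two directives enabled.

```python
import fnmatch

# Constructed config: the template extract above with two directives enabled
# (the "!!!" lines are comments under the assumption that "!" starts a comment).
SAMPLE_CONFIG = """\
!!!Reject-Mail-From: *.xyz.com, known.spammer@*, *the_internet*
Reject-Mail-From: *.xyz.com, known.spammer@*, *the_internet*
!
Accept-Mail-From: *@notabadguy.xyz.com, the_internet_news@somehwere.com
!!!SPAM-Action: OPCOM, ACCOUNTING
"""


def parse_lists(text):
    """Return {directive: [patterns]} for the active (non-comment) lines."""
    lists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        key, _, value = line.partition(":")
        lists.setdefault(key.strip(), []).extend(
            p.strip().lower() for p in value.split(",") if p.strip())
    return lists


def _matches(address, pattern):
    # Assumed VMS-style wildcards: '*' any run, '%' one character (fnmatch '?').
    return fnmatch.fnmatchcase(address.lower(), pattern.replace("%", "?"))


def sender_allowed(address, lists):
    """(allowed, matching_pattern): an Accept-Mail-From hit wins (assumed
    exception semantics), then a Reject-Mail-From hit rejects, else allow."""
    for pat in lists.get("Accept-Mail-From", []):
        if _matches(address, pat):
            return True, pat
    for pat in lists.get("Reject-Mail-From", []):
        if _matches(address, pat):
            return False, pat
    return True, None


if __name__ == "__main__":
    lists = parse_lists(SAMPLE_CONFIG)
    for addr in ("bob@notabadguy.xyz.com", "eve@mail.xyz.com",
                 "Known.Spammer@example.org", "alice@example.org"):
        print(addr, "->", sender_allowed(addr, lists))
```

Running it shows why an address under xyz.com is rejected while one at notabadguy.xyz.com gets through, and that the commented-out SPAM-Action line has no effect until its "!!!" prefix is removed.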
Aaron Sakovich
Super Advisor

Re: SMTP service locked out

FWIW, we already make extensive use of the smtp.config file for SPAM blocking. This problem has occurred even while this capability was enabled. The low CPU and I/O counts on the terminated process, plus the fact that it's an invalid password attempt that's flagged, make me confident that we're not even close to the anti-SPAM features being activated.

Aaron
Jim_McKinney
Honored Contributor

Re: SMTP service locked out

> Status: %LOGIN-F-INVPWD, invalid password

> Peak page file: 179648 Images executed: 5

I'm not familiar with the TCPIP$SMTP service... but, I do find it interesting that your process exits with an INVPWD status and that there were 5 images activated. I'd have expected only 3 image activations for a network process. Is it possible that the status is not the result of a failed login but some bogus value left in R0 when the 4th image exited? Does SYS$SYLOGIN execute any images?

Jim_McKinney
Honored Contributor

Re: SMTP service locked out

I previously wrote "some bogus value left in R0 when the 4th image exited?"

Since you did get an alarm for the login failure, speculation of a bad R0 value is not realistic. But what are the other 2 images? Is that normal for this SMTP service? Could one of those image activations have resulted in a second network login? With a logfail for the initial process I'd not have expected multiple imgacts.
Jim_McKinney
Honored Contributor

Re: SMTP service locked out

Note that the audit and accounting records posted are for different PIDs.
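The checks this thread turns on, written out as an added example that is not the poster's or HP's code: it parses LOGFAIL audit alarms and NETWORK Process Termination accounting records in the layouts Aaron posted, pairs them by PID (the mismatch Jim points out above), and counts INVPWD alarms per remote node inside a sliding window, which is the kind of run that trips a break-in lockout when LGI_BRK_DISUSER is set. The sample records, PIDs, times and the w.x.y.z address are constructed; the limit and window defaults are assumptions standing in for a system's actual LGI_BRK_LIM and LGI_BRK_TMO parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"  # e.g. 29-JAN-2006 23:52:05.60

# Constructed audit alarms in the layout of the LOGFAIL entry posted above.
SAMPLE_AUDIT = """\
Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 1025
Auditable event: Network login failure
Event time: 29-JAN-2006 23:52:05.60
PID: 206AD01E
Process name: TCPIP$SM_BG1135
Username: TCPIP$SMTP
Remote node fullname: w.x.y.z
Status: %LOGIN-F-INVPWD, invalid password

Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 1025
Auditable event: Network login failure
Event time: 29-JAN-2006 23:52:07.10
PID: 206AD020
Process name: TCPIP$SM_BG1137
Username: TCPIP$SMTP
Remote node fullname: w.x.y.z
Status: %LOGIN-F-INVPWD, invalid password
"""

# Constructed accounting records with the two-column display flattened to
# several "Label: value" pairs per line, as the forum rendered the original.
SAMPLE_ACCT = """\
NETWORK Process Termination
---------------------------
Username: TCPIP$SMTP UIC: [TCPIP$AUX,TCPIP$SMTP]
Process ID: 206AD01E Start time: 29-JAN-2006 23:52:04.37
Owner ID: Elapsed time: 0 00:00:01.16
Final status text: %SYSTEM-F-LINKDISCON, network partner disconnected logical li
Peak page file: 179648 Images executed: 5

NETWORK Process Termination
---------------------------
Username: TCPIP$SMTP UIC: [TCPIP$AUX,TCPIP$SMTP]
Process ID: 206AEC06 Start time: 29-JAN-2006 23:52:04.37
Owner ID: Elapsed time: 0 00:00:01.16
Final status text: %SYSTEM-F-LINKDISCON, network partner disconnected logical li
Peak page file: 179648 Images executed: 5
"""

# Labels of a NETWORK Process Termination record, taken from the posted one.
ACCT_FIELDS = [
    "Username", "UIC", "Account", "Finish time", "Process ID", "Start time",
    "Owner ID", "Elapsed time", "Terminal name", "Processor time",
    "Remote node addr", "Priority", "Remote node name", "Privilege <31-00>",
    "Remote ID", "Privilege <63-32>", "Remote full name", "Posix UID",
    "Posix GID", "Queue entry", "Final status code", "Queue name", "Job name",
    "Final status text", "Page faults", "Direct IO", "Page fault reads",
    "Buffered IO", "Peak working set", "Volumes mounted", "Peak page file",
    "Images executed",
]
_ALT = "|".join(re.escape(f) for f in ACCT_FIELDS)
# A label, its value, stopping before the next label on the line or at EOL.
_ACCT_RE = re.compile(rf"\b({_ALT}):\s*(.*?)\s*(?=(?:{_ALT}):|$)", re.M)


def _blocks(text):
    return [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def parse_audit(text):
    """One dict per alarm: each 'Key: value' line becomes an entry."""
    out = []
    for block in _blocks(text):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        out.append(rec)
    return out


def parse_accounting(text):
    """One dict per termination record, un-flattening the two-column layout."""
    return [dict(_ACCT_RE.findall(b)) for b in _blocks(text)]


def correlate(audit, acct):
    """Pair each alarm with the accounting record of the same PID, or None
    when no termination record carries that PID."""
    by_pid = {r.get("Process ID"): r for r in acct}
    return [(a, by_pid.get(a.get("PID"))) for a in audit]


def invpwd_bursts(audit, limit=5, window=timedelta(minutes=5)):
    """Remote nodes with at least `limit` INVPWD alarms inside one `window`,
    mapped to the longest such run (the pattern a break-in lockout keys on)."""
    times = defaultdict(list)
    for a in audit:
        if "%LOGIN-F-INVPWD" in a.get("Status", ""):
            node = a.get("Remote node fullname", "?")
            times[node].append(datetime.strptime(a["Event time"], TIME_FMT))
    hits = {}
    for node, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            run = end - start + 1
            if run >= limit:
                hits[node] = max(run, hits.get(node, 0))
    return hits


if __name__ == "__main__":
    alarms = parse_audit(SAMPLE_AUDIT)
    records = parse_accounting(SAMPLE_ACCT)
    for alarm, rec in correlate(alarms, records):
        print(alarm["PID"], alarm["Status"], "->",
              f"{rec['Final status text']} ({rec['Images executed']} images)"
              if rec else "no accounting record with this PID")
    print("bursts:", invpwd_bursts(alarms, limit=2))
```

On the constructed data the first alarm pairs with a termination record and the second does not, which is the situation to look for before reasoning about images executed or final status: an unmatched PID means the two records describe different processes. Feed the real audit and accounting extracts in through the same two parsers and set `limit` and `window` to the system's actual LGI_BRK_LIM and LGI_BRK_TMO values.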