exchange smtp receive attack about #3033

Open
torefloo opened this issue May 26, 2024 · 3 comments
Labels: kind/bug (Something isn't working), needs/triage, question (Further information is requested)

Comments

torefloo commented May 26, 2024

What happened?

Hello, we are using Exchange 2019 CU14, but CrowdSec does not prevent the Exchange SMTP receive attacks, especially since CU14 was applied.

Has there been a change regarding this? We have installed crowdsec v1.6.1 now, but the situation is the same.

The error logs are as follows, and accounts are locked due to these attacks.

```
Event ID: 1035
Inbound authentication failed with error LogonDenied for Receive connector Client Frontend.
```

Can I ask for your support and information?

What did you expect to happen?

It previously blocked these attacks completely. Can it be fixed again?

How can we reproduce it (as minimally and precisely as possible)?

I wonder if Exchange updates the Windows version, or is there a problem with them?

Anything else we need to know?

No response

Crowdsec version

v1.6.1

OS version

Windows Server 2019

Enabled collections and parsers

```console
$ cscli hub list -o raw
# paste output here
```

Acquisition config

```console
PS C:\Windows\system32> get-content c:\programdata\crowdsec\config\acquis.yaml
```

```yaml
##RDP
source: wineventlog
event_channel: Security
event_ids:
  - 4625
  - 4623
event_level: information
labels:
  type: eventlog
---
##Firewall
filenames:
  - C:\Windows\System32\LogFiles\Firewall\*.log
labels:
  type: windows-firewall
---
##SQL Server
source: wineventlog
event_channel: Application
event_ids:
  - 18456
event_level: information
labels:
  type: eventlog
---
##IIS
use_time_machine: true
filenames:
  - C:\inetpub\logs\LogFiles\*\*.log
labels:
  type: iis
```

Config show

```console
PS C:\Windows\system32> cscli config show
Global:
   - Configuration Folder   : C:\ProgramData\CrowdSec\config
   - Configuration Folder   : C:\ProgramData\CrowdSec\config
   - Data Folder            : C:\ProgramData\CrowdSec\data
   - Hub Folder             : C:\ProgramData\CrowdSec\hub
   - Simulation File        : C:\ProgramData\CrowdSec\config\simulation.yaml
   - Log Folder             : C:\ProgramData\CrowdSec\log\
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : C:\ProgramData\CrowdSec\config\acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : C:\ProgramData\CrowdSec\hub
API Client:
  - URL                     : http://127.0.0.1:8080/
  - Credentials File        : C:\ProgramData\CrowdSec\config\local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : C:\ProgramData\Crowdsec\config\profiles.yaml

  - Trusted IPs:
  - Database:
      - Type                : sqlite
      - Path                : C:\ProgramData\CrowdSec\data\crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

```console
$ cscli metrics
# paste output here
```

Related custom configs versions (if applicable): notification plugins, custom scenarios, parsers etc.

@torefloo torefloo added the kind/bug Something isn't working label May 26, 2024

@torefloo: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@LaurenceJJones
Contributor

Hi 👋

For us to be able to replicate or investigate this issue, could you please fill in the additional details such as parsers and acquisition?

If it is the default, that detects failed logins via error code: https://github.com/crowdsecurity/crowdsec/blob/master/config%2Facquis_win.yaml#L2-L9

If the new SMTP doesn't log in the same way, then we can help you detect them.

@LaurenceJJones LaurenceJJones added the question Further information is requested label May 28, 2024
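The issue quotes Exchange event 1035 (`LogonDenied` on the Client Frontend receive connector) and the contributor notes the current Windows acquisition keys on failed-login event codes. As an added example (not CrowdSec's own parser or scenario code), the script below parses constructed event 1035 records, pulls out the client source IP, and flags addresses that exceed a failure threshold inside a time window, which is the bucket logic a ban scenario needs before any decision is made. The message wording, the `timestamp|event id|message` record layout and the host name `EXCH01` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed wording of MSExchangeTransport event 1035: the sentence quoted in the issue,
# then the mechanism and the bracketed source IP of the client that failed to log on.
EVENT_1035 = re.compile(
    r"Inbound authentication failed with error (?P<error>\w+) for Receive connector "
    r"(?P<connector>.+?)\. .*?source IP address of the client who tried to "
    r"authenticate to Microsoft Exchange is \[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

def parse_event(line):
    """Parse a constructed 'ISO-timestamp|event id|message' record; None unless event 1035."""
    ts, event_id, message = line.split("|", 2)
    m = EVENT_1035.search(message) if event_id == "1035" else None
    if not m:
        return None
    return {"time": datetime.fromisoformat(ts), "ip": m.group("ip"),
            "error": m.group("error"), "connector": m.group("connector")}

def brute_force_candidates(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total LogonDenied count} for IPs with at least `threshold` LogonDenied
    events inside one `window` (the leaky-bucket idea behind a CrowdSec ban scenario)."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["error"] == "LogonDenied":
            per_ip[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        # flag if any `threshold` consecutive failures fit inside a single window
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged[ip] = len(times)
    return flagged

def _rec(ts, ip, error="LogonDenied"):
    # One constructed record in the assumed event 1035 wording (EXCH01 is a made-up host).
    return (f"{ts}|1035|Inbound authentication failed with error {error} for Receive connector "
            f"Client Frontend EXCH01. The authentication mechanism is Login. The source IP "
            f"address of the client who tried to authenticate to Microsoft Exchange is [{ip}].")

# Constructed sample input (TEST-NET addresses, not real logs): one client failing six times
# in under a minute, one with two scattered failures, and an unrelated transport event.
SAMPLE = ([_rec(f"2024-05-26T10:00:{s:02d}", "203.0.113.7") for s in range(0, 60, 10)]
          + [_rec("2024-05-26T10:00:05", "198.51.100.4"),
             _rec("2024-05-26T11:30:00", "198.51.100.4"),
             "2024-05-26T10:00:07|1036|Unrelated transport event"])
```

Running `brute_force_candidates(SAMPLE)` flags only `203.0.113.7`; if a real Exchange 1035 message differs from the assumed wording, only `EVENT_1035` needs adjusting.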
@RichardHeilmann

Hello,
I'm also having issues with the Exchange SMTP log parsing / the block decisions.
I've posted logs and other details on the CrowdSec Discord: https://discord.com/channels/921520481163673640/1003034718771609701/threads/1247585828553883658
