
exchange smtp receive attack about

Open torefloo opened this issue 1 year ago • 3 comments

What happened?

Hello, we are using Exchange 2019 CU14, but CrowdSec does not prevent Exchange SMTP receive attacks, especially since CU14 was applied.

Has there been a change regarding this? We have installed crowdsec v1.6.1 now, but the situation is the same.

The error logs are as follows, and accounts are locked due to these attacks.

event id: 1035 Inbound authentication failed with error LogonDenied for Receive connector Client Frontend.

Can I ask for your support and information?

What did you expect to happen?

It previously blocked these attacks completely. Can it be fixed again?

How can we reproduce it (as minimally and precisely as possible)?

I wonder if it is the Exchange updates or the Windows version, or is there a problem with them?

Anything else we need to know?

No response

Crowdsec version

v1.6.1

OS version

windows server 2019

Enabled collections and parsers

```console
$ cscli hub list -o raw
# paste output here
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
PS C:\Windows\system32> get-content c:\programdata\crowdsec\config\acquis.yaml
##RDP
source: wineventlog
event_channel: Security
event_ids:
  - 4625
  - 4623
event_level: information
labels:
  type: eventlog
---
##Firewall
filenames:
  - C:\Windows\System32\LogFiles\Firewall\*.log
labels:
  type: windows-firewall
---
##SQL Server
source: wineventlog
event_channel: Application
event_ids:
  - 18456
event_level: information
labels:
  type: eventlog
---
##IIS
use_time_machine: true
filenames:
  - C:\inetpub\logs\LogFiles\**\*.log
labels:
  type: iis
PS C:\Windows\system32>
```

Config show

```console
$ cscli config show
PS C:\Windows\system32> cscli config show
Global:
   - Configuration Folder   : C:\ProgramData\CrowdSec\config
   - Configuration Folder   : C:\ProgramData\CrowdSec\config
   - Data Folder            : C:\ProgramData\CrowdSec\data
   - Hub Folder             : C:\ProgramData\CrowdSec\hub
   - Simulation File        : C:\ProgramData\CrowdSec\config\simulation.yaml
   - Log Folder             : C:\ProgramData\CrowdSec\log\
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : C:\ProgramData\CrowdSec\config\acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : C:\ProgramData\CrowdSec\hub
API Client:
  - URL                     : http://127.0.0.1:8080/
  - Credentials File        : C:\ProgramData\CrowdSec\config\local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : C:\ProgramData\Crowdsec\config\profiles.yaml

  - Trusted IPs:
  - Database:
      - Type                : sqlite
      - Path                : C:\ProgramData\CrowdSec\data\crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```


Prometheus metrics

```console
$ cscli metrics
# paste output here
```

Related custom configs versions (if applicable): notification plugins, custom scenarios, parsers etc.

torefloo avatar May 26 '24 06:05 torefloo

@torefloo: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot] avatar May 26 '24 06:05 github-actions[bot]

Hi 👋

For us to be able to replicate or investigate this issue, could you please fill in the additional details, such as parsers and acquisition?

If it is the default that detects failed logins via error code: https://github.com/crowdsecurity/crowdsec/blob/master/config%2Facquis_win.yaml#L2-L9

If the new SMTP doesn't log in the same way, then we can help you detect them.

LaurenceJJones avatar May 26 '24 09:05 LaurenceJJones
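To illustrate the kind of detection the maintainer is offering, here is a minimal leaky-bucket detector in the style of a CrowdSec scenario, added as an example for this thread (it is not CrowdSec's own code and was not posted by any participant). It runs over constructed sample records shaped like the event 1035 "LogonDenied" line quoted in the issue; the `ip` field, the `capacity` of 5 and the `leak_interval` of 10 seconds are assumptions, since the quoted event text carries no source address and the page names no scenario parameters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records, shaped like what a wineventlog acquisition would hand
# to a parser for the Application-log event quoted in the issue. The "ip" field is
# an assumption: the event text on the page carries no source address.
SAMPLE_EVENTS: List[dict] = [
    # six LogonDenied failures one second apart from one source
    *[{"ts": float(t), "event_id": 1035, "error": "LogonDenied", "ip": "203.0.113.7"}
      for t in range(6)],
    # three widely spaced failures from another source (a user mistyping a password)
    *[{"ts": float(t), "event_id": 1035, "error": "LogonDenied", "ip": "198.51.100.20"}
      for t in (0, 60, 120)],
    # an RDP failure (4625) from the first source: another scenario's job, ignored here
    {"ts": 2.5, "event_id": 4625, "error": "", "ip": "203.0.113.7"},
]

@dataclass
class LeakyBucket:
    """CrowdSec-style bucket: each matching event adds one unit, one unit leaks
    out every leak_interval seconds, and overflow means the pattern fired."""
    capacity: int
    leak_interval: float
    level: float = 0.0
    last_ts: Optional[float] = None

    def add(self, ts: float) -> bool:
        if self.last_ts is not None:  # leak what drained since the previous event
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leak_interval)
        self.last_ts = ts
        self.level += 1.0
        return self.level > self.capacity

def detect_smtp_bruteforce(events: List[dict], capacity: int = 5,
                           leak_interval: float = 10.0) -> Dict[str, float]:
    """Bucket event 1035 / LogonDenied records per source IP; return {ip: timestamp}
    for each source whose bucket overflowed (when a scenario would emit a decision)."""
    buckets: Dict[str, LeakyBucket] = {}
    decisions: Dict[str, float] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 1035 or ev["error"] != "LogonDenied":
            continue  # not this scenario's event
        ip = ev["ip"]
        if ip in decisions:
            continue  # already decided for this source
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leak_interval))
        if bucket.add(ev["ts"]):
            decisions[ip] = ev["ts"]
    return decisions  # -> {'203.0.113.7': 5.0} for SAMPLE_EVENTS
```

The widely spaced failures from the second source never overflow because the bucket drains between them, which is what keeps a single mistyped password from producing a decision.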

Hello, I'm also having issues with the Exchange SMTP log parsing / the block decisions. I've posted logs and other details on the CrowdSec Discord: https://discord.com/channels/921520481163673640/1003034718771609701/threads/1247585828553883658

RichardHeilmann avatar Jun 10 '24 07:06 RichardHeilmann

Closing due to stale issue, please reopen with more information once you have the time to fill out the rest of the issue template.

LaurenceJJones avatar Oct 02 '24 11:10 LaurenceJJones