There’s a password that I know and love, but I can’t use because it was stolen in the breach of some site long, long ago, and so it’s part of many dictionaries used for brute forcing passwords.
I run a bunch of cloud servers for various personal purposes and have things respectably locked down. Ansible scripts perform initial hardening of new operating systems and keep those systems up-to-date with minimal (or no) intervention. Root logins are disabled. Logins require a yubikey and a password.
I recently set up a new server I rent through Hetzner. It’s a beast for the price, by the way. I installed the Webmin/Virtualmin combo, which makes managing multiple domains on the same system quite simple.
Yesterday, I started getting a flurry of delivery rejections and out of office notifications to one of my email addresses. One of the rejections included a full, raw copy of the email that caused the rejection – sure enough, someone was sending spam through my shiny new server.
It took me a minute to realize what was happening. Virtualmin uses the Postfix mail server, and Postfix is configured to use SASL for authenticating users.
Some enterprising and dedicated person had been brute force attempting SMTP auth sessions since about the time the server came online and hit on the combination of my local username and the previously mentioned bad password. SASL doesn’t require yubikey auth, and I didn’t recognize that Virtualmin would authenticate local unix accounts and not just email accounts created through Virtualmin. In hindsight, it’s obvious why it worked, because even the Virtualmin email IDs are added as unix users using the email@example.com format.
This really highlights the nuances that make securing environments challenging – there are many, many moving parts and nuances that can lead to problems.