Non-user logins?
John Fawcett
john at voipsupport.it
Sat Jan 8 13:57:48 UTC 2022
On 08/01/2022 14:26, dc-ml at dvl.werbittewas.de wrote:
>
> Am 08.01.22 um 05:27 schrieb Dave McGuire:
>
>> trying to mess with other peoples' stuff. I run fail2ban to catch those
>> log entries and block the source IP address for a month on the first
>> failed login. At any one time I have between 12,000 and 15,000
> well, I don't know how _your_ users are connected to the internet, but
> in Germany most people have at least daily changing IPs out of larger
> pools (when connected via xDSL) or even sometimes share ip-addresses
> with others (when connected via tv-cable or mobile - having a private
> network-address, which is natted), so it's possible to get/use an IP
> which was used before by some script-kiddies...
>
> so everyone who's blocking such requests for more than some
> minutes/hours should be aware of maybe blocking legitimate user-logins...
>
> btw.: setting up a new mail-client and making any mistake by reading it
> from the old install or writing it into the new install also leads to a
> months-long blocking with the above restrictive handling...
> (and may drive this user mad)
>
> so anyone who has no experience with blocking should be really careful
> with it.
>
> d.
yes, blocking on the first wrong password sounds like overkill. But it
does depend on user base. For a small mail server with few known users
it could be workable.
But even on small servers I'd recommend blocking for a small time (like
up to an hour) after a small number of failures (example 3). Then if
this pattern repeats (for example 3 times) within a longer period (for
example up to a day), blocking for a longer period (example 1 week)
using the recidive jail.
Mileage will vary depending on user base and number of support requests
generated.
The point about fail2ban is that it slows down attackers, stopping
infinite and fast-repeating attacks from the same ip. That should be in
combination with a good password policy which reduces the probability of
any single attack guessing the password. It doesn't necessarily have to
zero out attacks. As Dave has experienced, to bypass fail2ban all the
attacker has to do is use a different ip. 10-15K blocks in place at any
time seem very high compared to the few attacks I see.
I'd hazard a guess that the restrictive fail2ban policy is causing the
attacker(s) to try immediately from a new ip and isn't generating a
great deal more security than a slightly less restrictive policy which
lures the attacker into trying a few times more from the same ip with
longer intervals between the attempts.
John
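The two-stage schedule John describes (a short ban after a few failures, then the recidive jail escalating to a week when that repeats within a day) written out as a fail2ban jail.local fragment; this is an added example, not a config from the thread, and the 10-minute findtime, the ignoreip ranges and the file path are my assumptions.

```ini
# /etc/fail2ban/jail.local (assumed path; fail2ban's usual local override file)

[DEFAULT]
# Never ban the server itself or the admin's own network (assumed values),
# so a mistyped password from a known address cannot lock out support staff.
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[dovecot]
# Stage 1: three failed logins within 10 minutes (assumed window) earn a
# short ban: long enough to slow a guessing client, short enough that a
# user who mistyped a password into a new mail client is not locked out
# for long. Dovecot must log auth failures for the stock filter to match
# (auth_verbose = yes in dovecot.conf).
enabled  = true
maxretry = 3
findtime = 10m
bantime  = 1h

[recidive]
# Stage 2: the stock recidive filter reads fail2ban's own log and counts
# "Ban" lines per address. An address banned three times within one day
# (by any jail) is banned for a week on all ports.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
maxretry  = 3
findtime  = 1d
bantime   = 1w
```

After reloading, `fail2ban-client status dovecot` and `fail2ban-client status recidive` show how many addresses sit in each stage, which is the number to compare against the 10-15K figure discussed above.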