Olaf Hopp wrote on 25.07.2017 16:37:
Hi folks,
"somehow" similar to the thread "under some kind of attack" started by "MJ":
I have dovecot shielded by fail2ban which works fine. But for a few days I have seen many many IPs per day knocking on my doors with wrong passwords and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them.
For example, one IP:
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Note the timestamps. If I look the other way round (tries on one account), I'll get
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
Also note the timestamps!
And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existing accounts. As you see in the timestamps in my examples, this cannot be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar? Anybody got an idea against this? Many of these observed IPs are Chinese mobile IPs, if this matters. But we also have Chinese students and researchers all abroad.
Regards, Olaf
For those "unknown user" attacks on Dovecot we use a rule we named "dovecot-unknownusers.conf" with Fail2Ban:
<SNIP>
failregex = ^%(__prefix_line)sauth-worker\(\d+\): (pam|sql)\(\S+,<HOST>\): unknown user\s*$
<SNIP>
"findtime" we set to 5400 (90 minutes) with "maxretry" set to 2.
Works pretty well to block those pesky slow-paced attacks.
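As an added illustration of how that findtime/maxretry window behaves on the lines Olaf quoted (example code, not from the thread or from fail2ban), the script below parses the auth-worker format with the session-id field that the posted failregex does not expect, flags source IPs the way fail2ban would, and counts how many IPs probe each non-existent account. The 192.0.2.10 line and the username "olaf" are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the auth-worker lines quoted in this thread; the session id in <...>
# (absent from the posted failregex) is optional so both layouts match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"(?:pam|sql)\((?P<user>[^,]+),(?P<ip>[^,)]+)(?:,<[^>]*>)?\): "
    r"(?P<reason>unknown user|pam_authenticate\(\) failed.*)$")

# Constructed sample: lines from Olaf's post plus one made-up typo from 192.0.2.10.
SAMPLE_LOG = """\
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 09:12:03 irams1 dovecot: auth-worker(5120): pam(olaf,192.0.2.10,<aaaaaaaaaaaaaaaa>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
"""

def parse(log, year=2017):
    out = []  # (timestamp, ip, user, reason) for every auth failure line
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"], m["user"], m["reason"]))
    return out

def slow_offenders(events, findtime=5400, maxretry=2):
    """fail2ban-style: IPs with >= maxretry 'unknown user' hits within findtime seconds."""
    hits = defaultdict(list)
    for ts, ip, _user, reason in events:
        if reason == "unknown user":
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()  # sliding window over the sorted hit times of this IP
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                flagged.add(ip)
                break
    return flagged

def ips_per_user(events):
    """Distinct source IPs per probed account: the distributed pattern Olaf describes."""
    users = defaultdict(set)
    for _ts, ip, user, reason in events:
        if reason == "unknown user":
            users[user].add(ip)
    return {user: len(ips) for user, ips in users.items()}
```

With fail2ban's usual defaults (findtime=600, maxretry=5) none of these IPs is banned; with the reply's 5400/2 the IP that cycled through four usernames is.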