Hello, all.
I just set-up a new server, running postfix, with submission(s) activated on standard ports (587, 465)
Shortly after it has been setup, I see brute force attacks (not surprising) from a whole /24 network (more surprising).
I carefully checked the logs, and see the modus operandi, which basically loop across the IP addresses in the network, to avoid being blacklisted by tools like fail2ban. And it is true, even with fail2ban activated, no IP is blacklisted.
By activating verbose logging, I see multiple user names are tried, not only passwords.
Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance.
I basically need features that fail2ban doesn't offer
- I would like to not rely on reading logs, removing one step and acting more pro-actively.
- If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate between a user having lost his password and a brute force attack.
- If I log all the failure in a database, with the IP address, and the whois information, the script would take decision according to the whois information.
What are you using on your side ?
- Do you know any service, that I could use, to get the network to ban from an IP address reputation, something like crowdsec, for instance ?
- Anyone has success with Suricata, Snort, or a tool like this ?
Please, do not suggest third party hosted services, I want to be part of my self-hosting solution.
Kind regards, André