On 26 Jul 2017, at 7:57 pm, Olaf Hopp <Olaf.Hopp@kit.edu> wrote:
Dear colleagues,
many thanks for your valuable input.
Since we are a university GEO-IP blocking is not an option for us. Sometimes I think it should ;-)
My "mistake" was that I had just *one* fail2ban filter for both cases: "wrong password" and "unknown user".
Now I have two distinct jails: The first one just for "wrong password" and here the findtime, bantime, retries are tolerant to typos.
And I have a new one just for "unknown user" and here my bantime and findtime are much bigger and the retries are just '2'. So here I'm much harsher. I'll keep an eye on my logs and maybe some more tweaking is necessary.
Another interesting observation: I activated auth_verbose_passwords = plain to log the plain password when (and only when) there is "unknown user". It reveals that all different IPs trying one unknown account always try with the same stupid password scheme <ACCOUNT>1234. So this doesn't look very well coordinated between the bots ;-)
Olaf, how do you do this only for the unknown user?
Can you share the Dovecot settings?
I’m under the same sort of slow distributed attack.
Also the two fail2ban jails would be helpful.
Thanks,
James.
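As an added illustration of the two-jail split Olaf describes (this is example code written for this page, not Olaf's or James's configuration, and not part of fail2ban or Dovecot), the block below keeps two separate failregex patterns, one for "Password mismatch" and one for "unknown user", and replays constructed Dovecot auth log lines through each jail's findtime/maxretry window. The log-line shape assumes Dovecot 2.x with `auth_verbose = yes` (the failure reason is only logged then) and, for the `given password:` suffix, `auth_verbose_passwords = plain`; the jail names and the concrete findtime/bantime/maxretry numbers are assumptions, since the thread only states "retries 2" and "much bigger" for the unknown-user jail.

```python
import re
from datetime import datetime, timedelta

# Regex building blocks. Dovecot's verbose auth log looks roughly like
#   Jul 26 19:01:10 mail dovecot: auth: passwd-file(alice,192.0.2.11): Password mismatch
# Assumed format, modelled on Dovecot 2.x verbose auth logging.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth(?:-worker\(\d+\))?: "
PASSDB = r"(?:pam|passwd-file|passdb-\w+)\((?P<user>\S+?)," + HOST + r"(?:,\S*)?\): "

# Filter 1, the tolerant jail: genuine users mistyping their password.
WRONG_PASSWORD_RE = re.compile(PREFIX + PASSDB + r"Password mismatch")
# Filter 2, the strict jail: accounts that do not exist at all. The optional
# group captures the offered password when auth_verbose_passwords = plain.
UNKNOWN_USER_RE = re.compile(
    PREFIX + PASSDB + r"unknown user(?: \(given password: (?P<pw>[^)]*)\))?"
)

# Equivalent of two jail.local stanzas; the numbers are illustrative assumptions.
JAILS = {
    "dovecot-wrongpw": {"regex": WRONG_PASSWORD_RE, "findtime": 600, "maxretry": 5, "bantime": 600},
    "dovecot-unknownuser": {"regex": UNKNOWN_USER_RE, "findtime": 86400, "maxretry": 2, "bantime": 604800},
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jul 26 19:01:10 mail dovecot: auth: passwd-file(alice,192.0.2.11): Password mismatch
Jul 26 19:01:25 mail dovecot: auth: passwd-file(alice,192.0.2.11): Password mismatch
Jul 26 19:02:03 mail dovecot: auth: passwd-file(alice,192.0.2.11): Password mismatch
Jul 26 19:03:40 mail dovecot: auth: passwd-file(alice,192.0.2.11): Password mismatch
Jul 26 19:05:00 mail dovecot: auth-worker(2201): passwd-file(bob,198.51.100.7): unknown user (given password: bob1234)
Jul 26 19:06:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.5, TLS
Jul 26 20:40:33 mail dovecot: auth: passwd-file(bob,203.0.113.9): unknown user (given password: bob1234)
Jul 26 21:05:00 mail dovecot: auth: passwd-file(bob,198.51.100.7): unknown user (given password: bob1234)
""".splitlines()


def parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; only differences between them matter here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def run_jail(lines, jail):
    """Replay log lines through one jail; return {host: time the ban started}.

    Mirrors fail2ban's rule: a host is banned once it has >= maxretry matches
    of this jail's regex within a sliding findtime window.
    """
    regex, window = jail["regex"], timedelta(seconds=jail["findtime"])
    recent, banned = {}, {}
    for line in lines:
        m = regex.match(line)
        if not m:
            continue  # wrong-password lines do not count for the unknown-user jail, and vice versa
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= jail["maxretry"]:
            banned[host] = ts
    return banned


def offered_passwords(lines):
    """Map unknown account name -> set of passwords offered for it.

    Only populated when Dovecot logs the offered password; this is what lets
    one spot a pattern such as <ACCOUNT>1234 across otherwise unrelated hosts.
    """
    seen = {}
    for line in lines:
        m = UNKNOWN_USER_RE.match(line)
        if m and m.group("pw") is not None:
            seen.setdefault(m.group("user"), set()).add(m.group("pw"))
    return seen


if __name__ == "__main__":
    for name, jail in JAILS.items():
        print(name, "bans:", run_jail(SAMPLE_LOG, jail))
    print("offered passwords for unknown users:", offered_passwords(SAMPLE_LOG))
```

Replaying the sample, the four "Password mismatch" lines from 192.0.2.11 stay under the tolerant jail's maxretry of 5, so a user fumbling a password is left alone, while 198.51.100.7 is banned by the strict jail after its second "unknown user" hit two hours apart, which the short findtime of the tolerant jail would never have caught. In a real deployment the two regexes would live in two files under filter.d and the thresholds in jail.local; remember that with auth_verbose_passwords set, a real user's mistyped password is written to the log as well.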