On 07/27/2017 05:19 AM, James Brown wrote:
On 26 Jul 2017, at 7:57 pm, Olaf Hopp Olaf.Hopp@kit.edu wrote:
Dear colleagues,
many thanks for your valuable input.
Since we are a university, GEO-IP blocking is not an option for us. Sometimes I think it should be ;-)
My "mistake" was that I had just *one* fail2ban filter for both cases: "wrong password" and "unknown user".
Now I have two distinct jails: The first one just for "wrong password" and here the findtime, bantime, retries are tolerant to typos.
And I have a new one just for "unknown user", and here my bantime and findtime are much bigger and the retries are just '2'. So here I'm much harsher. I'll keep an eye on my logs and maybe some more tweaking is necessary.
Another interesting observation: I activated auth_verbose_passwords = plain to log the plain password when (and only when) there is "unknown user". It reveals that all different IPs trying one unknown account always try with the same stupid password scheme <ACCOUNT>1234. So this doesn't look very well coordinated between the bots ;-)
Olaf, how do you do this only for the unknown user?
Can you share the Dovecot settings?
I’m under the same sort of slow distributed attack.
Also the two fail2ban jails would be helpful.
Nothing special in the dovecot config
/etc/fail2ban/jail.local
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/dovecot
bantime = 600
findtime = 600
maxretry = 5
backend = auto
[dovecot_unknown]
ignoreip = X.X.X.0/24
enabled = true
filter = dovecot_unknown
action = iptables-multiport[name=dovecot_unknown, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/dovecot
bantime = 14400
findtime = 14400
maxretry = 2
backend = auto
/etc/fail2ban/filter.d/dovecot.local
[INCLUDES]
before = common.conf

[Definition]
failregex = dovecot: auth-worker\(\d+\): pam\(.*,<HOST>,\<.*\>\): pam_authenticate\(\) failed: Authentication failure \(password mismatch\?\)
ignoreregex =
/etc/fail2ban/filter.d/dovecot_unknown.local
[INCLUDES]
before = common.conf

[Definition]
failregex = dovecot: auth-worker\(\d+\): pam\(.*,<HOST>,\<.*\>\): unknown user.*
ignoreregex =
The failregex lines may need adapting to your log format. "fail2ban-regex" is your friend.
On my Dovecot 2.2.31, "unknown user" log lines look like this:
Jul 26 14:58:56 irams1 dovecot: auth-worker(2822): pam(inikul,112.54.93.34,<TcVzAjhVMINwNl0i>): unknown user (given password: inikul2017)
and "wrong password" lines look like this
Jul 26 15:01:41 irams1 dovecot: auth-worker(3530): pam(johndoe,120.209.164.118,
Regards, Olaf
Karlsruher Institut für Technologie (KIT), ATIS - Department of Technical Infrastructure, Faculty of Informatics
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009, 76131 Karlsruhe. Phone: +49 721 608-43973, Fax: +49 721 608-46699, E-mail: Olaf.Hopp@kit.edu, atis.informatik.kit.edu
www.kit.edu
KIT - The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
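Added example (not Olaf's code and not part of the thread): the two failregex lines from the filters above, run in Python over constructed Dovecot log lines, plus a small re-implementation of fail2ban's findtime/maxretry counting. It shows why the "unknown user" jail (maxretry 2 within 14400 s) bans a slow two-attempt probe that the tolerant "wrong password" jail (maxretry 5 within 600 s) ignores, and why a real user's typos stay unbanned. The `<HOST>` stand-in regex, the year 2017, the documentation-range IPs, user names and session IDs are all assumptions; fail2ban's real `<HOST>` expansion is broader, so check the real log with fail2ban-regex before deploying.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> expansion (assumption: bare IPv4/IPv6 or host name,
# no brackets). fail2ban's own expansion is broader; use fail2ban-regex for the real check.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+|[\w.-]+)"

# The two failregex lines from the thread, with <HOST> substituted.
FILTERS = {
    # filter.d/dovecot.local: "wrong password" for an existing account
    "dovecot": re.compile(
        r"dovecot: auth-worker\(\d+\): pam\(.*," + HOST_RE + r",<.*>\): "
        r"pam_authenticate\(\) failed: Authentication failure \(password mismatch\?\)"),
    # filter.d/dovecot_unknown.local: login attempt for a nonexistent account
    "dovecot_unknown": re.compile(
        r"dovecot: auth-worker\(\d+\): pam\(.*," + HOST_RE + r",<.*>\): unknown user.*"),
}

# findtime/maxretry/bantime from jail.local: tolerant for typos, harsh for unknown users
JAILS = {
    "dovecot": {"findtime": 600, "maxretry": 5, "bantime": 600},
    "dovecot_unknown": {"findtime": 14400, "maxretry": 2, "bantime": 14400},
}

MISMATCH = "pam_authenticate() failed: Authentication failure (password mismatch?)"


def unknown_user(password):
    return f"unknown user (given password: {password})"


def log_line(ts, user, host, msg, worker=2822, session="TcVzAjhVMINwNl0i"):
    """Build a syslog-style Dovecot auth-worker line in the format shown in the thread."""
    return f"{ts} irams1 dovecot: auth-worker({worker}): pam({user},{host},<{session}>): {msg}"


# Constructed sample log (documentation IP ranges, invented user names):
#  - 203.0.113.10 tries the nonexistent account "inikul" twice, 20 minutes apart
#  - 198.51.100.7 is a real user mistyping a password three times
#  - 198.51.100.8 hammers an existing account five times in under a minute
#  - 2001:db8::42 tries an unknown account twice, but 4.5 hours apart
SAMPLE_LOG = [
    log_line("Jul 26 14:58:56", "inikul", "203.0.113.10", unknown_user("inikul1234")),
    log_line("Jul 26 15:01:41", "johndoe", "198.51.100.7", MISMATCH, worker=3530),
    log_line("Jul 26 15:01:55", "johndoe", "198.51.100.7", MISMATCH, worker=3530),
    log_line("Jul 26 15:02:10", "johndoe", "198.51.100.7", MISMATCH, worker=3530),
    log_line("Jul 26 15:05:00", "sales", "2001:db8::42", unknown_user("sales1234")),
    *[log_line(f"Jul 26 15:10:{s:02d}", "admin", "198.51.100.8", MISMATCH, worker=3601)
      for s in (0, 12, 24, 36, 48)],
    log_line("Jul 26 15:18:56", "inikul", "203.0.113.10", unknown_user("inikul1234")),
    log_line("Jul 26 19:30:00", "sales", "2001:db8::42", unknown_user("sales1234")),
]


def parse_ts(line, year=2017):
    """Syslog timestamps carry no year; 2017 (the year of the thread) is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def run_jails(lines, jails=JAILS, filters=FILTERS):
    """Feed log lines through both jails and return {jail: {host: time_of_ban}}.

    Mirrors fail2ban's counting: a host is banned once it has maxretry matching
    failures inside a sliding findtime window; a banned host is not counted again.
    """
    failures = {name: defaultdict(deque) for name in jails}
    bans = {name: {} for name in jails}
    for line in lines:
        for name, pattern in filters.items():
            match = pattern.search(line)
            if match is None:
                continue
            host = match.group("host")
            if host in bans[name]:
                continue
            ts = parse_ts(line)
            window = failures[name][host]
            window.append(ts)
            # forget failures that fell out of the findtime window
            while (ts - window[0]).total_seconds() > jails[name]["findtime"]:
                window.popleft()
            if len(window) >= jails[name]["maxretry"]:
                bans[name][host] = ts
    return bans


if __name__ == "__main__":
    for jail, banned in run_jails(SAMPLE_LOG).items():
        for host, when in banned.items():
            print(f"[{jail}] ban {host} at {when:%H:%M:%S} for {JAILS[jail]['bantime']}s")
```

Running it bans 203.0.113.10 in dovecot_unknown on its second probe and 198.51.100.8 in dovecot on its fifth mismatch; johndoe's three typos and the IPv6 probe that returns outside the 4-hour findtime stay unbanned. The same split is what the two jails in jail.local do, only without the iptables action.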