On 18.07.2017 at 21:44, mj wrote:
Hi all,
It seems we are under some kind of password guessing attack:
Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
Different IPs, different usernames, but all (almost) the same password.
Any idea what we can do about this??
Any advice you could give us would be very much appreciated.
MJ
perhaps this
https://wiki.dovecot.org/HowTo/Fail2Ban
or you may adapt this
https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-yl...
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
to pop3(s)/imap(s) and your needs
Best Regards
MfG
Robert Schetterer
-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
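
Added example, not part of the original thread and not code from Dovecot or Fail2Ban: a small detector for the pattern described in the first message (many source IPs, several accounts, the same guessed password), which per-IP failure counting does not catch when each address fails only once. The sample log, the account names, the documentation-range IPs and the thresholds are constructed assumptions; the line format is the one quoted in the post.

```python
import re
from collections import defaultdict

# Format of the Dovecot auth failures quoted in this thread.
LINE_RE = re.compile(
    r"auth: Info: \w+\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): "
    r"invalid credentials \(given password: (?P<pw>.*)\)\s*$"
)

# Constructed sample input (not real data), modelled on the lines in the post.
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(alice,192.0.2.10,<s1>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(alice,198.51.100.7,<s2>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(bob,203.0.113.5,<s3>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:50 auth: Info: ldap(carol,192.0.2.44,<s4>): invalid credentials (given password: Summer(2017))
Jul 18 21:37:18 auth: Info: ldap(bob,198.51.100.7,<s5>): invalid credentials (given password: 1q2w3e4r)
"""

def parse_failures(text):
    """Yield (user, ip, password) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["user"], m["ip"], m["pw"]

def find_spraying(text, min_ips=3, min_users=2):
    """Return guessed passwords seen from many IPs against several accounts.

    Grouping is by the guessed password rather than by source address,
    because each address in a distributed attack may fail only once.
    min_ips and min_users are assumed thresholds to tune per site.
    """
    ips, users = defaultdict(set), defaultdict(set)
    for user, ip, pw in parse_failures(text):
        ips[pw].add(ip)
        users[pw].add(user)
    return {
        pw: {"ips": sorted(ips[pw]), "users": sorted(users[pw])}
        for pw in ips
        if len(ips[pw]) >= min_ips and len(users[pw]) >= min_users
    }

if __name__ == "__main__":
    for pw, hit in find_spraying(SAMPLE_LOG).items():
        print(f"{len(hit['ips'])} IPs, {len(hit['users'])} users, same guess: {pw!r}")
```

The single failure by carol and the one-off guess against bob stay below the thresholds and are not reported.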