Their is more and more reasons to use 3rd party network reputation at the authentication level. While our platforms have pretty sophisticated combination, that includes of course transparent 2FA, but a very granular set of rules for stopping BEC (Business Email Compromise), and dropping obvious attacks into the firewall (ipset) but not meaning to be blowing our own horn, just pointing out that while this problems is a multi-layer approach, there are SOME things everyone can do...
Use services like RATS-AUTH to block IPs that can safely be blocked as known hackers..
Use services like RATS-NULL (or SpamHaus DROP lists) right in the firewall level. There are SOME networks that should simply be 'unplugged'
Block authentication from certain cloud platforms
Very few mail servers have authentication from Azure, GoogleCloud, AWS, Digital Ocean and several others.. Your clients are using using their phones, offices, and home connections. You can always exempt blocking for the 'odd' client/customer IP that needs to relay from a cloud server.
- Turn off port 110 (well, all plain text authentication) 90% less email compromise reports when you do..
If you want more helpful tips, you can always ping me off list, and if I have time, can offer some advice. BEC compromise is still one of the biggest threats..
...
Nice to see Dovecot also following in our footsteps and looking at things like JA3 and other network level identifiers .. many windows botnets and routers botnets can be thwarted or at least identified without having to risk blocking shared IPs..
Fail2ban has been a great tool for many years for many people and purposes, but a lot more logic is needed now in that layer to safer block authentication attacks.
Hope this message helps members of the list. Some things should be made to help everyone, no matter what kind of email platform they use..
-- Michael, Happy Summer Solstice --eg.. IPs you can't block, but individual connections you can..
grep Marai mail.info | wc -l == 14485
On 2023-06-22 04:58, André Rodier via dovecot wrote:
Hello, all.
I just set-up a new server, running postfix, with submission(s) activated on standard ports (587, 465)
Shortly after it has been setup, I see brute force attacks (not surprising) from a whole /24 network (more surprising).
I carefully checked the logs, and see the modus operandi, which basically loop across the IP addresses in the network, to avoid being blacklisted by tools like fail2ban. And it is true, even with fail2ban activated, no IP is blacklisted.
By activating verbose logging, I see multiple user names are tried, not only passwords.
Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance.
I basically need features that fail2ban doesn't offer
- I would like to not rely on reading logs, removing one step and acting more pro-actively.
- If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate between a user having lost his password and a brute force attack.
- If I log all the failure in a database, with the IP address, and the whois information, the script would take decision according to the whois information.
What are you using on your side ?
- Do you know any service, that I could use, to get the network to ban from an IP address reputation, something like crowdsec, for instance ?
- Anyone has success with Suricata, Snort, or a tool like this ?
Please, do not suggest third party hosted services, I want to be part of my self-hosting solution.
Kind regards, André
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.