I have concocted something that seems to work. And for the archives, this is it:
failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)
It's still reactive, and not pro-active.
All the other suggestions are very much appreciated, including weakforced; however, implementing that is a much larger project.
Next I have to find out how to feed my fail2ban logs back to blocklist.de, to improve their mail.txt hit rate.
Thanks again for all kind assistance.
MJ
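Added example, not part of the original thread and not fail2ban's own code: a small Python check that turns the failregex lines from the reply above into Python regexes and runs them over constructed log lines in the same shape as the dovecot "auth: Info: ldap(...)" lines quoted in the question, reporting which lines match and which address each would ban. It assumes a simplified stand-in for fail2ban's <HOST> expansion (fail2ban's real one is more permissive) and does not replicate fail2ban's date stripping; the session IDs, extra users, addresses and passwords in the sample lines are constructed for the test.

```python
import re

# The failregex entries from the reply, one per line (fail2ban's multi-line
# syntax: the first pattern after "failregex =" and one pattern per indented
# continuation line).
FAILREGEX = r"""
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)
"""

# Assumption: fail2ban expands <HOST> into a named group called "host".
# This is a simplified stand-in (IPv4/IPv6 literal or hostname characters),
# not fail2ban's own expansion.
HOST_GROUP = r"(?P<host>[\w.:\-]+)"


def compile_failregex(text):
    """Compile each non-empty failregex line into a Python pattern."""
    return [re.compile(line.strip().replace("<HOST>", HOST_GROUP))
            for line in text.strip().splitlines() if line.strip()]


def find_hosts(lines, patterns):
    """Return (host, line) for every line matched by at least one pattern.

    re.search is used because the failregex entries carry no ^ anchor and
    the syslog timestamp precedes the "auth:" text. First matching pattern
    wins, as a line only needs to be counted once.
    """
    hits = []
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


PATTERNS = compile_failregex(FAILREGEX)

# Constructed sample log lines (session IDs, users 2-6, their addresses and
# passwords are made up); the first line is the one quoted in the question.
SAMPLE_LINES = [
    "Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<aaaaBBBBccccDDDD>): invalid credentials (given password: 123321)",
    "Jul 20 11:10:25 auth: Info: ldap(user3,198.51.100.7,<zzzzZZZZzzzzZZZZ>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 20 11:10:31 auth: Info: ldap(user4,203.0.113.9,<yyyyYYYYyyyyYYYY>): invalid credentials (given password: mypassword)",
    "Jul 20 11:10:40 auth: Info: ldap(user5,192.0.2.44,<xxxxXXXXxxxxXXXX>): invalid credentials (given password: hunter2)",
    "Jul 20 11:10:50 auth: Info: ldap(user6,192.0.2.45,<vvvvVVVVvvvvVVVV>): invalid credentials (given password: 1qaz2wsx)",
]

if __name__ == "__main__":
    matched = find_hosts(SAMPLE_LINES, PATTERNS)
    for host, line in matched:
        print("BAN  %-15s %s" % (host, line))
    unmatched = set(SAMPLE_LINES) - {line for _, line in matched}
    for line in SAMPLE_LINES:
        if line in unmatched:
            print("skip %-15s %s" % ("-", line))
```

Two things the run makes visible about the patterns as written: `.+ssword` also fires on any password ending in "ssword" (the constructed "mypassword" line is banned), and `1q2w3e4r.+` requires at least one character after "1q2w3e4r", so a bare "1q2w3e4r" is not caught. For the real filter file, fail2ban's own `fail2ban-regex` tool run against the log and the filter is the authoritative check, since it applies fail2ban's actual <HOST> expansion and date handling.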
On 07/20/2017 11:16 AM, mj wrote:
Hi all,
If I may, one more question on this subject:
I would like to create a fail2ban filter, that scans for these lines:
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,
): invalid credentials (given password: password)

(as you can see, I have enabled auth_verbose_passwords to do this, making me very uncomfortable...)
Anyway: since there are only a few password variations, I would like to block anyone using those passwords.
(since the connections are over TLS/SSL, I cannot use iptables, as suggested earlier)
So I need a specific fail2ban rule that extracts the <IP> from that line, and matches on "(given password: password)"
Can anyone here help out with a failregex line that would match..?