On 18.07.2017 at 22:15, mj wrote:
Hi,
Thanks for the quick follow-ups! Much appreciated. After posting this, I immediately started working on fail2ban. And between my initial posting and now, fail2ban already blocked 114 IPs.
I have fail2ban with maxretry=1 and bantime=1800
However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently.
Robert, your iptables suggestions are _very_ interesting! However, will they also work on imaps/993, because of the ssl?
I guess not, but typical bots aren't using SSL, check it.
However, fail2ban is sometimes too slow, but as an alternative you may create a filter out of syslog to directly feed into iptables recent; here is an example with SMTP:
https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-m...
Thanks for the quick replies!
MJ
On 07/18/2017 09:52 PM, Robert Schetterer wrote:
On 18.07.2017 at 21:44, mj wrote:
Hi all,
It seems we are under some kind of password guessing attack:
Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
Different IPs, different usernames, but all (almost) the same password.
Any idea what we can do about this??
Any advice you could give us would be very much appreciated.
MJ
Perhaps this:
https://wiki.dovecot.org/HowTo/Fail2Ban
or you may adapt this:
https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-yl...
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
to pop3(s)/imap(s) and your needs
Best Regards MfG Robert Schetterer
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263; Management board: Patrick Ben Koetter, Marc Schiffbauer; Chairman of the supervisory board: Florian Kirstein
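As an added example (not code from the thread, from Dovecot, or from either poster), the following Python script ties together two points made above: mj's observation that the failures come from many different IPs but use almost the same password, which is exactly the case a per-IP ban such as fail2ban's maxretry cannot keep up with, and Robert's suggestion of feeding addresses from the syslog stream into an iptables `recent` list instead. It parses the nine dovecot `auth: Info: ldap(...)` lines quoted in the thread (embedded here as constructed sample input, with the thread's placeholder user names), shows that every source IP appears only once, groups the failures by the guessed password to expose the distributed run, and emits the userspace commands that push the offending addresses into an xt_recent list. The list name `dovecot-bad`, the 1800-second window and the matching iptables rule in the comment are my own example choices and not anything stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the nine dovecot auth lines quoted in the thread,
# one per line (placeholder user names as in the thread).
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
"""

# Written for exactly the line shape quoted in the thread. Dovecot only logs the
# "(given password: ...)" part when auth_verbose_passwords is enabled.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) auth: Info: "
    r"(?P<passdb>\w+)\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): "
    r"invalid credentials \(given password: (?P<password>.*)\)$"
)


def parse_auth_failures(log_text):
    """Return one dict per failed-login line; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_per_ip(events):
    """What a per-source ban (fail2ban's maxretry) gets to see: failures per IP."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def spray_candidates(events, min_ips=3):
    """Group failures by the guessed password instead of by source.

    One password tried from many IPs against many accounts is a distributed
    guessing run; a per-IP threshold never fires on it when each IP is used once.
    """
    ips_by_pw = defaultdict(set)
    users_by_pw = defaultdict(set)
    for e in events:
        ips_by_pw[e["password"]].add(e["ip"])
        users_by_pw[e["password"]].add(e["user"])
    return {
        pw: {"ips": sorted(ips), "users": sorted(users_by_pw[pw])}
        for pw, ips in ips_by_pw.items()
        if len(ips) >= min_ips
    }


def xt_recent_add_commands(ips, list_name="dovecot-bad"):
    """Userspace half of 'feed iptables recent from syslog'.

    Writing "+addr" to /proc/net/xt_recent/<list> adds the address to that
    list (the file exists once a rule references the list). Assumed matching
    rule, an example choice rather than anything from the thread:
      iptables -I INPUT -p tcp -m multiport --dports 110,143,993,995 \\
          -m recent --name dovecot-bad --rcheck --seconds 1800 -j DROP
    """
    return [f"echo +{ip} > /proc/net/xt_recent/{list_name}" for ip in ips]


if __name__ == "__main__":
    events = parse_auth_failures(SAMPLE_LOG)
    per_ip = failures_per_ip(events)
    print(f"{len(events)} failures from {len(per_ip)} IPs, "
          f"max per IP = {max(per_ip.values())}")
    for pw, info in spray_candidates(events).items():
        print(f"password {pw!r}: {len(info['ips'])} IPs, "
              f"{len(info['users'])} accounts")
        for cmd in xt_recent_add_commands(info["ips"]):
            print("  " + cmd)
```

Run against the quoted lines, the per-IP view reports nine IPs with one failure each (so only maxretry=1 would ever ban them), while the per-password view reports `1q2w3e4r` from five IPs against three accounts and `1q2w3e4r5t` from four IPs against two accounts. Two caveats for anyone wiring this into rsyslog: an xt_recent list holds 100 addresses by default (module parameter `ip_list_tot`), which the 114 bans mj already counted would exceed, so raise it or use an ipset for larger lists; and grouping by password only works while `auth_verbose_passwords` is on, which itself puts plaintext guesses, including legitimate users' typos, into the log.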