On 2017-07-25 09:37, Olaf Hopp wrote:
But the rate at which they are knocking is very very low. So fail2ban will never catch them.
For example one IP:
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
OSSEC has at least two ways of stopping these:
- Repeat offenders option: this keeps track of the IP and increases the block time if they come back (within a defined timeframe).
- You can simply overwrite the rule looking for repeated attempts from the same IP and increase the timeframe option to hours instead of minutes.
Note the timestamps. If I look the other way round (tries to one account) I'll get
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
Also note the timestamps!
In this case, it looks like it's coming from several different IPs. If the IPs are in geographic regions which should never have a need to log in, you can deny them preemptively in rules.
You can also simply look for any attempt to authenticate to an unknown user and block that. It would be interesting to try to figure out a way to look for deviations from the normal naming convention, or perhaps try to identify something that looks random.
There are other options, as well. You can set up a CDB list with known bad IPs and populate them from threat lists of your choice.
All around, I think you'll find it much more capable and robust than fail2ban.
Disclaimer: I wrote the OSSEC Dovecot ruleset several years ago. I don't know if it is current (but I think it is being maintained).
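Added example (my own code, not part of this thread and not the OSSEC Dovecot ruleset): a small Python detector that runs both pivots discussed above over the log lines quoted in the thread, counting failures per source IP and distinct source IPs per username over a timeframe measured in seconds, as OSSEC's frequency/timeframe options are. It assumes the year 2017 for the timestamps, since syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# The dovecot auth-worker lines quoted in the thread above, in time order.
SAMPLE_LOG = """\
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
"""

# Matches both the "unknown user" and the "pam_authenticate() failed" variants.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
                     r"pam\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): (?P<msg>.*)$")

def parse(log_text, year=2017):
    """Return (timestamp, user, ip, message) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"], m["msg"]))
    return events

def _windowed_max(events, key_index, timeframe_s, measure):
    """Per key, the largest measure() over any window of timeframe_s seconds opening at one of its events."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[ev[key_index]].append(ev)
    return {key: max(measure([e for e in evs[i:] if (e[0] - evs[i][0]).total_seconds() <= timeframe_s])
                     for i in range(len(evs)))
            for key, evs in by_key.items()}

def repeat_offenders(events, threshold, timeframe_s):
    """Source IPs with at least `threshold` failures inside one timeframe (the per-IP pivot)."""
    return {ip: n for ip, n in _windowed_max(events, 2, timeframe_s, len).items() if n >= threshold}

def distributed_by_user(events, threshold, timeframe_s):
    """Usernames probed from at least `threshold` distinct source IPs inside one timeframe (the per-account pivot)."""
    distinct_ips = lambda window: len({e[2] for e in window})
    return {u: n for u, n in _windowed_max(events, 1, timeframe_s, distinct_ips).items() if n >= threshold}
```

With a fail2ban-style ten-minute window nothing trips, while a three-hour window flags 101.231.247.210 on the per-IP pivot and endsulei on the per-account pivot.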