Dear colleagues,
many thanks for your valuable input.
Since we are a university, GEO-IP blocking is not an option for us. Sometimes I think it should be ;-)
My "mistake" was that I had just *one* fail2ban filter for both cases: "wrong password" and "unknown user".
Now I have two distinct jails: The first one just for "wrong password" and here the findtime, bantime, retries are tolerant to typos.
And I have a new one just for "unknown user", and here my bantime and findtime are much bigger and the retries are just '2'. So here I'm much harsher. I'll keep an eye on my logs and maybe some more tweaking is necessary.
Another interesting observation: I activated auth_verbose_passwords = plain to log the plain password when (and only when) there is "unknown user". It reveals that all different IPs trying one unknown account always try with the same stupid password scheme <ACCOUNT>1234. So this doesn't look very well coordinated between the bots ;-)
Regards, Olaf
On 07/25/2017 04:37 PM, Olaf Hopp wrote:
Hi folks,
"somehow" similar to the thread "under some kind of attack" started by "MJ":
I have dovecot shielded by fail2ban, which works fine. But since a few days I see many many IPs per day knocking on my doors with wrong passwords and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them.
For example one IP:
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210, ): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210, ): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210, ): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210, ): unknown user
Note the timestamps. If I look the other way round (tries to one account) I'll get
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200, ): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210, ): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
Also note the timestamps!
And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existing accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar? Does anybody have an idea against this? Many of these observed IPs are Chinese mobile IPs, if this matters. But we also have Chinese students and researchers, all abroad.
Regards, Olaf
-- Karlsruher Institut für Technologie (KIT) ATIS - Dept. of Technical Infrastructure, Faculty of Informatics
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009, 76131 Karlsruhe Phone: +49 721 608-43973 Fax: +49 721 608-46699 E-mail: Olaf.Hopp@kit.edu atis.informatik.kit.edu
www.kit.edu
KIT – The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
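The two-jail split described in the reply (a tolerant "wrong password" jail beside a harsh "unknown user" jail) can be checked offline before touching fail2ban. The following Python script is an added example, not code from the thread or from the fail2ban project: it parses Dovecot auth-worker lines of the shape shown above, routes each failure to one of two jails with their own maxretry/findtime/bantime, and replays a constructed sample log to show which source addresses each jail would ban. The jail numbers, the year used for the syslog timestamps, the host name and the documentation-range IPs are all assumptions.

```python
"""Two-jail replay of Dovecot PAM auth failures (added illustration, not fail2ban itself)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape taken from the Dovecot log excerpts in the thread; the session id
# between the angle brackets may be absent (then the field is just a space).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"pam\((?P<user>[^,]+),(?P<ip>[^,]+),[^)]*\): (?P<reason>.*)$"
)

# One policy per jail, in the spirit of the split described in the reply.
# The concrete numbers are assumptions, not the values Olaf uses.
JAILS = {
    "dovecot-unknown-user": {"maxretry": 2, "findtime": timedelta(days=1), "bantime": timedelta(days=7)},
    "dovecot-wrong-password": {"maxretry": 5, "findtime": timedelta(minutes=10), "bantime": timedelta(hours=1)},
}

LOG_YEAR = 2017  # syslog timestamps carry no year; assumed here for parsing


def classify(line):
    """Return (timestamp, ip, jail_name) for an auth-failure line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reason = m.group("reason")
    if reason == "unknown user":
        jail = "dovecot-unknown-user"
    elif reason.startswith("pam_authenticate() failed: Authentication failure"):
        jail = "dovecot-wrong-password"
    else:
        return None
    # Collapse the double space syslog uses for single-digit days before parsing.
    stamp = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), jail


def evaluate(lines):
    """Replay log lines through both jails; return {jail: {ip: ban_expiry}}."""
    failures = defaultdict(list)   # (jail, ip) -> failure timestamps inside findtime
    bans = defaultdict(dict)       # jail -> ip -> datetime when the ban expires
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ts, ip, jail = parsed
        pol = JAILS[jail]
        expiry = bans[jail].get(ip)
        if expiry is not None and ts < expiry:
            continue  # still banned by this jail; a real ban would block the connection
        # Sliding window: keep only failures not older than findtime.
        window = [t for t in failures[(jail, ip)] if ts - t <= pol["findtime"]]
        window.append(ts)
        if len(window) >= pol["maxretry"]:
            bans[jail][ip] = ts + pol["bantime"]
            window = []
        failures[(jail, ip)] = window
    return {jail: dict(ips) for jail, ips in bans.items()}


# Constructed sample log (documentation-range IPs), mimicking the thread's format:
# a legitimate user with three typos, a slow "unknown user" scanner, an unrelated
# login line, and a fast password-guessing source.
SAMPLE_LOG = """\
Jul 25 01:30:48 mx1 dovecot: auth-worker(1001): pam(alice,198.51.100.7,<abc>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 01:31:02 mx1 dovecot: auth-worker(1001): pam(alice,198.51.100.7,<abc>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 01:31:40 mx1 dovecot: auth-worker(1001): pam(alice,198.51.100.7,<abc>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 14:03:17 mx1 dovecot: auth-worker(2212): pam(nosuchuser,192.0.2.10, ): unknown user
Jul 25 14:10:00 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.8
Jul 25 16:08:51 mx1 dovecot: auth-worker(3379): pam(anothernobody,192.0.2.10, ): unknown user
Jul 25 20:00:00 mx1 dovecot: auth-worker(4000): pam(carol,203.0.113.5,<x1>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 20:01:00 mx1 dovecot: auth-worker(4000): pam(carol,203.0.113.5,<x2>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 20:02:00 mx1 dovecot: auth-worker(4000): pam(carol,203.0.113.5,<x3>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 20:03:00 mx1 dovecot: auth-worker(4000): pam(carol,203.0.113.5,<x4>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 20:04:00 mx1 dovecot: auth-worker(4000): pam(carol,203.0.113.5,<x5>): pam_authenticate() failed: Authentication failure (password mismatch?)
"""

if __name__ == "__main__":
    for jail, ips in evaluate(SAMPLE_LOG.splitlines()).items():
        for ip, until in ips.items():
            print(f"{jail}: ban {ip} until {until}")
```

Replaying the sample shows the point of the split: the typo-prone user stays unbanned under the password jail, the scanner that touches two non-existent accounts hours apart is caught by the unknown-user jail's long findtime, and only the fast guesser trips the password jail. To turn the same distinction into real fail2ban filters, the two `reason` branches in `classify` are the two `failregex` patterns you would put in separate filter files.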