Re: under some kind of attack
I would like to create a fail2ban filter that scans for these lines:
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
(As you can see, I have enabled auth_verbose_passwords to do this, making me very uncomfortable...)
Anyway: since there are only a few password variations, I would like to block anyone using those passwords.
With all the constraints and processing, I'll offer yet another option: use the checkpassword password authentication scheme. This will bypass post-authentication log-sniffing and allow you direct access to username, password and client IP (the last I'm not positive about) at authentication time.
Now you'll have everything you need to do any wild and crazy auth processing, including database searches and triggering firewall blocking based on whatever criteria you want (including common password use).
As to how to integrate it into your dovecot, I'm not sure whether it's best to supplant the LDAP method and authenticate within the checkpassword script, or to put it as the first authentication method (ahead of LDAP) to get first crack at inspecting authentication data, or as the fallback authentication method (after LDAP) to pick up all the failures.
However, after running honeypots, I can tell you that although BFD attackers will commonly use passwords, any static list of abused passwords will miss a lot. (A common one they use is $password=variations($user) or variation($domain).) The number of auth failures should also be a criterion for banning. Extinct users are also good candidates for instant banning.
Joseph Tam jtam.home@gmail.com
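The two approaches discussed above (a fail2ban filter keyed on the password field versus richer criteria such as user- or domain-derived guesses, nonexistent users and a failure count) can be compared on sample data. The following is an added example written for this page, not code posted in the thread: it parses constructed log lines in the format quoted by the original poster and applies each ban criterion in turn. The user list, common-password list, default domain and sample IPs are assumptions for the demo; the fail2ban failregex in the comment is the rough filter.d equivalent of the Python regex.

```python
"""Detection logic for dovecot 'invalid credentials' lines logged with
auth_verbose_passwords=yes. Added example, not from the thread.

Three ban criteria from the reply are applied: a static list of abused
passwords (what the original poster asked fail2ban to do), passwords derived
from the username or domain, and a per-IP failure count. Logins for users
that do not exist are flagged as well. KNOWN_USERS, COMMON_PASSWORDS,
DEFAULT_DOMAIN and the sample log are constructed for the demo.
"""
import re
from collections import Counter, defaultdict

# Roughly the filter.d failregex this mirrors (fail2ban strips the timestamp
# itself and substitutes <HOST> with its own address pattern):
#   failregex = ^auth: Info: ldap\(\S+,<HOST>,<[^>]*>\): invalid credentials \(given password: (?:password|123456)\)$
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) auth: Info: "
    r"(?P<mech>\w+)\((?P<user>[^,]+),(?P<ip>[0-9a-fA-F.:]+),<[^>]*>\): "
    r"invalid credentials \(given password: (?P<password>.*)\)$"
)

# Assumed site data for the demo.
KNOWN_USERS = {"user1", "user2", "bob", "alice"}
COMMON_PASSWORDS = {"password", "123456", "qwerty"}
DEFAULT_DOMAIN = "example.org"  # used when the login name carries no @domain

# Constructed sample log, modelled on the lines quoted in the thread. The
# imap-login line is there to show that non-matching lines are ignored.
SAMPLE_LOG = """\
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
Jul 20 11:10:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<user1>, method=PLAIN, rip=60.166.35.162
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<aBcDeFgHiJkLmNoP>): invalid credentials (given password: password)
Jul 20 11:10:31 auth: Info: ldap(user2@example.org,61.53.66.4,<Q1w2E3r4T5y6U7i8>): invalid credentials (given password: user2)
Jul 20 11:11:02 auth: Info: ldap(bob,198.51.100.7,<zZyYxXwWvVuUtTsS>): invalid credentials (given password: correcthorse)
Jul 20 11:11:05 auth: Info: ldap(bob,198.51.100.7,<zZyYxXwWvVuUtTsS>): invalid credentials (given password: correcthorse1)
Jul 20 11:12:40 auth: Info: ldap(alice,203.0.113.9,<MnBvCxZlKjHgFdSa>): invalid credentials (given password: example.org)
Jul 20 11:12:44 auth: Info: ldap(carol,203.0.113.9,<PoIuYtReWqAsDfGh>): invalid credentials (given password: letmein)
Jul 20 11:13:01 auth: Info: ldap(alice,192.0.2.55,<LkJhGfDsAqWeRtYu>): invalid credentials (given password: Welcome1)
Jul 20 11:13:03 auth: Info: ldap(alice,192.0.2.55,<LkJhGfDsAqWeRtYu>): invalid credentials (given password: P@ssw0rd)
Jul 20 11:13:06 auth: Info: ldap(alice,192.0.2.55,<LkJhGfDsAqWeRtYu>): invalid credentials (given password: Football)
"""


def parse(log_text):
    """Return one dict per matching auth failure line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def variations(word):
    """Trivial guesses an attacker derives from a word (user or domain part)."""
    w = word.lower()
    return {w, w.capitalize(), w.upper(), w[::-1], w + "1", w + "123", w + "!"}


def is_derived_guess(user, password):
    """True if the password is a simple variation of the login or its domain."""
    local, _, domain = user.partition("@")
    domain = domain or DEFAULT_DOMAIN
    candidates = variations(local) | variations(domain) | variations(domain.split(".")[0])
    return password in candidates


def decide_bans(events, known_users=KNOWN_USERS, common_passwords=COMMON_PASSWORDS, maxretry=3):
    """Map client IP -> list of reasons it should be banned (empty map entry never appears)."""
    reasons = defaultdict(list)
    failures = Counter()
    for ev in events:
        ip, user, pw = ev["ip"], ev["user"], ev["password"]
        failures[ip] += 1
        if pw in common_passwords:                    # the static-list filter the OP asked for
            reasons[ip].append(f"common password {pw!r}")
        elif is_derived_guess(user, pw):              # variations($user) / variations($domain)
            reasons[ip].append(f"password derived from user/domain ({pw!r})")
        if user.partition("@")[0] not in known_users: # extinct or never-existing user
            reasons[ip].append(f"nonexistent user {user!r}")
        if failures[ip] == maxretry:                  # plain failure count, like fail2ban maxretry
            reasons[ip].append(f"{maxretry} failures")
    return dict(reasons)


def scan(log_text):
    """Convenience wrapper: parse a log and return the ban decisions."""
    return decide_bans(parse(log_text))


if __name__ == "__main__":
    for ip, why in sorted(scan(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(why))
```

Note what each criterion catches in the sample: the static list bans the two IPs guessing "password", the derivation check catches "user2" and "example.org" as passwords, the unknown user "carol" flags its IP immediately, and 192.0.2.55 is caught only by the failure count, since none of its three guesses is on the list. Bob's two mistyped passwords from 198.51.100.7 trigger nothing. A fail2ban filter keyed on the password field implements only the first of these; the count criterion is what fail2ban's maxretry already provides when the failregex matches every failure rather than only listed passwords.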
Not applicable to most installations, but I use geographical filtering on all ports other than 25. Fine if you are the only user of the email system. I don't block countries where I will send and retrieve email. I augment this with a small blocking list of IP space where I'm OK if they read my websites, but won't be sending/receiving email from their physical location. In short, schools and universities. So for example I would have trouble sending mail from the University of Michigan or anywhere in Kazakhstan.
I get one hacker a week trying to guess passwords, and always from a Digital Ocean VPS. I just block them as they occur. I have a list of data centers that have tried to hack my web server, which I also block from the email server other than port 25.
I would like to see statistics on the success of such brute force attacks. They can't be very successful these days.
participants (2): Gary Sellani, Joseph Tam