ot: how to block persistent same invalid account, different IPs

22 Dec 2017


      I've installed fail2ban, it seems to be working as it identified my failed
test logins, BUT, my question is:
what can I do when I see same invalid name trying to login to dovecot,
different IP each time, how can I say block each IP as used by this name ?
or it that a bad idea ?
I can see two persistent attempts as so:
I don't have such user 'ignacio' or 'julian'
#  grep ignacio.munoz  /var/log/dovecot.log | wc
178    3436   35624
#  grep ignacio.munoz  /var/log/dovecot.log | grep 'auth fail' | wc
178    3436   35624
#  grep julian  /var/log/dovecot.log | wc
178    3432   34321
#  grep julian  /var/log/dovecot.log | grep 'auth fail' | wc
178    3432   34321
last 6 tries, sometimes have just : , sometimes, with tld
Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
8 secs): user=ignacio.munoz@aaa.com, method=PLAIN, rip=157.122.183.218,
lip=163.47.110.6, TLS, session=<Z4JniOdgkgCderfa>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=, method=PLAIN, rip=60.172.162.2,
lip=163.47.110.6, TLS, session=<CsdriudgWAA8rKIC>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
10 secs): user=ignacio.munoz@aaa.com, method=PLAIN, rip=60.30.224.189,
lip=163.47.110.6, TLS: Disconnected, session=<kvLWLelg0QA8HuC9>
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=, method=PLAIN, rip=220.164.2.138,
lip=163.47.110.6, TLS: Disconnected, session=
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=ignacio.munoz@aaa.com, method=PLAIN, rip=113.8.194.3,
lip=163.47.110.6, TLS, session=<jfSgoOlgswBxCMID>
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=, method=PLAIN, rip=58.210.119.226,
lip=163.47.110.6, TLS, session=
--
Voytek

Voytek Eymont

Jeff Abrahamson

Marcus Rueckert

tags

participants (3)