I have fail2ban working for EVERYTHING else except dovecot. I have tried using my own custom regex in conjunction with the regex on the dovecot.org site. Neither is picked up by fail2ban, and I'm trying to use an imminent attack against dovecot, going on now, to my advantage to see when I get the right regexp. Here are my current ones:
failregex = .*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login)  \((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*   <<< this is my custom
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*   <<< from dovecot.org
            .*warning:.\S*\[(?P<host>)\]: SASL.(?:PLAIN|LOGIN).authentication failed:.*
Here is the current attack:
Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12
Can someone help me out a little?
Thanks,
Jerrale G
Hi dovecot network,
The principle of fail2ban is repeated connections with the same login; fail2ban does not work if the attack changes the login every time. This type of attack is rather to find valid user accounts.
I may be wrong; I hope I too am a victim of this kind of attack.
On Thu, 10 Jun 2010 17:19:24 -0400, Jerrale Gayle <jerralegayle@sheltoncomputers.com> wrote:
On Thu, Jun 10, 2010 at 5:38 PM, fakessh <fakessh@fakessh.eu> wrote:
A bit of a side thought, would it be possible to just ban an IP trying to connect with a non-existent user?
On 6/10/2010 5:38 PM, fakessh wrote:
Yeah, you're wrong. With regexp, you can have fail2ban ignore any part of the log file, as in ANYTHING containing text around anything will be caught. You can have fail2ban ban every ip address that shows up in the log!
My regex for fail2ban for dovecot 2.0beta5, with users in an SQL base, works like this!
failregex = dovecot: auth: sql.*,<HOST>.*: Password mismatch
dovecot: auth: sql.*,<HOST>.*: unknown user
And if you use smtp-auth in postfix through dovecot, here is my regex for it:
failregex = warning:.*\[<HOST>.*: SASL login authentication failed:.*
Sorry if this is not what you want!
[]'sf.rique
On Fri, Jun 11, 2010 at 2:00 AM, Jerrale Gayle <jerralegayle@sheltoncomputers.com> wrote:
On 11:59 AM, Jerrale Gayle wrote:
failregex = .*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login)  \((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*   <<< this is my custom
There is an extra space following "(?:Disconnected|Aborted login)" in the above. There should be only one space, not two.
Note that fail2ban comes with a fail2ban-regex command for testing regexps against logs or log lines.
--
Mark Sapiro <mark@msapiro.net>          The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan
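Mark's "extra space" diagnosis and his fail2ban-regex tip can be checked offline without waiting for the next attack. The script below is an added example, not code from the thread or from fail2ban: it reproduces the <HOST> substitution that fail2ban 0.8 performed before compiling a failregex, runs Jerrale's rule as posted (two spaces) and with the space removed against the log line from the thread, and also runs Henrique's "unknown user" rule against a constructed dovecot 2.x auth line, which is the kind of line the "ban on non-existent user" idea would key on. The constructed line and its IP are assumptions, not taken from the thread.

```python
import re

# The substitution fail2ban 0.8 applied to <HOST> before compiling a failregex
# (assumption: newer releases use a more elaborate pattern, same idea).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Line 1 is the attack line from the thread. Line 2 is a CONSTRUCTED dovecot 2.x
# "unknown user" line in the shape Henrique's SQL-backend regex targets.
LOG_LINES = [
    "Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12",
    "Jun 11 09:02:44 mail dovecot: auth: sql(bob,198.51.100.7): unknown user",
]

# Jerrale's custom rule exactly as posted: two spaces before the escaped paren.
AS_POSTED = (r".*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login)  "
             r"\((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*")
# The same rule with the stray space removed, as Mark suggests.
ONE_SPACE = AS_POSTED.replace("login)  \\(", "login) \\(")
# Henrique's rule for dovecot 2.0 with an SQL userdb.
SQL_UNKNOWN_USER = r"dovecot: auth: sql.*,<HOST>.*: unknown user"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregex, lines):
    """Return the <host> capture for every line the rule matches.

    fail2ban applies failregex with re.search, so anchoring is the rule's job.
    """
    rx = compile_failregex(failregex)
    return [m.group("host") for m in (rx.search(line) for line in lines) if m]


if __name__ == "__main__":
    for name, rule in [("as posted", AS_POSTED), ("one space", ONE_SPACE),
                       ("sql unknown user", SQL_UNKNOWN_USER)]:
        print(f"{name:18} -> {matched_hosts(rule, LOG_LINES)}")
```

On a real box the same check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf`, which reports how many lines each failregex matched.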
participants (6): fakessh, Henrique Fernandes, Jerrale Gayle, John, Mark Sapiro, Mauricio Tavares