Olaf Hopp <Olaf.Hopp@kit.edu> writes:

I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them.

Slow roll distributed attacks. Really hard to stop.

And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existings accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar ?

All the time, and to many services. If you need to be fault tolerant, you'll either have to set tolerant limits (allow reasonable number of failures), or timeout features. You could also track successful logins as whitelisting entries for future logins.

Anybody an idea against this ? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad.

Nearly an intractable problem, especially since your users are embedded in a notoriously infested network (as someone quipped, "like picking marshmallows out from a pile of sh*t").

Some ideas:

- pre-emption (using third party RBLs that targets BFD)
- immediate blacklisting of known bad users/passwords
	(e.g. "admin", "support", extinct users, etc.)
- persistent tracking storage: tracking in SQL, or
	or large LRU list that can reach far enough back
	in time.

(I think Aki mentioned weakforced which you can use instead if fail2ban to implement some of these things.)

There are other solutions like alternate ports, port knocking, certificate authentication, or VPN, but they are hard/impossible to do with a large userbase, or have high setup/amortization costs.

If you have a enforced strong password policy, these brute forcers have little chance of succeeding, so maybe the easiest cheapest policy is to ignore it.

Joseph Tam <jtam.home@gmail.com>