[Dovecot] script to detect dictionary attacks
Hi
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
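As an added example (not a script from this thread or from any of its participants), here is what the requested maillog filter looks like with plain grep, sed, awk and sort: it sums dovecot auth failures per source IP and produces a one-time notification text for the IPs above a threshold. It assumes dovecot 2.x "imap-login"/"pop3-login" disconnect lines, and the log it reads is constructed.

```shell
#!/bin/sh
# Added example (not from this thread): count dovecot auth failures per source
# IP from syslog-style lines, which is what the poster asked for. Assumes
# dovecot 2.x "imap-login"/"pop3-login" disconnect lines carrying
# "auth failed, N attempts" and "rip=<addr>". The log below is constructed.

SAMPLE_LOG='Apr  6 13:01:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Apr  6 13:01:05 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Apr  6 13:02:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<harald>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS
Apr  6 13:03:40 mail dovecot: imap-login: Disconnected (auth failed, 4 attempts in 9 secs): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Apr  6 13:04:00 mail dovecot: imap-login: Login: user=<harald>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS'

# auth_failures_by_ip: reads log lines on stdin and prints one line per source
# IP as "<failed attempts> <ip> <distinct users tried>", highest count first.
# Successful logins and anything that is not a dovecot login failure are ignored.
auth_failures_by_ip() {
    grep -E 'dovecot: (imap|pop3)-login: .*auth failed, [0-9]+ attempts' \
    | sed -nE 's/.*auth failed, ([0-9]+) attempts.*user=<([^>]*)>.*rip=([0-9a-fA-F.:]+).*/\1 \3 \2/p' \
    | awk '{ n[$2] += $1
             if (!(($2, $3) in seen)) { seen[$2, $3] = 1; users[$2]++ } }
           END { for (ip in n) printf "%d %s %d\n", n[ip], ip, users[ip] }' \
    | sort -rn
}

# dictionary_attackers THRESHOLD: keeps only the IPs whose summed failed
# attempts reach THRESHOLD; a single typo from a real user stays below it.
dictionary_attackers() {
    auth_failures_by_ip | awk -v t="$1" '$1 >= t'
}

# Build the one-time notification text. Piping this into
# "mail -s 'dovecot dictionary attack' postmaster" is the only step left;
# the whois lookup and the iptables-block.sh entry remain manual, as requested.
report() {
    printf '%s\n' "$SAMPLE_LOG" | dictionary_attackers "$1" \
    | while read -r count ip users; do
        printf 'source %s: %s failed logins against %s distinct users (whois %s before blocking)\n' \
            "$ip" "$count" "$users" "$ip"
    done
}

report 5
```

Run from cron with `tail` or `logtail` output replacing the constructed sample, so each run only sees lines since the previous one and an IP is reported once.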
On 2013-04-06 13:18, Reindl Harald wrote:
Hi
Hi!
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
What about ...fail2ban? :) You can configure it to run any script when fail2ban detects a brute force attack. You can pass <ip> as a parameter to the script. Fail2ban can also send email to the proper abuse address. Maybe I'm wrong, but reading what you wrote about your needs, it looks like fail2ban can do it.
Marcin
On 06.04.2013 13:18, Reindl Harald wrote:
Hi
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
Hi Harald, not exactly,
but i have written a blog post on detecting brute force attacks against dovecot and alarming via xymon:
http://sys4.de/de/blog/2013/01/29/howto-monitor-brute-force-attacks-on-dovec...
as well i have another blog post
about using iptables recent out of an rsyslog pipe to drop ips:
http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-mo...
mix it up somehow in scripts and produce some mail to the abuse mail account found by whois; to me alarming is enough, at my servers it looks like most alarms are coming from users with wrong login data etc., real brute force is rare
Best Regards, Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263; Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer; Chairman of the supervisory board: Joerg Heidrich
Reindl Harald wrote on 2013-04-06 13:18:
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
yes i have :)
pflogsumm
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
it's simple to make a filter that checks for unknown users in postfix logs; it's even simpler if one sends syslog to sql, then postfix can live-block the ip that sends to unknown users
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
that would be cool, lol :)
On 06.04.2013 14:24, Benny Pedersen wrote:
Reindl Harald wrote on 2013-04-06 13:18:
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
yes i have :)
pflogsumm
what has that to do with IMAP/POP3 logins?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
it's simple to make a filter that checks for unknown users in postfix logs; it's even simpler if one sends syslog to sql, then postfix can live-block the ip that sends to unknown users
but nobody speaks about postfix
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
that would be cool, lol :)
what would be cool? what *lol*?
i am speaking about a simple way to get a notification of the brute-forcing IP, and both are MANUAL tasks i have been doing since virtually forever
Reindl Harald wrote on 2013-04-06 14:43:
what has that to do with IMAP/POP3 logins?
patch / hack it for dovecot
but nobody speaks about postfix
and nobody uses sql logs
i am speaking about a simple way to get a notification of the brute-forcing IP, and both are MANUAL tasks i have been doing since virtually forever
if it was simple, others would have written it already
http://wiki.dovecot.org/HowTo/Fail2Ban
note that it works on dovecot 1.x as well, no need to upgrade :)
On 06.04.2013 14:52, Benny Pedersen wrote:
Reindl Harald wrote on 2013-04-06 14:43:
what has that to do with IMAP/POP3 logins?
patch / hack it for dovecot
f**k yourself
but nobody speaks about postfix and nobody uses sql logs
are you drunk, or what has this to do with sql logs?
i am using both, so what? the question was about an already existing script instead of writing my own
so if you have nothing better to say, shut up
i am speaking about a simple way to get a notification of the brute-forcing IP, and both are MANUAL tasks i have been doing since virtually forever
if it was simple, others would have written it already
and that was the question
the question was a script to parse maillog and simply notify, and NOT fail2ban or whatever long-living process, and NOT directly touch iptables; the iptables config is distributed with an in-house solution across the whole infrastructure
note that it works on dovecot 1.x as well, no need to upgrade :)
keep your silly smilies for yourself
[root@mail:~]$ rpm -q dovecot
dovecot-2.1.16-4.fc17.20130405.rh.x86_64
Reindl Harald wrote on 2013-04-06 14:59:
keep your silly smilies for yourself
haha
[root@mail:~]$ rpm -q dovecot
dovecot-2.1.16-4.fc17.20130405.rh.x86_64
you live in a precompiled problem
learn grep, cut, sort, and more on how to use fail2ban; just ignoring my help will not solve it for you
On 06.04.2013 16:04, Benny Pedersen wrote:
Reindl Harald wrote on 2013-04-06 14:59:
keep your silly smilies for yourself
haha
what haha? you are a young boy with no knowledge, proven many times
[root@mail:~]$ rpm -q dovecot
dovecot-2.1.16-4.fc17.20130405.rh.x86_64
you live in a precompiled problem
idiot, guess what the "rh" in "20130405.rh" means
learn grep, cut, sort, and more
boy, i am a developer and use them all day long
on how to use fail2ban; just ignoring my help will not solve it for you
to help, you would need to understand the question
what did you idiot not understand in the initial post: that fail2ban does not interest me because i do NOT want shorewall and whatever piece of crap on the infrastructure?
gamin-python, python-inotify, shorewall, shorewall-core are not needed here PERIOD
[root@buildserver:~]$ LANG=C; yum install fail2ban
Loaded plugins: etckeeper, presto, protectbase, security
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.8-2.fc17 will be installed
--> Processing Dependency: shorewall for package: fail2ban-0.8.8-2.fc17.noarch
--> Processing Dependency: python-inotify for package: fail2ban-0.8.8-2.fc17.noarch
--> Processing Dependency: gamin-python for package: fail2ban-0.8.8-2.fc17.noarch
--> Running transaction check
---> Package gamin-python.x86_64 0:0.1.10-12.fc17 will be installed
---> Package python-inotify.noarch 0:0.9.4-1.fc17 will be installed
---> Package shorewall.noarch 0:4.5.7.1-2.fc17 will be installed
--> Processing Dependency: shorewall-core = 4.5.7.1-2.fc17 for package: shorewall-4.5.7.1-2.fc17.noarch
--> Running transaction check
---> Package shorewall-core.noarch 0:4.5.7.1-2.fc17 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
not sure if relevant, apologies if not:
fwiw, I think csf/lfd (which came on my server) does a similar job, detecting login failures and blocking offenders/suspects
v
On Sat, 6 Apr 2013, Reindl Harald wrote:
Hi
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
Thinking tangentially to this proposal, are there blacklists (BLs) maintained of known IPs perpetrating pop/imap intrusion attempts, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?
That way, you leave your iptables configuration status quo, and create a mechanism that uses the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall.
Thanks,
Max Pyziur pyz@brama.com
On 06.04.2013 22:55, Max Pyziur wrote:
On Sat, 6 Apr 2013, Reindl Harald wrote:
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
Thinking tangentially to this proposal, are there blacklists (BLs) maintained of known IPs perpetrating pop/imap intrusion attempts, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?
That way, you leave your iptables configuration status quo, and create a mechanism that uses the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall
i don't know, but in fact i do not want to rely on automatisms and blacklists
sometimes i recognize a dictionary attack because "tail -f" on the mailserver is running in the background, and after coming back from a cigarette break i look at the output for a minute; if i see attacks i add the IP to "iptables-block.sh" after a whois
so i do not want to rely on automagic, and if some IP is added to whatever blacklist hours or days later, i simply want a one-time mail notification to look NOW in maillog and take action or ignore it, depending on the count and source
if it is some ISP from a country far away -> block it; if it is the fifth attempt from this ISP -> block the whole subnet
if it is a major ISP of the country i live in (austria) -> only an abuse mail to the ISP
On Sat, 6 Apr 2013, Reindl Harald wrote:
On 06.04.2013 22:55, Max Pyziur wrote:
On Sat, 6 Apr 2013, Reindl Harald wrote:
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
Thinking tangentially to this proposal, are there blacklists (BLs) maintained of known IPs perpetrating pop/imap intrusion attempts, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?
That way, you leave your iptables configuration status quo, and create a mechanism that uses the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall
i don't know, but in fact i do not want to rely on automatisms and blacklists
CBL is fairly reliable; you can screen it based on originating countries (I use ip2cc available from perl-IP-Country-2.27-1.el6.noarch to find the originating country for particular ips). I'm tentatively using OpenBL to block dictionary attacks by way of ssh.
By way of logwatch, I see enough dictionary attacks on dovecot; I take those ips and hope to use them soon to block dovecot attacks. The problem is the "aging": there needs to be a mechanism that determines whether or not an ip continues to be a threat. The BLs are good for that - once an ip or, say, the first three octets, diminish in frequency of attacks, then based on some threshold that you set, you can remove that ip (or set of ips) as a hostile threat to a particular service that you are running on your server/servers.
sometimes i recognize a dictionary attack because "tail -f" on the mailserver is running in the background, and after coming back from a cigarette break i look at the output for a minute; if i see attacks i add the IP to "iptables-block.sh" after a whois
so i do not want to rely on automagic, and if some IP is added to whatever blacklist hours or days later, i simply want a one-time mail notification to look NOW in maillog and take action or ignore it, depending on the count and source
if it is some ISP from a country far away -> block it; if it is the fifth attempt from this ISP -> block the whole subnet
if it is a major ISP of the country i live in (austria) -> only an abuse mail to the ISP
I understand the logic; I set a low threshold to label something being a threat for anything originating in China; the threshold is higher for things closer to home, since most of the traffic to the one server I control is from there.
MP pyz@brama.com
On 4/6/2013 2:13 PM, Max Pyziur wrote:
On Sat, 6 Apr 2013, Reindl Harald wrote:
if it is some ISP from a country far away -> block it; if it is the fifth attempt from this ISP -> block the whole subnet
if it is a major ISP of the country i live in (austria) -> only an abuse mail to the ISP
I understand the logic; I set a low threshold to label something being a threat for anything originating in China; the threshold is higher for things closer to home, since most of the traffic to the one server I control is from there.
The problem with a non-automated system, such as manually blocking China, is that it does not easily and quickly adapt.
Both of the following I have experienced:
- Excessive spam and hacking from China. I blocked China. Then I got a client that did business in China and had a branch office there. Suddenly I cannot block login attempts from China. And the users complain loudly about the excessive reject rate of legitimate emails from Chinese customers due to the spam filters. Also, legitimate users in China pick weak passwords which get hacked. Convincing the customer to improve passwords and security, and to use a VPN for Chinese users to access email so I could block China again, was unsuccessful.
While this is a bit beyond the scope of this list, the underlying problem is that in many far east countries, hacking is not illegal and thus there is no fear of getting caught, since there is no punishment. The real solution is to change those laws and have those countries enforce the laws. Good luck with that, however.
- I tried compiling a list of IPs used for hacking. As a test, I manually put them into the firewall to see if that stops anything. Results were that a single IP will attempt to brute force several hundred passwords, but then I never hear from that IP again, so the firewall block was pointless. However another, seemingly unrelated IP, takes up the brute force attack. Without an automated system, like fail2ban, I am just playing Whack-A-Mole and never actually manage to block any attempts.
In a different scenario, I also see 1-2 attempts from each IP in a group of thousands of IPs. These IPs do have legitimate users within them, so I cannot block whole IP ranges.
All these indicate that the brute force attacks are being implemented on zombie nets.
I do not see a perfect solution, or even a good one. A mediocre solution is a combination of fail2ban (which I have implemented), and enforcing strong passwords.
A feature that would be nice is if Dovecot could detect that X bad attempts for a given User ID happen in Y time, then that User ID is blocked (always gives back a bad authentication, even if the correct password is entered) for Z time. Also, Dovecot could slow down its reply, much like a tarpit. These would be configurable.
For example, if 3 bad password attempts are received for user@domain.com within 2 minutes, then the user is blocked for 10 minutes. That with strong passwords will make the system reasonably safe from zombie net attacks. Also, the tarpit feature would slow down the attacks and ease the bandwidth issue.
I am very willing to work with anyone on a solution that works better than these methods. As I see it, in order for a blacklist to work, it has to be large and distributed, like the spam blacklists are. Dovecot would need to report to the blacklist cloud, any IPs that it detects are being used to launch attacks. This is a big undertaking.
Dem
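As an added example (not code from Dovecot or from anyone in this thread), the per-user throttle proposed above can be simulated in a few lines of awk: X failed attempts for one user within Y seconds lock that user for Z seconds, and while the lock is active even a correct password is refused. The input is a constructed stream of "<epoch seconds> <user> <fail|ok>" auth events rather than raw maillog lines.

```shell
#!/bin/sh
# Added example (not from this thread): simulate the per-user throttle proposed
# above: X failed attempts for one user within Y seconds lock that user for Z
# seconds, and while locked even the correct password is refused. The input
# is a constructed stream of "<epoch seconds> <user> <fail|ok>" auth events;
# mapping real maillog lines onto it is left out of this example.

EVENTS='100 alice fail
130 alice fail
150 alice fail
160 alice ok
200 bob fail
700 alice ok
800 bob fail
900 bob fail'

# lockout_sim X Y Z: reads events on stdin, prints "<epoch> <user> <decision>"
# with decision = accept, reject (bad password), reject+lock (the X-th failure,
# which starts the lock) or locked (any attempt while the lock is active).
lockout_sim() {
    awk -v X="$1" -v Y="$2" -v Z="$3" '
    {
        t = $1 + 0; u = $2; res = $3
        # an active lock wins no matter what password was supplied
        if ((u in lock_until) && t < lock_until[u]) { print t, u, "locked"; next }
        # a good password outside a lock succeeds and clears the user history
        if (res == "ok") { print t, u, "accept"; hist[u] = ""; next }
        # keep only failures still inside the Y-second window, then add this one
        n = split(hist[u], old, " "); kept = ""; cnt = 0
        for (i = 1; i <= n; i++)
            if (old[i] + 0 > t - Y) { kept = kept " " old[i]; cnt++ }
        hist[u] = kept " " t; cnt++
        if (cnt >= X) { lock_until[u] = t + Z; hist[u] = ""; print t, u, "reject+lock"; next }
        print t, u, "reject"
    }'
}

# Professa's numbers: 3 failures within 2 minutes lock the user for 10 minutes.
printf '%s\n' "$EVENTS" | lockout_sim 3 120 600
```

In the constructed stream alice's correct password at 160 and 700 is refused because her lock runs until 750, while bob's failures at 200 and 800 fall outside one window and never add up to a lock.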
On 06.04.2013 23:48, Professa Dementia wrote:
Both of the following I have experienced:
- Excessive spam and hacking from China. I blocked China. Then I got a client that did business in China and had a branch office there. Suddenly I cannot block login attempts from China. And the users complain loudly about the excessive reject rate of legitimate emails from Chinese customers due to the spam filters.
again:
- i am on the dovecot list
- i speak about dictionary attacks on POP3/IMAP
- reject rate is not a topic here
well, even if i were speaking about the MTA it would not be a topic: the MTA is a commercial spam appliance and postfix is not directly the MX
Hi Reindl,
I have a similar script to detect brute force attacks on the dovecot sasl auth system; it's very simple to adapt to pop/imap failure logs:
http://psi.com.br/~julio/postfix/sasl-killer.sh
Regards,
--
_ Julio Cesar Covolato
0v0 <julio@psi.com.br>
/(_)\ F: 55-11-3129-3366 ^ ^ PSI INTERNET
On 06-04-2013 08:18, Reindl Harald wrote:
Hi
does anyone have a script which can filter out dictionary attacks from /var/log/maillog and notify about the source IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons, and avoid fail2ban at all because it does not match the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse mail to the ISP
participants (8): Benny Pedersen, Julio Cesar Covolato, Marcin Mirosław, Max Pyziur, Professa Dementia, Reindl Harald, Robert Schetterer, voytek@sbt.net.au