[Dovecot] script to detect dictionary attacks

Max Pyziur pyz at brama.com
Sun Apr 7 00:13:19 EEST 2013


On Sat, 6 Apr 2013, Reindl Harald wrote:

>
>
> Am 06.04.2013 22:55, schrieb Max Pyziur:
>> On Sat, 6 Apr 2013, Reindl Harald wrote:
>>> Does someone have a script which can filter out dictionary attacks
>>> from /var/log/maillog and notify about the source IPs?
>>>
>>> I know about fail2ban and so on, but I would like to have
>>> a mail with the IP address for two reasons, and avoid fail2ban
>>> altogether because it does not match the way we maintain firewalls:
>>>
>>> * add the IP to a distributed "iptables-block.sh" and distribute
>>>  it to every server with a comment and timestamp
>>> * write an abuse mail to the ISP
>>
>> Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating
>> attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL
>> (http://www.openbl.org/lists.html) does for ssh (primarily)?
>>
>> That way, you leave your iptables configuration as it is, and create a mechanism to use the resource (the BLs) to
>> populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute-force attacks on services that
>> have open ports in the firewall.
>
> I don't know, but in fact I do not want to rely on automatisms and blacklists.

CBL is fairly reliable; you can screen it based on originating countries 
(I use ip2cc, available from perl-IP-Country-2.27-1.el6.noarch, to find 
the originating country for particular IPs). I'm tentatively using OpenBL 
to block dictionary attacks by way of ssh.

By way of logwatch, I see enough dictionary attacks on dovecot; I take 
those IPs and hope to use them soon to block dovecot attacks. The problem 
is the "aging": there needs to be a mechanism that determines whether or 
not an IP continues to be a threat. The BLs are good for that: once an IP 
or, say, the first three octets, diminish in frequency of attacks, then 
based on some threshold that you set, you can remove that IP (or set of 
IPs) as a hostile threat to a particular service that you are running on 
your server/servers.

> Sometimes I recognize a dictionary attack because "tail -f" on the mailserver
> is running in the background, and after coming back from a cigarette break I look
> a minute at the output, and if I see attacks I add the IP after a whois to
> "iptables-block.sh".
>
> So I do not want to rely on automagic, and if some IP is added to whatever
> blacklist hours or days later, I want simply a one-time mail notification to
> look NOW in maillog and take action or ignore it depending on the
> count and source:
>
> if it is some ISP from a country far away -> block it
> if it is the fifth attempt from this ISP -> block the whole subnet
>
> if it is a major ISP of the country I live in (Austria) -> only an abuse mail to the ISP

I understand the logic; I set a low threshold to label something as 
a threat for anything originating in China; the threshold is higher for 
things closer to home, since most of the traffic to the one server I 
control is from there.

MP
pyz at brama.com
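The following is an added example, not a script from this thread or from the Dovecot project: a Python sketch of the notify-and-decide script Reindl asks for, combining the per-country thresholds and the "aging" step Max describes. The log lines are constructed samples in the shape of Dovecot's "Disconnected (auth failed, N attempts ...)" message; the COUNTRY table is a stand-in for ip2cc/GeoIP, and the thresholds (3 attempts for far-away countries, 20 for the home country, 3 hostile IPs in one /24 before the subnet is blocked, 24-hour aging) are illustrative assumptions you would tune to your own traffic.

```python
"""Detect IMAP/POP3 dictionary attacks in a Dovecot maillog and decide per-IP actions.

Added example; thresholds, country table and the sample log are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot logs one line per disconnect after failed authentication, e.g.
# "imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<x>, ... rip=1.2.3.4".
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proto>imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts?"
    r".*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)

# Hypothetical country lookup standing in for ip2cc (assumption: documentation
# ranges only; a real script would call perl-IP-Country or a GeoIP database).
COUNTRY = {"192.0.2.0/24": "CN", "198.51.100.0/24": "AT", "203.0.113.0/24": "US"}
HOME = "AT"
THRESHOLD = {"home": 20, "far": 3}  # failed attempts before an IP counts as hostile
SUBNET_HITS = 3                      # hostile IPs in one /24 before the whole /24 is blocked
AGE = timedelta(hours=24)            # forget an IP once it has been quiet this long
NOW = datetime(2013, 4, 7, 0, 0, 0)  # assumed clock for the sample run

# Constructed sample maillog; 203.0.113.99 is stale and 198.51.100.8 is a successful login.
SAMPLE_LOG = """\
Apr  6 22:40:11 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<aaa>
Apr  6 22:41:02 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 7 secs): user=<info>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, session=<bbb>
Apr  6 22:41:40 mail dovecot: imap-login: Disconnected (auth failed, 4 attempts in 12 secs): user=<test>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, session=<ccc>
Apr  6 22:50:00 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<sales>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.5, session=<ddd>
Apr  6 22:51:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<max>, method=PLAIN, rip=203.0.113.50, lip=198.51.100.5, session=<eee>
Apr  6 22:52:00 mail dovecot: imap-login: Disconnected (auth failed, 25 attempts in 60 secs): user=<root>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.5, session=<fff>
Apr  1 03:00:00 mail dovecot: imap-login: Disconnected (auth failed, 9 attempts in 30 secs): user=<admin>, method=PLAIN, rip=203.0.113.99, lip=198.51.100.5, session=<ggg>
Apr  6 22:53:00 mail dovecot: imap-login: Login: user=<max>, method=PLAIN, rip=198.51.100.8, lip=198.51.100.5, TLS, session=<hhh>
"""


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"


def parse(lines, year=2013):
    """Yield (timestamp, ip, user, failed_attempts) for each auth-failure disconnect."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], int(m["n"])


def aggregate(events, now):
    """Sum attempts per IP and drop IPs whose last failure is older than AGE (the aging step)."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "last": None})
    for ts, ip, user, n in events:
        s = stats[ip]
        s["attempts"] += n
        s["users"].add(user)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return {ip: s for ip, s in stats.items() if now - s["last"] <= AGE}


def decide(stats):
    """Map each hostile IP to an action: 'block', 'block-subnet <net>' or 'abuse-mail'."""
    hostile = {}
    for ip, s in stats.items():
        cc = country_of(ip)
        limit = THRESHOLD["home"] if cc == HOME else THRESHOLD["far"]
        if s["attempts"] >= limit:
            hostile[ip] = cc
    per_subnet = defaultdict(list)
    for ip in hostile:
        per_subnet[str(ipaddress.ip_network(f"{ip}/24", strict=False))].append(ip)
    actions = {}
    for ip, cc in hostile.items():
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        if cc == HOME:
            actions[ip] = "abuse-mail"          # local ISP: notify, do not block
        elif len(per_subnet[net]) >= SUBNET_HITS:
            actions[ip] = f"block-subnet {net}"  # repeated offender range: block the /24
        else:
            actions[ip] = "block"               # single far-away source: block the IP
    return actions


def scan(lines, now):
    """One-shot run over a log: returns {ip: action} for the notification mail."""
    return decide(aggregate(parse(lines), now))


if __name__ == "__main__":
    for ip, action in sorted(scan(SAMPLE_LOG.splitlines(), NOW).items()):
        print(f"{ip:16} {country_of(ip)} -> {action}")
```

In practice you would run this from cron over the last rotation of /var/log/maillog, keep the set of IPs already reported in a state file so that each IP produces the one-time mail Reindl wants, and replace COUNTRY with a real lookup; the aging window is what lets an IP that has gone quiet drop out of the hostile set without a manual review.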
