under some kind of attack

Mihai Badici mihai at badici.ro
Tue Jul 18 23:28:39 EEST 2017


On Tuesday 18 July 2017 22:15:24 mj wrote:
> Hi,
> 
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
> 
> I have fail2ban with maxretry=1 and bantime=1800
> 
> However, it seems almost all IPs are different, and I don't think I can
> keep the above settings permanently.
> 
> Robert, your iptables suggestions are _very_ interesting! However, will
> they also work on imaps/993, because of the ssl?
> 
> Thanks for the quick replies!
> 
> MJ



Why not? You can however let them retry 2-3 times, we all made mistakes :)
If there is a real user in that ban list you will help him to find and remove
the malware in his network.



> 
> On 07/18/2017 09:52 PM, Robert Schetterer wrote:
> > Am 18.07.2017 um 21:44 schrieb mj:
> >> Hi all,
> >> 
> >> It seems we are under some kind of password guessing attack:
> >>> Jul 18 21:33:33 auth: Info:
> >>> ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials
> >>> (given password: 1q2w3e4r5t)
> >>> Jul 18 21:34:16 auth: Info:
> >>> ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials
> >>> (given password: 1q2w3e4r5t)
> >>> Jul 18 21:36:13 auth: Info:
> >>> ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid
> >>> credentials (given password: 1q2w3e4r)
> >>> Jul 18 21:36:50 auth: Info:
> >>> ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials
> >>> (given password: 1q2w3e4r)
> >>> Jul 18 21:36:56 auth: Info:
> >>> ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials
> >>> (given password: 1q2w3e4r5t)
> >>> Jul 18 21:37:18 auth: Info:
> >>> ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid
> >>> credentials (given password: 1q2w3e4r)
> >>> Jul 18 21:37:25 auth: Info:
> >>> ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials
> >>> (given password: 1q2w3e4r)
> >>> Jul 18 21:37:27 auth: Info:
> >>> ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials
> >>> (given password: 1q2w3e4r5t)
> >>> Jul 18 21:37:54 auth: Info:
> >>> ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials
> >>> (given password: 1q2w3e4r)
> >> 
> >> Different IPs, different usernames, but all (almost) the same password.
> >> 
> >> Any idea what we can do about this??
> >> 
> >> Any advice you could give us would be very much appreciated.
> >> 
> >> MJ
> > 
> > perhaps this
> > 
> > https://wiki.dovecot.org/HowTo/Fail2Ban
> > 
> > 
> > or you may adapt this
> > 
> > https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
> > 
> > https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
> > 
> > to pop3(s)/imap(s) and your needs
> > 
> > 
> > 
> > 
> > Best Regards
> > MfG Robert Schetterer
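The pattern mj describes (many source IPs, a handful of users, one or two passwords) is what a per-IP fail2ban threshold cannot see, because each source makes a single attempt and never reaches maxretry. As an added example that is not part of the thread, the Python below parses the Dovecot auth lines quoted above and correlates the failures by guessed password instead of by source IP; the `min_ips` threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the Dovecot auth log lines quoted in the thread,
# re-joined onto one line each (the archive wrapped them).
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
"""

# One Dovecot "invalid credentials" line: user, client IP, session id, guessed password.
AUTH_FAIL = re.compile(
    r"auth: Info: ldap\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]+>\): "
    r"invalid credentials \(given password: (?P<pw>.*)\)$"
)

def parse_failures(log_text):
    """Return a list of (user, ip, password) tuples, one per failed login."""
    out = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            out.append((m.group("user"), m.group("ip"), m.group("pw")))
    return out

def spray_report(failures, min_ips=3):
    """Group failures by guessed password; a password seen from at least min_ips
    distinct IPs is a spray. Also return the busiest single IP's attempt count."""
    by_pw = defaultdict(lambda: {"ips": set(), "users": set()})
    per_ip = defaultdict(int)
    for user, ip, pw in failures:
        by_pw[pw]["ips"].add(ip)
        by_pw[pw]["users"].add(user)
        per_ip[ip] += 1
    sprayed = {pw: (len(v["ips"]), len(v["users"]))
               for pw, v in by_pw.items() if len(v["ips"]) >= min_ips}
    return sprayed, max(per_ip.values(), default=0)

if __name__ == "__main__":
    sprayed, busiest = spray_report(parse_failures(SAMPLE_LOG))
    for pw, (n_ips, n_users) in sprayed.items():
        print(f"password {pw!r}: {n_ips} source IPs against {n_users} users")
    print(f"busiest single IP made {busiest} attempt(s)")  # prints 1
```

Correlating on the password only works because these lines include the attempted password (Dovecot's auth_verbose_passwords setting); without it, correlate on username and timing instead.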


