under some kind of attack

Aki Tuomi aki.tuomi at dovecot.fi
Thu Jul 20 12:23:34 EEST 2017



On 20.07.2017 12:16, mj wrote:
> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter, that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info:
>> ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials
>> (given password: password)
>> Jul 20 11:10:19 auth: Info:
>> ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given
>> password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like
> to block anyone using those passwords.
>
> (since the connections are over TLS/SSL, I cannot use iptables, as
> suggested earlier)
>
> So I need a specific fail2ban rule that extracts the <IP> from that
> line, and matches on "(given password: password)"
>
> Can anyone here help out with a failregex line that would match..?

You could use https://github.com/PowerDNS/weakforced here. It lets you
execute arbitrary actions in addition to just outright blocking the users.

Aki
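
As an added example (not part of the thread, and not taken from fail2ban's or Dovecot's shipped filter files), here is a failregex for the lines mj quoted, together with a small Python harness that applies it the way fail2ban does. Two details matter: fail2ban consumes the leading timestamp with its datepattern before the failregex is tried, so the failregex must start at "auth: Info:" rather than at the date; and the `<HOST>` tag is expanded by fail2ban to its own host pattern, for which the harness substitutes a simplified stand-in so it runs offline. The filter file name, the third and fourth sample lines, and the second weak password are constructed for the example.

```python
import re

# Constructed sample log lines: the two lines quoted in the thread (unwrapped
# to one line each, as Dovecot writes them), plus constructed cases that must
# and must not be matched.
SAMPLE_LOG = [
    "Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): "
    "invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): "
    "invalid credentials (given password: password)",
    # constructed: same attack, another weak password -> should be banned
    "Jul 20 11:11:02 auth: Info: ldap(user3,198.51.100.7,<abcDEFghiJKLmnop>): "
    "invalid credentials (given password: 123456)",
    # constructed: a real user mistyping a strong password -> must NOT match
    "Jul 20 11:12:40 auth: Info: ldap(alice,192.0.2.10,<zzzDEFghiJKLmnop>): "
    "invalid credentials (given password: C0rrectH0rse!)",
    # constructed: unrelated line -> must NOT match
    "Jul 20 11:12:41 imap-login: Info: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.10, lip=10.0.0.1, TLS",
]

# The passwords the attacker cycles through ("only a few password variations").
# Extend this list from your own log; each entry is regex-escaped below.
WEAK_PASSWORDS = ["password", "123456"]

# Stand-in for fail2ban's date handling: fail2ban strips the timestamp it
# recognises via datepattern *before* trying failregex, so failregex must not
# match the date itself. Pattern covers the "Jul 20 11:10:09 " prefix seen here.
DATE_RE = re.compile(r"^\s*[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Simplified stand-in for fail2ban's own <HOST> expansion (fail2ban's real
# pattern is wider; this one is enough for IPv4/IPv6 literals in the demo).
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"


def build_failregex(passwords):
    """failregex exactly as it would be written in the fail2ban filter file.

    <HOST> is fail2ban's placeholder for the IP to ban; the extra named groups
    (user, pw) are harmless to fail2ban and used here for reporting.
    [\\w-]+ matches the passdb name ("ldap" in the quoted lines).
    """
    alts = "|".join(re.escape(p) for p in passwords)
    return (r"^\s*auth: Info: [\w-]+\((?P<user>[^,]+),<HOST>,<[^>]*>\): "
            r"invalid credentials \(given password: (?P<pw>" + alts + r")\)\s*$")


def filter_conf(passwords):
    """Content for a filter file, e.g. /etc/fail2ban/filter.d/dovecot-weakpass.conf
    (file name hypothetical)."""
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % build_failregex(passwords)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban would and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def strip_date(line):
    """Mimic fail2ban: remove the recognised timestamp before matching."""
    m = DATE_RE.match(line)
    return line[m.end():] if m else line


def offending_hosts(lines, passwords=WEAK_PASSWORDS):
    """Return [(host, user, password)] for every line the filter would ban."""
    rx = compile_failregex(build_failregex(passwords))
    hits = []
    for line in lines:
        m = rx.match(strip_date(line))
        if m:
            hits.append((m.group("host"), m.group("user"), m.group("pw")))
    return hits


if __name__ == "__main__":
    print(filter_conf(WEAK_PASSWORDS))
    for host, user, pw in offending_hosts(SAMPLE_LOG):
        print("ban %-15s (user %s tried %r)" % (host, user, pw))
```

In the jail, `maxretry = 1` is the natural setting here, since a single attempt with a known attack password is enough evidence; the ban can cover the Dovecot ports (imaps, pop3s, submission) regardless of TLS, because fail2ban bans the source address, not the payload. Two caveats a practitioner would weigh: the list of passwords must be exact, so a legitimate user who really does use "password" is banned on a typo, and the whole approach depends on keeping `auth_verbose_passwords` on, which writes real passwords into the log in cleartext.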


More information about the dovecot mailing list