under some kind of attack

Robert Schetterer rs at sys4.de
Thu Jul 20 19:43:53 EEST 2017


On 20.07.2017 at 12:28, mj wrote:
> I have concocted something that seems to work. And for the archives, this
> is it:
> 
>> failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)
>>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)
>>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)
>>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)
>>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)
> 
> It's still reactive, and not pro-active.
> 
> All the other suggestions are very much appreciated, including
> weakforced, however implementing that is a much larger project.

I don't understand why you focused on those ldap strings.
fail2ban should trigger on some "Authentication failure" regex in the
related syslog.

Perhaps this will help to make it clearer:

http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot



> 
> Next I have to find out how to feed my fail2ban logs back to
> blocklist.de, to improve their mail.txt hit rate.
> 
> Thanks again for all kind assistance.
> 
> MJ
> 
> On 07/20/2017 11:16 AM, mj wrote:
>> Hi all,
>>
>> If I may, one more question on this subject:
>>
>> I would like to create a fail2ban filter that scans for these lines:
>>
>>> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
>>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)
>>
>> (as you can see, I have enabled auth_verbose_passwords to do this,
>> making me very uncomfortable...)
>>
>> Anyway: since there are only a few password variations, I would like
>> to block anyone using those passwords.
>>
>> (since the connections are over TLS/SSL, I cannot use iptables, as
>> suggested earlier)
>>
>> So I need a specific fail2ban rule that extracts the <IP> from that
>> line, and matches on "(given password: password)"
>>
>> Can anyone here help out with a failregex line that would match..?



Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München (Munich District Court): HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
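The following is an added example, not code from this thread, from fail2ban or from dovecot. It mimics what fail2ban does with a filter (expand `<HOST>`, try each failregex against each log line, count hits per host, ban at maxretry) and runs both mj's password-list filter and the generic "match the failure itself" approach Robert recommends over a constructed sample log modelled on the lines mj posted. Assumptions: the `<HOST>` expansion is a simplified stand-in for fail2ban's real host pattern, the sample lines (including the hosts 203.0.113.7 and 198.51.100.2 and the line with no "(given password: ...)" suffix, which assumes dovecot's format when auth_verbose_passwords is off) are constructed, and findtime is ignored as if every line fell inside one window.

```python
"""Run fail2ban-style failregexes over dovecot auth log lines.

Added example, not code from the thread, from fail2ban or from dovecot.
It expands <HOST>, tries each failregex against each line, counts the
matches per host and reports the hosts that reach maxretry.
"""
import re
from collections import Counter

# fail2ban replaces <HOST> with its own host pattern; this simplified
# stand-in (assumption) accepts an IPv4 address or hostname token.
HOST_RE = r"(?P<host>[\w\-.]+)"

# mj's filter from the thread: only failures that used one of the
# passwords seen in the attack (needs auth_verbose_passwords = yes).
PASSWORD_FAILREGEX = [
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)",
]

# What Robert suggests instead: match the authentication failure itself,
# whatever password was tried. The "(given password: ...)" suffix is not
# needed, so auth_verbose_passwords can stay off.
GENERIC_FAILREGEX = [
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials",
]

# Constructed sample log (not from the page), modelled on the lines mj
# posted. 203.0.113.7 guesses passwords that are not on mj's list; the
# line without "(given password: ...)" assumes the format dovecot logs
# when auth_verbose_passwords is off.
SAMPLE_LOG = """\
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)
Jul 20 11:10:24 auth: Info: ldap(user3,60.166.35.162,<aaaa>): invalid credentials (given password: 1qaz2wsx)
Jul 20 11:10:31 auth: Info: ldap(user4,60.166.35.162,<bbbb>): invalid credentials (given password: 1q2w3e4r5t)
Jul 20 11:10:40 auth: Info: ldap(user5,203.0.113.7,<cccc>): invalid credentials (given password: Correct-Horse-Battery)
Jul 20 11:10:45 auth: Info: ldap(user6,203.0.113.7,<dddd>): invalid credentials
Jul 20 11:10:50 auth: Info: ldap(user1,198.51.100.2,<eeee>): invalid credentials (given password: password)
Jul 20 11:10:55 auth: Info: ldap(user7,203.0.113.7,<ffff>): invalid credentials (given password: letmein)
"""


def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex, as fail2ban does for a filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def matching_hosts(log_text, patterns):
    """Return the <HOST> captured from every line that matches a failregex.

    fail2ban strips the timestamp before matching; search() makes that
    irrelevant here because none of the regexes is anchored.
    """
    compiled = compile_failregex(patterns)
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # one failure per line, like fail2ban
    return hosts


def hosts_to_ban(hosts, maxretry=3):
    """Hosts with at least maxretry failures.

    Assumption: every line falls inside one findtime window, so a plain
    count stands in for fail2ban's time-windowed counter.
    """
    counts = Counter(hosts)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, patterns in (("password list", PASSWORD_FAILREGEX),
                           ("generic", GENERIC_FAILREGEX)):
        hosts = matching_hosts(SAMPLE_LOG, patterns)
        print(f"{name}: {len(hosts)} matching lines, ban {hosts_to_ban(hosts)}")
```

With the password-list filter only 60.166.35.162 reaches maxretry; 203.0.113.7 fails three times as well but with passwords the list does not cover, so it is never counted. The generic regex catches both, and works without logging plaintext passwords.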