under another kind of attack

Darac Marjal mailinglist at darac.org.uk
Tue Jul 25 18:25:06 EEST 2017


On Tue, Jul 25, 2017 at 04:37:23PM +0200, Olaf Hopp wrote:
>Hi folks,
>
>"somehow" similar to the thread "under some kind oof attack" started by "MJ":
>
>I have dovecot shielded by fail2ban which works fine.
>But since a few days I see many many IPs per day knocking on
>my doors with wrong password and/or users. But the rate at which they are knocking
>is very very low. So fail2ban will never catch them.

Of course it will. You just need to set the "findtime" high enough.
Personally, on my very quiet home server, I have findtime set to 7200 (2
hours) and maxretry set to 5, meaning that if a host fails to
authenticate 5 times in two hours, they're banned (I have a fairly harsh
ban time of a week, so that stops them coming back too soon).

>
>For example one IP:
>
>Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
>Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
>Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
>Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
>
>Note the timestamps.
>If I look the other way round (tries to one account) I'll get
>
>Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
>Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
>Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
>Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
>Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
>Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
>
>Also note the timestamps!
>
>And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existing accounts.
>As you see in the timestamps in my examples, this cannot be handled by fail2ban without affecting
>regular users with typos.
>Is anybody observing something similar?
>Does anybody have an idea against this?
>Many of these observed IPs are Chinese mobile IPs, if this matters. But we have also Chinese students and
>researchers all abroad.
>
>
>Regards,
>Olaf
>
>-- 
>Karlsruher Institut für Technologie (KIT)
>ATIS - Dept. of Technical Infrastructure, Faculty of Informatics
>
>Dipl.-Geophys. Olaf Hopp
>- Head of IT Services -
>
>Am Fasanengarten 5, Building 50.34, Room 009
>76131 Karlsruhe
>Phone: +49 721 608-43973
>Fax: +49 721 608-46699
>E-Mail: Olaf.Hopp at kit.edu
>atis.informatik.kit.edu
>
>www.kit.edu
>
>KIT - The Research University in the Helmholtz Association
>
>KIT has been certified as a family-friendly university since 2010.
>
>



-- 
For more information, please reread.
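As an added example (not code from the thread or from either poster), the Python script below replays fail2ban's findtime/maxretry sliding window over the log lines Olaf quoted, so a defender can check what a given setting would actually catch on real data before changing the jail, and separately counts distinct source IPs per targeted account, which is the view a per-IP ban never gets. The copy of the log, the assumed year 2017 for the syslog timestamps, and the replay logic itself are assumptions of the example; it does not call fail2ban or read its filters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the dovecot auth-worker PAM failure lines quoted in the thread
# (both the "unknown user" and the "pam_authenticate() failed" variants).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"pam\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): (?P<msg>.*)$"
)

# Jail settings Darac describes: findtime 7200 s, maxretry 5, bantime one week.
FINDTIME = 7200
MAXRETRY = 5
BANTIME = 7 * 24 * 3600

# Sample input: a constructed copy of the lines Olaf quoted (syslog lines carry
# no year, so 2017 is assumed below). One line appears in both of his excerpts.
SAMPLE_LOG = """\
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
""".splitlines()


def parse_line(line, year=2017):
    """Return (timestamp, user, ip, message) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], m["msg"]


def parse_log(lines, year=2017):
    """Parse, drop duplicates (the same line quoted twice), and sort oldest first."""
    return sorted({e for e in (parse_line(l, year) for l in lines) if e})


def simulate_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay a fail2ban-style sliding window per source IP.

    Returns {ip: ban_time} for every IP that reached maxretry failures
    within findtime seconds. Events from an already banned IP are skipped
    for bantime seconds, as the firewall would drop them.
    """
    window = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    banned = {}
    for ts, _user, ip, _msg in parse_log(lines):
        if ip in banned and ts < banned[ip] + timedelta(seconds=bantime):
            continue
        q = window[ip]
        q.append(ts)
        while q and q[0] < ts - timedelta(seconds=findtime):
            q.popleft()  # expire failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
            q.clear()
    return banned


def sources_per_account(lines):
    """Count distinct source IPs per targeted account (invisible to per-IP banning)."""
    seen = defaultdict(set)
    for _ts, user, ip, _msg in parse_log(lines):
        seen[user].add(ip)
    return {user: len(ips) for user, ips in seen.items()}


def distributed_targets(lines, min_sources=3):
    """Accounts probed from at least min_sources distinct IPs, most sources first:
    the low-rate, many-source pattern Olaf describes."""
    counts = sources_per_account(lines)
    return sorted(((u, n) for u, n in counts.items() if n >= min_sources),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    print("bans with findtime=7200/maxretry=5:", simulate_bans(SAMPLE_LOG))
    print("bans with findtime=86400/maxretry=3:",
          simulate_bans(SAMPLE_LOG, findtime=86400, maxretry=3))
    print("accounts probed from many sources:", distributed_targets(SAMPLE_LOG))
```

Running it on the quoted sample shows why the numbers matter: the four 101.231.247.210 lines span about 2h07m, so a 7200 s window never holds more than three of them, whereas a 24-hour window with maxretry 3 bans that host at 16:08:51. Widening the window and lowering maxretry raises the chance of locking out a legitimate user with typos, which is the trade-off Olaf raises; fail2ban's `ignoreip` setting can exempt known-good networks from that. The per-account view flags endsulei, probed from six different addresses, a signal that belongs in a separate alert since no single-IP rule will ever fire on it.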