under another kind of attack
Tamsy
dovecot-list at mohtex.net
Tue Jul 25 18:32:03 EEST 2017
Olaf Hopp wrote on 25.07.2017 16:37:
> Hi folks,
>
> "somehow" similar to the thread "under some kind oof attack" started
> by "MJ":
>
> I have dovecot shielded by fail2ban which works fine.
> But since a few days I see many many IPs per day knocking on
> my doors with wrong password and/or users. But the rate at which they
> are knocking is very very low. So fail2ban will never catch them.
>
> For example one IP:
>
> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
> pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
> pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate()
> failed: Authentication failure (password mismatch?)
> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
> pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
> pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
>
> Note the timestamps.
> If I look the other way round (tries to one account) I'll get
>
> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
> pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
> pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
> pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
> pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
> pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
> pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
>
> Also note the timestamps!
>
> And I see many many distinct IPs per day (a few hundred) trying many
> many existing and non-existing accounts.
> As you see in the timestamps in my examples, this cannot be handled
> by fail2ban without affecting regular users with typos.
> Is anybody observing something similar?
> Anybody an idea against this?
> Many of these observed IPs are Chinese mobile IPs, if this matters.
> But we have also Chinese students and researchers all abroad.
>
>
> Regards,
> Olaf
>
For those "unknown user" attacks on Dovecot we use a rule we named
"dovecot-unknownusers.conf" with Fail2Ban:
<SNIP>
# the session id after the IP is optional, so both "pam(user,IP)" and the
# "pam(user,IP,<session>)" form shown in the log lines above are matched
failregex = ^%(__prefix_line)sauth-worker\(\d+\): (pam|sql)\(\S+,<HOST>(?:,<\S+>)?\): unknown user\s*$
<SNIP>
"findtime" we set to 5400 (90 minutes) with "maxretry" set to 2.
Works pretty well to block those pesky slow pace attacks.