under another kind of attack

Robert Schetterer rs at sys4.de
Tue Jul 25 22:00:51 EEST 2017 

Am 25.07.2017 um 16:54 schrieb mj:
> Hi Olaf,
> 
> Since we implemented country blocking, everything seems nicely under
> control, with only 'normal levels' of knocking.
> 
> We first have impemented:
> http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip
> 
> 
> Then we did:
> https://github.com/firehol/blocklist-ipsets

simply geoip blocking may work at your site
but it does not work for many other cases

> 
> And finale iptables rules like these:
> 
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc
>> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc
>> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc
>> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP
>>
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc
>> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc
>> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc
>> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP
>>
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc
>> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc
>> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc
>> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP
> 
> I tried to combine the various dports in one single rule, but that
> didn't seem to work. Perhaps someone here knows how to combine --match
> "geoip" and "multiport" in one single rule?
> 
> Anyway: for us these combined measures did the tric.
> 
> Users in one of the imap-blocked countries will have to use ActiveSync
> (works over https), the webmail-interface, or launch the VPN first.
> 
> This works for us.
> 
> Only one thing on my wishlist: application specific passwords. I would
> very much appreciate a respond on that thread... (posted yesterday
> evening, with a pseudo-dovecot-config file...)
> 
> Hope the above helps you a bit, Olaf.
> 
> MJ
> 
> On 07/25/2017 04:37 PM, Olaf Hopp wrote:
>> Hi folks,
>>
>> "somehow" similar to the thread "under some kind oof attack" started
>> by "MJ":
>>
>> I have dovecot shielded by fail2ban which works fine.
>> But since a few days I see many many IPs per day knocking on
>> my doors with wron password and/or users. But the rate at which they
>> are knocking
>> is very very low. So fail2ban will never catch them.
>>
>> For example one IP:
>>
>> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
>> pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
>> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
>> pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate()
>> failed: Authentication failure (password mismatch?)
>> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
>> pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
>> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
>> pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
>>
>> Note the timestamps.
>> If I look the other way round (tries to one account) I'll get
>>
>> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
>> pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
>> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
>> pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
>> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
>> pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
>> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
>> pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
>> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
>> pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
>> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
>> pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
>>
>> Also note the timestamps!
>>
>> And I see many many distinct IPs per day (a few hundred) trying many
>> many existing and non-existings accounts.
>> As you see in the timestamps in my examples, this can not be handled
>> by fail2ban without affecting
>> regular users with typos.
>> Is anybody observing something similar ?
>> Anybody an idea against this ?
>> Many of these observed IPs are chinese mobile IPs, if this matters.
>> But we have also chinese students and
>> researchers all abroad.
>>
>>
>> Regards,
>> Olaf
>>



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the dovecot mailing list