under another kind of attack

Michael Starks dovecot at michaelstarks.com
Wed Jul 26 00:36:20 EEST 2017


On 2017-07-25 09:37, Olaf Hopp wrote:
> But the rate at which they
> are knocking
> is very very low. So fail2ban will never catch them.
> 
> For example one IP:
> 
> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
> pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
> pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate()
> failed: Authentication failure (password mismatch?)
> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
> pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
> pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user

OSSEC has at least two ways of stopping these:

1. Repeat offenders option: this keeps track of the IP and increases the 
block time if they come back (within a defined timeframe).
2. You can simply overwrite the rule looking for repeated attempts from 
the same IP and increase the timeframe option to hours instead of 
minutes.


> Note the timestamps.
> If I look the other way round (tries to one account) I'll get
> 
> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
> pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
> pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
> pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
> pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
> pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
> pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
> 
> Also note the timestamps!

In this case, it looks like it's coming from several different IPs. If 
the IPs are in geographic regions which should never have a need to log 
in, you can deny them preemptively in rules.

You can also simply look for any attempt to authenticate to an unknown 
user and block that. It would be interesting to try to figure out a way 
to look for deviations from the normal naming convention, or perhaps try 
to identify something that looks random.

There are other options, as well. You can set up a CDB list with known 
bad IPs and populate them from threat lists of your choice.

All around, I think you'll find it much more capable and robust than 
fail2ban.

Disclaimer: I wrote the OSSEC Dovecot ruleset several years ago. I don't 
know if it is current (but I think it is being maintained).
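An added example, not from this thread or from the OSSEC Dovecot ruleset, of the two checks discussed above in Python: it parses the auth-worker pam failure lines, flags an IP that knocks slowly over a multi-hour window (the "timeframe in hours instead of minutes" idea), and flags a username probed from many different IPs. The log sample is constructed from the lines quoted in the thread; the year, window lengths and thresholds are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches dovecot auth-worker pam failures in the single-line form syslog writes them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"pam\((?P<user>[^,]+),(?P<ip>[\d.]+),<[^>]*>\): "
    r"(?P<reason>unknown user|pam_authenticate\(\) failed.*)$"
)

def parse_line(line, year=2017):
    """Return (timestamp, user, ip) for a pam auth failure, else None. Syslog has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def slow_ips(events, window=timedelta(hours=6), threshold=3):
    """IPs with at least `threshold` failures inside any span of length `window` (sliding window per IP)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return flagged

def distributed_users(events, window=timedelta(hours=24), min_ips=3):
    """Usernames tried from at least `min_ips` distinct IPs inside any span of length `window`."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = set()
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _ip) in enumerate(hits):
            if len({ip for ts, ip in hits[i:] if ts - start <= window}) >= min_ips:
                flagged.add(user)
                break
    return flagged

def analyse(text):
    """Parse a log excerpt and return (slow-knocking IPs, usernames hit from many IPs)."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return slow_ips(events), distributed_users(events)

# Constructed sample built from the lines quoted in the thread, plus one unrelated login line.
SAMPLE_LOG = """\
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
Jul 25 16:12:00 irams1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
"""
```

Running `analyse(SAMPLE_LOG)` flags 101.231.247.210 (four failures in just over two hours) and the account endsulei (five IPs in one day), neither of which a minutes-long fail2ban window would catch.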

