under another kind of attack

Olaf Hopp Olaf.Hopp at kit.edu
Wed Jul 26 12:57:47 EEST 2017


Dear colleagues,

many thanks for your valuable input.

Since we are a university, GEO-IP blocking is not an option for us.
Sometimes I think it should be ;-)

My "mistake" was that I had just *one* fail2ban filter for both cases:
"wrong password" and "unknown user".

Now I have two distinct jails:
The first one just for "wrong password" and here the findtime, bantime, retries
are tolerant to typos.

And I have a new one just for "unknown user" and here my bantime and findtime
are much bigger and the retries are just '2'. So here I'm much harsher.
I'll keep an eye on my logs and maybe some more tweaking is necessary.

Another interesting observation:
I activated
auth_verbose_passwords = plain
to log the plain password when (and only when) there is "unknown user".
It reveals that all the different IPs trying one unknown account always try the
same stupid password scheme <ACCOUNT>1234. So this doesn't look very well
coordinated between the bots ;-)

Regards,
Olaf


On 07/25/2017 04:37 PM, Olaf Hopp wrote:
> Hi folks,
> 
> "somehow" similar to the thread "under some kind of attack" started by "MJ":
> 
> I have dovecot shielded by fail2ban which works fine.
> But since a few days I see many many IPs per day knocking on
> my doors with wrong passwords and/or users. But the rate at which they are knocking
> is very very low. So fail2ban will never catch them.
> 
> For example one IP:
> 
> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
> 
> Note the timestamps.
> If I look at it the other way round (tries against one account) I get
> 
> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
> 
> Also note the timestamps!
> 
> And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existing accounts.
> As you see from the timestamps in my examples, this cannot be handled by fail2ban without affecting
> regular users with typos.
> Is anybody observing something similar?
> Does anybody have an idea against this?
> Many of these observed IPs are Chinese mobile IPs, if this matters. But we also have Chinese students and
> researchers all abroad.
> 
> 
> Regards,
> Olaf
> 


-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Department of Technical Infrastructure, Faculty of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
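The two-jail split described above (a tolerant "wrong password" jail next to a strict "unknown user" jail with maxretry 2) and the "other way round" per-account view, as an added example that is not part of the original message. It re-implements the fail2ban counting logic in Python over constructed dovecot auth-worker lines; the jail names, thresholds, hostname, PIDs, session ids and IPs are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format of the quoted auth-worker messages (all values made up).
LOG = """\
Jul 25 13:29:22 mail dovecot: auth-worker(4745): pam(endsulei,198.51.100.10,<s1>): unknown user
Jul 25 13:30:27 mail dovecot: auth-worker(4747): pam(endsulei,198.51.100.11,<s2>): unknown user
Jul 25 14:03:17 mail dovecot: auth-worker(2212): pam(eurodisc,203.0.113.5,<s3>): unknown user
Jul 25 14:05:00 mail dovecot: auth-worker(2213): pam(alice,192.0.2.20,<s4>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 14:06:10 mail dovecot: auth-worker(2214): pam(alice,192.0.2.20,<s5>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 mail dovecot: auth-worker(3379): pam(icpe,203.0.113.5,<s6>): unknown user
Jul 25 16:10:47 mail dovecot: auth-worker(4250): pam(endsulei,203.0.113.5,<s7>): unknown user
"""

PAM = r"pam\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): "
JAILS = {  # name: (failregex, maxretry, findtime in seconds); numbers are illustrative
    "dovecot-wrong-password": (re.compile(PAM + r"pam_authenticate\(\) failed"), 5, 600),
    "dovecot-unknown-user": (re.compile(PAM + r"unknown user$"), 2, 6 * 3600),
}

def parse(log):
    """Yield (timestamp, jail, ip, user) for every line that matches a jail's failregex."""
    for line in log.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog prefix, no year
        for jail, (rx, _, _) in JAILS.items():
            if m := rx.search(line):
                yield ts, jail, m.group("ip"), m.group("user")

def bans(log):
    """Per jail, the IPs with maxretry consecutive failures inside one findtime window."""
    hits = defaultdict(list)
    for ts, jail, ip, _ in parse(log):
        hits[(jail, ip)].append(ts)
    out = defaultdict(list)
    for (jail, ip), times in hits.items():
        _, maxretry, findtime = JAILS[jail]
        times.sort()
        if any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
               for i in range(len(times) - maxretry + 1)):
            out[jail].append(ip)
    return {jail: sorted(ips) for jail, ips in out.items()}

def distributed_targets(log):
    """Accounts probed as 'unknown user' from several IPs: invisible to a per-IP jail."""
    ips = defaultdict(set)
    for _, jail, ip, user in parse(log):
        if jail == "dovecot-unknown-user":
            ips[user].add(ip)
    return {user: len(v) for user, v in ips.items() if len(v) > 1}
```

On the sample, only 203.0.113.5 is banned (three unknown-user hits within the long findtime), while the two typo-like password failures stay under the tolerant threshold and the slow, distributed probing of one account from three IPs is only visible in the per-account view.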

