under another kind of attack

Olaf Hopp Olaf.Hopp at kit.edu
Thu Jul 27 10:40:13 EEST 2017


On 07/27/2017 05:19 AM, James Brown wrote:
> 
>> On 26 Jul 2017, at 7:57 pm, Olaf Hopp <Olaf.Hopp at kit.edu> wrote:
>>
>> Dear colleagues,
>>
>> many thanks for your valuable input.
>>
>> Since we are a university GEO-IP blocking is not an option for us.
>> Sometimes I think it should ;-)
>>
>> My "mistake" was that I had just *one* fail2ban filter for both cases:
>> "wrong password" and "unknown user".
>>
>> Now I have two distinct jails:
>> The first one just for "wrong password" and here the findtime, bantime, retries
>> are tolerant to typos.
>>
>> And I have a new one just for "unknown user" and here my bantime and findtime
>> are much bigger and the retries are just '2'. So here I'm much harsher.
>> I'll keep an eye on my logs and maybe some more tweaking is necessary.
>>
>> Another interesting observation:
>> I activated
>> auth_verbose_passwords = plain
>> to log the plain password when (and only when) there is "unknown user".
>> It reveals that all different IPs trying one unknown account always try with the
>> same stupid password scheme <ACCOUNT>1234. So this doesn't look very well
>> coordinated between the bots ;-)
> 
> Olaf, how do you do this only for the unknown user?
> 
> Can you share the Dovecot settings?
> 
> I’m under the same sort of slow distributed attack.
> 
> Also the two fail2ban jails would be helpful.


Nothing special in the dovecot config


/etc/fail2ban/jail.local
========================

[dovecot]

enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/dovecot
bantime = 600
findtime= 600
maxretry= 5
backend = auto


[dovecot_unknown]

ignoreip = X.X.X.0/24
enabled = true
filter  = dovecot_unknown
action  = iptables-multiport[name=dovecot_unknown, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/dovecot
bantime = 14400
findtime= 14400
maxretry= 2
backend = auto


/etc/fail2ban/filter.d/dovecot.local
=====================================

[INCLUDES]
before = common.conf

[Definition]
failregex =  dovecot: auth-worker\(\d+\): pam\(.*,<HOST>,\<.*\>\): pam_authenticate\(\) failed: Authentication failure \(password mismatch\?\)
ignoreregex =

/etc/fail2ban/filter.d/dovecot_unknown.local
============================================

[INCLUDES]
before = common.conf

[Definition]
failregex =  dovecot: auth-worker\(\d+\): pam\(.*,<HOST>,\<.*\>\): unknown user.*
ignoreregex =


The failregex lines may need adaptation to your log format.
"fail2ban-regex" is your friend.

On my Dovecot 2.2.31 "unknown user" log lines are
      Jul 26 14:58:56 irams1 dovecot: auth-worker(2822): pam(inikul,112.54.93.34,<TcVzAjhVMINwNl0i>): unknown user (given password: inikul2017)

and "wrong password" lines look like this
      Jul 26 15:01:41 irams1 dovecot: auth-worker(3530): pam(johndoe,120.209.164.118,<r+xPDDhVGJh40aR2>): pam_authenticate() failed: Authentication failure (password mismatch?)


Regards, Olaf
-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Department of Technical Infrastructure, Faculty of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
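As an added example (not part of Olaf's post or of fail2ban itself), the script below replays sample log lines through the two filters and jail settings shown above: it expands fail2ban's `<HOST>` tag (an IPv4-only expansion is assumed), applies the two failregex patterns, honours `ignoreip`, and reports which hosts would reach `maxretry` hits within `findtime`. The extra log lines, the 2017 year and the `10.0.0.0/24` ignore range are constructed for the demo.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> with a host-matching group; IPv4-only expansion assumed here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
JAILS = {  # failregex from the two filter files; findtime/maxretry from jail.local
    "dovecot": dict(findtime=600, maxretry=5, ignoreip=[], regex=re.compile(
        r"dovecot: auth-worker\(\d+\): pam\(.*," + HOST +
        r",\<.*\>\): pam_authenticate\(\) failed: Authentication failure \(password mismatch\?\)")),
    "dovecot_unknown": dict(findtime=14400, maxretry=2, ignoreip=["10.0.0.0/24"], regex=re.compile(
        r"dovecot: auth-worker\(\d+\): pam\(.*," + HOST + r",\<.*\>\): unknown user.*")),
}

def classify(line):
    """Return (jail, host) for the first jail whose failregex matches, else None."""
    for jail, cfg in JAILS.items():
        m = cfg["regex"].search(line)
        if m:
            return jail, m.group("host")
    return None

def ban_decisions(lines, year=2017):
    """Replay syslog-style lines: a host is banned by a jail once it has maxretry
    matching lines inside one findtime window (simplified: no unban, ignoreip skipped)."""
    hits = defaultdict(list)  # (jail, host) -> timestamps of recent failures
    bans = []
    for line in lines:
        found = classify(line)
        if not found:
            continue
        jail, host = found
        cfg = JAILS[jail]
        if any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in cfg["ignoreip"]):
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")  # year assumed
        window = [t for t in hits[(jail, host)] if (ts - t).total_seconds() <= cfg["findtime"]]
        window.append(ts)
        hits[(jail, host)] = window
        if len(window) >= cfg["maxretry"] and (jail, host) not in bans:
            bans.append((jail, host))
    return bans

SAMPLE_LOG = [  # constructed lines in the Dovecot 2.2.31 format quoted above
    "Jul 26 14:58:56 irams1 dovecot: auth-worker(2822): pam(inikul,112.54.93.34,<TcVzAjhVMINwNl0i>): unknown user (given password: inikul2017)",
    "Jul 26 15:01:41 irams1 dovecot: auth-worker(3530): pam(johndoe,120.209.164.118,<r+xPDDhVGJh40aR2>): pam_authenticate() failed: Authentication failure (password mismatch?)",
    "Jul 26 15:02:10 irams1 dovecot: auth-worker(3531): pam(johndoe,120.209.164.118,<aaaa>): pam_authenticate() failed: Authentication failure (password mismatch?)",
    "Jul 26 16:30:00 irams1 dovecot: auth-worker(3540): pam(inikul,112.54.93.34,<bbbb>): unknown user (given password: inikul1234)",
    "Jul 26 16:31:00 irams1 dovecot: auth-worker(3541): pam(nobody,10.0.0.7,<cccc>): unknown user (given password: nobody1234)",
    "Jul 26 16:32:00 irams1 dovecot: auth-worker(3542): pam(nobody,10.0.0.7,<dddd>): unknown user (given password: nobody1234)",
]
```

Running `ban_decisions(SAMPLE_LOG)` bans only the host probing the unknown account (two hits within the 4-hour window), while two typo-style failures from the real user stay under the `maxretry = 5` of the tolerant jail and the ignored subnet is never banned.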

