lua policy for Weakforce and web mail failed login attempts

Robert Kudyba rkudyba at fordham.edu
Fri Mar 15 22:30:00 EET 2019


The good news is I believe I got Weakforce running
1) curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:ourpassword
{"status":"ok"}[

2) after running the sample for loop:
for a in {1..101}; do
  curl -X POST -H "Content-Type: application/json" \
    --data '{"login":"ahu", "remote": "127.0.0.1", "pwhash":"1234'$a'", "success":"false"}' \
    http://127.0.0.1:8084/?command=report -u wforce:ourpassword
done

The result is:

{"status":"ok"}{"status":"ok"}{"status":"ok"}{

3) So checking the stats:

curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' \
  http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword

{"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1",
"stats": {"OneHourDB": {"diffFailedPasswords": 93}}}

Notice the 93.

4) the reset works but I believe there's a bug in Getdbstats v2.0.0 where
"blacklisted" is always shown:
curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' \
  http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword

{"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1",
"stats": {"OneHourDB": {"diffFailedPasswords": 0}}}[

5)
wforce -c
Read configuration from '/usr/local/etc/wforce.conf'
Connecting to 127.0.0.1:4004
> stats()
101 reports, 0 allow-queries (0 denies)

The 3 big questions I have:
a: how do I know IPs are being banned/rejected? Is there an alert creation
or a way to see in the logs that the rules are in effect?
b: since I installed via Git and ran "make", how do I get wforce --daemon to
start on reboot? Is there a systemd file available?
c: How do I create a Lua policy that would catch these web dovecot login
attempts?

Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@ourserver.ourdomain.edu rhost=177.72.0.158
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user rhost=213.156.111.236
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody@ourserver.ourdomain.edu rhost=79.106.35.59
Feb 27 08:27:27 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=95.38.212.65  user=nobody
Feb 27 08:27:27 ourserver auth[16831]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser@ourserver.ourdomain.edu rhost=80.78.70.1
Feb 27 08:31:33 ourserver auth[17875]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser rhost=45.225.236.198  user=ouruser
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody@ourserver.ourdomain.edu rhost=37.205.81.41
Feb 27 09:32:42 ourserver auth[32689]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=201.148.100.198  user=nobody
Feb 27 09:32:42 ourserver auth[32689]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=otheruser@ourserver.ourdomain.edu rhost=177.69.145.193
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=otheruser rhost=175.143.51.221
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=yetanotheruser@ourserver.ourdomain.edu rhost=162.245.81.231
Feb 27 09:47:56 ourserver auth[4048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=yetanotheruser rhost=83.243.88.236  user=yetanotheruser
Feb 27 20:44:41 ourserver auth[5828]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser rhost=166.171.184.200  user=ouruser
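As an added example (not part of this post, and not Weakforce's own code), a small Python script that turns pam_unix(dovecot:auth) failure lines like the ones above into the same JSON report bodies the curl loop in step 2 posts, and tallies failures per source IP so a ban threshold can be checked before anything is sent. The log lines and IPs embedded in it are constructed; the wforce URL and credentials are the ones used in the post.

```python
import base64
import json
import re
import urllib.request
from collections import Counter

# Matches the pam_unix(dovecot:auth) "authentication failure" lines quoted in the post;
# "check pass" and pam_succeed_if lines carry no rhost and fall through unmatched.
FAIL_RE = re.compile(r"pam_unix\(dovecot:auth\): authentication failure; .*?"
                     r"ruser=(?P<ruser>\S*) rhost=(?P<rhost>[0-9.]+)")

# Constructed sample lines in the post's format (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@ourserver.ourdomain.edu rhost=192.0.2.10
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user rhost=192.0.2.10
Feb 27 08:27:27 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=198.51.100.7  user=nobody
Feb 27 08:27:27 ourserver auth[16831]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
"""

def parse_failures(text):
    """One wforce 'report' body per failed login, in the shape the curl loop in step 2 posts."""
    reports = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        login = m.group("ruser").split("@")[0].lower()  # PAM logs user@host and bare user for one account
        # PAM never logs a password hash, so pwhash stays empty; count per source IP instead.
        reports.append({"login": login, "remote": m.group("rhost"),
                        "pwhash": "", "success": "false"})
    return reports

def failures_by_remote(reports):
    """Failed logins per source IP, the counter a ban rule would key on."""
    return Counter(r["remote"] for r in reports)

def remotes_over_threshold(reports, limit):
    """Source IPs with at least `limit` failures among the parsed reports."""
    return sorted(ip for ip, n in failures_by_remote(reports).items() if n >= limit)

def post_report(report, url="http://127.0.0.1:8084/?command=report",
                user="wforce", password="ourpassword"):
    """Send one report to wforce the way the post's curl loop does (HTTP basic auth)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(report).encode(), headers={
        "Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())  # wforce answers {"status": "ok"}
```

Because pwhash is empty for PAM-sourced reports, the diffFailedPasswords stat shown in step 3 will not grow from them; per-IP failure counts are the signal to build a policy on.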