Scanning for a research project by sba-research.org had a negative impact on our server recently, twice. From our point of view, it looked like a Denial-of-Service attack. One of their senior researchers told me they use a tool called sslyze. While I have added their IP address (scan.sba-research.org) to the drop list on the server and on our edge router, that will not stop others using the same tool, nor sba-research if they perform IP renumbering. Hence this jail and filter, which might be useful if you use uw-imap. Obviously you could adapt this for other POP/IMAP servers.
As always, your mileage may differ. Read and consider carefully all label instructions.

Regards,
Ken

######################################## Jail ########################################

##
## modified from uw-imap jail
## implemented after sslyze scans from sba-research.org
## caused problems for us. Note the largish maxretry
## and short findtime -- sba-research sent 100's of
## connection attempts in 10 seconds.
##
[sslyze]
enabled = true
port = pop3,pop3s,imap,imaps
filter = sslyze
banaction = iptables-multiport[name=UW-IMAP, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 20
findtime = 10
bantime = 36000

######################################### Filter #########################################

## Lifted from https://github.com/fail2ban/fail2ban/issues/18,
## Modified to protect against 'research' with sslyze.
## Tested by KLJ with fail2ban-regex against local log files
## fail2ban-regex sslyze.log sslyze.conf
##
# Fail2Ban configuration file
#
# Props: Amir Caspi
#
# $Revision: 1 $

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = /etc/fail2ban/filter.d/common.conf

[Definition]

_daemon = (?:ipop3d|imapd)

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sAutologout user=\?\?\? host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sLogout user=\?\?\? host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sMissing command before authentication host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sNull command before authentication host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)s(imaps|pop3s) SSL service init from <HOST>\s*$
            ^%(__prefix_line)sUnable to accept SSL connection, host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sUnexpected client disconnect, while reading line user=\?\?\? host=.*\[<HOST>\]\s*$

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
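Added example, not part of Ken's post or of fail2ban: a Python emulation of the filter's seven failregex lines and the jail's maxretry/findtime window, run over constructed uw-imap log lines. It assumes a simplified stand-in for fail2ban's __prefix_line (the real one lives in common.conf) and that log lines arrive in chronological order; fail2ban-regex remains the tool to test the filter for real.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in (an assumption, not fail2ban's real common.conf __prefix_line):
# it matches "Mar 10 12:00:01 mail imapd[123]: " and captures the timestamp.
PREFIX = r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?:ipop3d|imapd)\[\d+\]:\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"  # what fail2ban substitutes for <HOST>

# The seven failregex lines from the sslyze filter, with <HOST> expanded.
PATTERNS = [re.compile(PREFIX + body.replace("<HOST>", HOST)) for body in (
    r"Autologout user=\?\?\? host=.*\[<HOST>\]\s*$",
    r"Logout user=\?\?\? host=.*\[<HOST>\]\s*$",
    r"Missing command before authentication host=.*\[<HOST>\]\s*$",
    r"Null command before authentication host=.*\[<HOST>\]\s*$",
    r"(imaps|pop3s) SSL service init from <HOST>\s*$",
    r"Unable to accept SSL connection, host=.*\[<HOST>\]\s*$",
    r"Unexpected client disconnect, while reading line user=\?\?\? host=.*\[<HOST>\]\s*$",
)]

def match_line(line):
    """Return (timestamp, host) if the line matches any failregex, else None."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")
    return None

def hosts_to_ban(lines, maxretry=20, findtime=10):
    """Emulate the jail: ban a host once it has maxretry matches within findtime seconds."""
    window, banned = defaultdict(deque), []
    for line in lines:  # lines are assumed to be in chronological order
        hit = match_line(line)
        if hit is None or hit[1] in banned:
            continue
        ts, host = hit
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample log: a scanner opening 25 TLS probes within 5 seconds, and a
# legitimate client that logs out three times over two minutes and then logs in.
SAMPLE_LOG = (
    [f"Mar 10 12:00:0{i // 5} mail imapd[{1000 + i}]: imaps SSL service init from 192.0.2.10" for i in range(25)]
    + [f"Mar 10 12:0{i}:00 mail imapd[{2000 + i}]: Logout user=??? host=client.example [198.51.100.7]" for i in range(3)]
    + ["Mar 10 12:03:00 mail imapd[3000]: Login user=alice host=client.example [198.51.100.7]"]
)
```

Only the scanner address crosses 20 hits inside the 10-second window; the client's three logouts match the filter but never reach maxretry, which is the balance the largish maxretry and short findtime are meant to strike.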