F2b can't do anything against this type of attack as the IPs rarely repeat.

If you want a bit of security through obscurity, turn off authentication on port 25 and configure your users to use SMTPS (tcp:465) or STARTTLS (tcp:587). There is much less bot traffic on those ports.

Nick

On 11/02/2018 15:17, chaouche yacine via Fail2ban-users wrote:
Dear list,

I was surprised to find this in one of my scripts' live output:

Feb 11 16:01:16 radiomiti...@mydomain.tld 104.131.92.159:
Feb 11 16:01:19 radiomiti...@mydomain.tld 81.91.92.176:
Feb 11 16:01:21 radiomiti...@mydomain.tld 213.136.88.68:
Feb 11 16:01:25 radiomiti...@mydomain.tld 132.148.21.197:
Feb 11 16:01:28 radiomiti...@mydomain.tld 91.121.136.82:
Feb 11 16:01:31 radiomiti...@mydomain.tld 70.32.72.249:
Feb 11 16:01:33 radiomiti...@mydomain.tld 88.198.177.200:
Feb 11 16:01:37 radiomiti...@mydomain.tld 132.148.22.72:
Feb 11 16:01:40 radiomiti...@mydomain.tld 185.14.28.209:
Feb 11 16:01:47 radiomiti...@mydomain.tld 185.14.28.209:
Feb 11 16:01:50 radiomiti...@mydomain.tld 31.186.8.165:
Feb 11 16:01:52 radiomiti...@mydomain.tld 176.31.171.249:
Feb 11 16:01:55 radiomiti...@mydomain.tld 174.142.254.4:
Feb 11 16:01:58 radiomiti...@mydomain.tld 173.249.5.133:
Feb 11 16:02:04 radiomiti...@mydomain.tld 103.1.239.204:
Feb 11 16:02:10 radiomiti...@mydomain.tld 115.146.127.53:
Feb 11 16:02:13 radiomiti...@mydomain.tld 80.87.200.146:
Feb 11 16:02:17 radiomiti...@mydomain.tld 50.62.82.236:
Feb 11 16:02:20 radiomiti...@mydomain.tld 158.222.0.202:
Feb 11 16:02:24 radiomiti...@mydomain.tld 89.219.33.110:
Feb 11 16:02:26 radiomiti...@mydomain.tld 37.59.8.29:
Feb 11 16:02:28 radiomiti...@mydomain.tld 85.25.213.84:
Feb 11 16:02:31 radiomiti...@mydomain.tld 185.95.85.159:
Feb 11 16:02:33 radiomiti...@mydomain.tld 146.185.160.102:
Feb 11 16:02:35 radiomiti...@mydomain.tld 94.23.93.101:
Feb 11 16:02:38 radiomiti...@mydomain.tld 104.236.206.7:
Feb 11 16:02:41 radiomiti...@mydomain.tld 194.150.118.6:
Feb 11 16:02:44 radiomiti...@mydomain.tld 212.109.221.24:
Feb 11 16:02:46 radiomiti...@mydomain.tld 146.185.157.149:
Feb 11 16:02:48 radiomiti...@mydomain.tld 62.75.202.128:
Feb 11 16:02:51 radiomiti...@mydomain.tld 193.203.206.3:
Feb 11 16:02:55 radiomiti...@mydomain.tld 208.107.4.149:
Feb 11 16:02:57 radiomiti...@mydomain.tld 173.212.252.117:
Feb 11 16:03:01 radiomiti...@mydomain.tld 38.109.217.143:
Feb 11 16:03:04 radiomiti...@mydomain.tld 5.2.209.70:
Feb 11 16:03:10 radiomiti...@mydomain.tld 101.99.65.25:
Feb 11 16:03:12 radiomiti...@mydomain.tld 91.121.85.220:
Feb 11 16:03:15 radiomiti...@mydomain.tld 83.220.174.125:
Feb 11 16:03:19 radiomiti...@mydomain.tld 173.203.58.135:
Feb 11 16:03:21 radiomiti...@mydomain.tld 144.76.60.149:
Feb 11 16:03:24 radiomiti...@mydomain.tld 37.46.131.252:
Feb 11 16:03:30 radiomiti...@mydomain.tld 221.132.35.142:
Feb 11 16:03:32 radiomiti...@mydomain.tld 46.4.122.252:
Feb 11 16:03:36 radiomiti...@mydomain.tld 64.91.251.84:
Feb 11 16:03:39 radiomiti...@mydomain.tld 94.181.191.195:
Feb 11 16:03:42 radiomiti...@mydomain.tld 216.27.29.7:
Feb 11 16:03:44 radiomiti...@mydomain.tld 176.31.182.14:
Feb 11 16:03:48 radiomiti...@mydomain.tld 47.22.0.41:
Feb 11 16:03:50 radiomiti...@mydomain.tld 188.166.112.173:
Feb 11 16:03:53 radiomiti...@mydomain.tld 62.109.23.50:
Feb 11 16:03:59 radiomiti...@mydomain.tld 210.211.118.171:
Feb 11 16:04:02 radiomiti...@mydomain.tld 176.57.209.53:
Feb 11 16:04:04 radiomiti...@mydomain.tld 37.97.198.103:
Feb 11 16:04:10 radiomiti...@mydomain.tld 221.132.35.142:
Feb 11 16:04:16 radiomiti...@mydomain.tld 163.44.206.185:
Feb 11 16:04:19 radiomiti...@mydomain.tld 184.173.181.142:
Feb 11 16:04:24 radiomiti...@mydomain.tld 198.12.149.197:
Feb 11 16:04:27 radiomiti...@mydomain.tld 213.159.208.254:
Feb 11 16:04:30 radiomiti...@mydomain.tld 198.50.145.221:
Feb 11 16:04:36 radiomiti...@mydomain.tld 190.13.128.146:
Feb 11 16:04:41 radiomiti...@mydomain.tld 139.196.229.151:
Feb 11 16:04:43 radiomiti...@mydomain.tld 176.9.122.132:


It was generated in realtime by ychaouche/mailcop <https://github.com/ychaouche/mailcop>



        

        





As you can see, there are multiple IPs involved; it seems to be some kind of distributed attack. Is there any way I can protect my server against this?

Yassine.





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
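
Added example, not part of the original thread and not code from fail2ban or mailcop: a small Python sketch of why a per-IP failure counter stays silent on the pattern quoted above, while counting distinct source IPs per targeted account flags it. The log format follows the quoted output; the account name, addresses, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the "<date> <account> <source IP>:" format quoted in
# the thread; the accounts and documentation-range addresses are placeholders.
SAMPLE = """\
Feb 11 16:01:16 victim@example.org 192.0.2.10:
Feb 11 16:01:19 victim@example.org 198.51.100.7:
Feb 11 16:01:21 victim@example.org 203.0.113.44:
Feb 11 16:01:25 victim@example.org 192.0.2.81:
Feb 11 16:01:28 victim@example.org 198.51.100.23:
Feb 11 16:01:31 victim@example.org 198.51.100.23:
Feb 11 16:01:33 other@example.org 203.0.113.9:
Feb 11 16:01:37 victim@example.org 203.0.113.200:
"""

def parse(line, year=2018):
    """Split one line into (timestamp, account, ip); the year is assumed
    because syslog-style timestamps do not carry one."""
    month, day, clock, account, ip = line.split()
    ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, account, ip.rstrip(":")

def analyse(lines, window=timedelta(minutes=10), per_ip_max=3, per_account_ips=5):
    """Return (IPs a per-IP threshold would ban, accounts hit from many IPs)."""
    by_ip = defaultdict(deque)       # source IP -> failure timestamps in window
    by_account = defaultdict(deque)  # account -> (timestamp, ip) in window
    banned_ips, targeted = set(), set()
    for line in lines:
        if not line.strip():
            continue
        ts, account, ip = parse(line)
        seen = by_ip[ip]
        seen.append(ts)
        while ts - seen[0] > window:       # drop failures older than the window
            seen.popleft()
        if len(seen) >= per_ip_max:        # classic per-IP rule
            banned_ips.add(ip)
        hits = by_account[account]
        hits.append((ts, ip))
        while ts - hits[0][0] > window:
            hits.popleft()
        if len({src for _, src in hits}) >= per_account_ips:
            targeted.add(account)          # one account, many distinct sources
    return banned_ips, targeted

if __name__ == "__main__":
    print(analyse(SAMPLE.splitlines()))
```

The per-account result is a signal for alerting on or protecting the targeted mailbox; it does not identify any single address worth banning.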

