On 04-03-19 00:01, Mike wrote:

I am seeing various entries in my secure log like:

Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73

Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73

Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73

All of these are invalid attempts to probe IMAP/POP3 obviously.

What I want to do is create a set of rules that ban IPs based, after one try, on certain login credentials they're using for Dovecot.  The rules would follow these basic steps:

1.  Ban any failed POP3/IMAP login attempt using the "svetlana" name prefix (I don't have anybody by that name on my server, and I can see a bot is adding extra numbers and random domains, presumably to probe for other vulnerabilities during login)

2.  Ban any instance of a login attempt of webmaster@(any domain) since any accounts like that are aliases and not actual mailboxes.

3.  Ban any instance of a login attempt of [email protected] because that domain is either not mapped to this server, or has no IMAP/POP3 accounts associated with it.

Am I correct in assuming that in order to do this, I can do the following steps?

1.  copy filter.d/dovecot.conf to another name like filter.d/dovecot-honeypot.conf

2.  then make a copy of the [dovecot] configuration in jail.local but rename [dovecot] to [dovecot-honeypot] and tweak bantime appropriately

3.  modify filter.d/dovecot-honeypot.conf and make these the rules under failregex =:

^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=svetlana\S* rhost=<HOST>(?:\s+user=\S*)?\s*$

^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=webmaster@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$

^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*@specificdomain.com rhost=<HOST>(?:\s+user=\S*)?\s*$


Would this be the proper approach towards implementing this additional filter?


This list quickly grows in an unreadable mess, with a regex for each name. Since you're already using regexes, why don't you use something like:

^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=(svetlana|webmaster|another)@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$

^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*@(specificdomain.com|example.org|anotherexample.com) rhost=<HOST>(?:\s+user=\S*)?\s*$

I.e. one regex for all user parts before the @, and one other regex for all domains you want to block.

Am I leaving something out?

Is there anything else I need to consider?

You're talking about a honeypot here, but most people think about a different kind of setup when they read 'honeypot setup', so be careful in your naming.


Thanks!

- Mike


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
