At 06:46 AM 3/19/2019, Marcio Vogel Merlone dos Santos wrote:
Content-Type: multipart/alternative;
boundary="------------ED186ACA71AF6AA461515FDF"
Content-Language: en-US
I am very limited in time, but I'm in. Where do we start?
I posted this a few weeks back, looking to fine-tune a honeypot
configuration.. Here's what I proposed:
I am seeing various entries in my secure log like:
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication
failure; logname= uid=0 euid=0 tty=dovecot
[email protected] rhost=178.252.80.73
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication
failure; logname= uid=0 euid=0 tty=dovecot
[email protected] rhost=178.252.80.73
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication
failure; logname= uid=0 euid=0 tty=dovecot
[email protected] rhost=178.252.80.73
All of these are invalid attempts to probe IMAP/POP3 obviously.
What I want to do is create a set of rules that ban IPs based, after
one try, on certain login credentials they're using for
Dovecot. The rules would follow these basic steps:
1. Ban any failed POP3/IMAP attempt to login attempt using the name
"svetlana" prefix (I don't have anybody by that name on my server,
and I can see a bot is adding extra numbers and random domains,
presumably to prove for other vulnerabilities during login)
2. Ban any instance of a login attempt of webmaster@(any domain)
since any accounts like that are aliases and not actual mailboxes.
3. Ban any instance of a login attempt of
[email protected] because that domain is either not mapped
to this server, or has no IMAP/POP3 accounts associated with it.
Am I correct in assuming that in order to do this, I can do the
following steps?
1. copy filter.d/dovecot.conf to another name like
filter.d/dovecot-honeypot.conf
2. then make a copy of the [dovecot] configuration in jail.local
but rename [dovecot] to [dovecot-honeypot] and tweak bantime appropriately
3. modify filter.d/dovecot-honeypot.conf and make these the rules
under failregex =:
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=svetlana\S*
rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot
ruser=webmaster@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot
ruser=\S*@specificdomain.com rhost=<HOST>(?:\s+user=\S*)?\s*$
Would this be the proper approach towards implementing this
additional filter?
Am I leaving something out?
Is there anything else I need to consider?
Thanks!
- Mike
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
