Re: under some kind of attack

2017-07-24 Thread mourik jan c heupink
Hi Joseph On 07/24/2017 04:51 AM, Joseph Tam wrote:> You are essentially writing your own backend by taking over > authentication. You'll be accepting user/password inputs into your > checkpassword executable, then use the LDAP API (or some other system...snip > and source address, which will

Re: under some kind of attack

2017-07-23 Thread Joseph Tam
As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday fetched from a rot-13 database, and only from prime numbered IP addresses on weekends, if that's what you want. Having read the wiki page on

Re: under some kind of attack

2017-07-21 Thread mj
Hi Joseph, On 07/21/2017 10:17 PM, Joseph Tam wrote: As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday fetched from a rot-13 database, and only from prime numbered IP addresses on weekends, if that's

Re: under some kind of attack

2017-07-21 Thread Joseph Tam
mj wrote: - for external users, to ONLY be allowed to use an application specific password. (or username and password, fine as well) Step one: making ldap password authentication valid only from our internal network. I thought: using allow_nets=192.168.1.0/24 for that

Re: under some kind of attack

2017-07-20 Thread Adi Pircalabu
On 21/07/2017 04:03, mj wrote: Hi Robert, I don't understand why you focused on that ldap strings fail2ban should trigger on some "Authentication failure" regex in the related syslog perhaps this will help to make it more clear http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot

Re: under some kind of attack

2017-07-20 Thread Gary Sellani
Not applicable to most installations, but I use geographical filtering on all ports other than 25. Fine if you are the only user of the email system. I don't block countries where I will send and retrieve email. I augment this with a small blocking list of IP space where I'm OK if they read my

Re: under some kind of attack

2017-07-20 Thread Joseph Tam
I would like to create a fail2ban filter, that scans for these lines: Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password) Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)

Re: under some kind of attack

2017-07-20 Thread mj
On 07/20/2017 08:47 PM, Robert Schetterer wrote: Ok I understand, not a bad idea, report how it works for you That "report how it works for you" was exactly why I posted the fail2ban failregex back to the list. :-) So others can use it too. It works fantastic, and I combined it now with

Re: under some kind of attack

2017-07-20 Thread Robert Schetterer
Am 20.07.2017 um 20:03 schrieb mj: > Hi Robert, > >> I don't understand why you focused on that ldap strings >> fail2ban should trigger on some "Authentication failure" regex in the >> related syslog >> >> perhaps this will help to make it more clear >> >>

Re: under some kind of attack

2017-07-20 Thread mj
Hi Robert, I don't understand why you focused on that ldap strings fail2ban should trigger on some "Authentication failure" regex in the related syslog perhaps this will help to make it more clear http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot Yes, but I have that as well.

Re: under some kind of attack

2017-07-20 Thread Robert Schetterer
Am 20.07.2017 um 12:28 schrieb mj: > I have concocted something that seems to work. And for the archives, this > is it: > >> failregex = auth: Info: ldap\(.+,,.+\): invalid credentials >> \(given password: .+ssword\) >> auth: Info: ldap\(.+,,.+\): invalid credentials >> \(given

Re: under some kind of attack

2017-07-20 Thread mj
I have concocted something that seems to work. And for the archives, this is it: failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: .+ssword\) auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1qaz2wsx\) auth: Info:
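The filter logic from the post above, worked through as an added example; this is not mj's filter or anything from the Dovecot project. Two assumptions: the listing appears to have lost fail2ban's `<HOST>` token from the remote-IP slot (`ldap\(.+,,.+\)` is what an HTML-stripped `ldap\(.+,<HOST>,.+\)` looks like), so the pattern below puts it back; and the `(given password: ...)` suffix is only present when Dovecot's `auth_debug_passwords` is on, which writes every attempted password to syslog in clear text. The example therefore keys on the `invalid credentials` message rather than on particular guessed passwords, and shows why the per-password variant from the post misses most of the same attack. Log lines, user names, session ids and addresses are constructed for the example; the internal network used for the ignore list is taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the shape of the excerpts quoted in this
# thread; user names, session ids, IPs (documentation ranges) and passwords
# are made up for the example.
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(username1,203.0.113.5,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,198.51.100.7,<Q9c2QiFUsADdBD20>): invalid credentials (given password: password)
Jul 18 21:35:02 auth: Info: ldap(username2,203.0.113.5,<aB3dEfGhIjKlMnOp>): invalid credentials (given password: 1qaz2wsx)
Jul 18 21:35:40 auth: Info: ldap(alice,192.168.1.20,<ZzYyXxWwVvUuTtSs>): invalid credentials (given password: s3cr3t!)
Jul 18 21:36:01 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.1, TLS
"""

# Assumed reconstruction of the thread's failregex: one pattern on the
# "invalid credentials" message with fail2ban's <HOST> token in the
# remote-IP slot, independent of which password was guessed.
FAILREGEX = r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials"

# The per-password variant from the post, for comparison: it only fires on
# one specific guess and so misses most of the same attack.
PASSWORD_SPECIFIC = (
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials "
    r"\(given password: 1qaz2wsx\)"
)

# Simplified stand-in for what fail2ban substitutes for <HOST>
# (fail2ban's own substitution also accepts IPv6 and host names).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Return {remote_ip: number of log lines matching the failregex}."""
    pattern = compile_failregex(failregex)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(counts, maxretry=1, ignore_nets=("192.168.1.0/24",)):
    """Apply fail2ban's maxretry threshold and an ignoreip-style allow list.

    ignore_nets mirrors the internal network named in the thread, so that a
    mistyped password by a local user does not lock the office out; treating
    that network as trusted is an assumption of this example.
    """
    ignored = [ipaddress.ip_network(net) for net in ignore_nets]
    banned = []
    for host, failures in counts.items():
        addr = ipaddress.ip_address(host)
        if failures < maxretry:
            continue
        if any(addr in net for net in ignored):
            continue
        banned.append(host)
    return sorted(banned)


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    print("failures per host:", dict(failures))
    print("ban (maxretry=1, office net ignored):", hosts_to_ban(failures))
    print("per-password regex sees only:", dict(count_failures(SAMPLE_LOG, PASSWORD_SPECIFIC)))
```

With the thread's `maxretry=1` every external address that produces a single `invalid credentials` line is banned, while the 192.168.1.0/24 failure is ignored; the password-specific regex catches one of the four failures. If `auth_debug_passwords` was only switched on to see what the bots are trying, turn it off again once the filter is in place, since the log is then a plaintext record of every password users mistype.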

Re: under some kind of attack

2017-07-20 Thread Aki Tuomi
On 20.07.2017 12:16, mj wrote: > Hi all, > > If I may, one more question on this subject: > > I would like to create a fail2ban filter, that scans for these lines: > >> Jul 20 11:10:09 auth: Info: >> ldap(user1,60.166.35.162,): invalid credentials >> (given password: password) >> Jul 20 11:10:19

Re: under some kind of attack

2017-07-20 Thread mj
Hi all, If I may, one more question on this subject: I would like to create a fail2ban filter, that scans for these lines: Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password) Jul 20 11:10:19 auth: Info:

Re: under some kind of attack

2017-07-19 Thread Joseph Tam
mj writes: However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently. Why not? Limited by firewall rules overload? You could probably use a persistent DB, can't you? I meant: keep the "block after the first failed

Re: under some kind of attack

2017-07-19 Thread mj
Hi everybody, Thanks very much for the kind advice given yesterday and today. I have now implemented the blocklist on * http://list.blocklist.de/lists/all.txt using the scripts here: * https://forum.blocklist.de/viewtopic.php?f=11=84# (a combination of bash and php) For now, my server appears to

Re: under some kind of attack

2017-07-19 Thread mj
Hi Robert, On 07/18/2017 11:43 PM, Robert Schetterer wrote: i guess not, but typical bots aren't using ssl, check it however fail2ban sometimes is too slow I have configured dovecot with auth_failure_delay = 10 secs I hope that before the 10 sec are over, dovecot will have logged about the

Re: under some kind of attack

2017-07-18 Thread Robert Schetterer
Am 18.07.2017 um 22:53 schrieb mj: > Hi Robert, > > On 07/18/2017 10:15 PM, mj wrote: >> Robert, your iptables suggestions are _very_ interesting! However, >> will they also work on imaps/993, because of the ssl? > > I have adjusted and put into place your iptables suggestion like this: >>

Re: under some kind of attack

2017-07-18 Thread Robert Schetterer
Am 18.07.2017 um 22:15 schrieb mj: > Hi, > > Thanks for the quick follow-ups! Much appreciated. After posting this, I > immediately started working on fail2ban. And between my initial posting > and now, fail2ban already blocked 114 IPs. > > I have fail2ban with maxretry=1 and bantime=1800 > >

Re: under some kind of attack

2017-07-18 Thread mj
Hi Robert, On 07/18/2017 10:15 PM, mj wrote: Robert, your iptables suggestions are _very_ interesting! However, will they also work on imaps/993, because of the ssl? I have adjusted and put into place your iptables suggestion like this: iptables -I INPUT -p tcp --dport 143 -m string --algo

Re: under some kind of attack

2017-07-18 Thread Mihai Badici
On Tuesday 18 July 2017 22:15:24 mj wrote: > Hi, > > Thanks for the quick follow-ups! Much appreciated. After posting this, I > immediately started working on fail2ban. And between my initial posting > and now, fail2ban already blocked 114 IPs. > > I have fail2ban with maxretry=1 and

Re: under some kind of attack

2017-07-18 Thread mj
Hi, Thanks for the quick follow-ups! Much appreciated. After posting this, I immediately started working on fail2ban. And between my initial posting and now, fail2ban already blocked 114 IPs. I have fail2ban with maxretry=1 and bantime=1800 However, it seems almost all IPs are different,

Re: under some kind of attack

2017-07-18 Thread Robert Schetterer
Am 18.07.2017 um 21:44 schrieb mj: > Hi all, > > It seems we are under some kind of password guessing attack: > >> Jul 18 21:33:33 auth: Info: >> ldap(username1,103.6.223.61,): invalid credentials >> (given password: 1q2w3e4r5t) >> Jul 18 21:34:16 auth: Info: >>

Re: under some kind of attack

2017-07-18 Thread Tanstaafl
Welcome to the world of mail admin... On 7/18/2017, 3:44:20 PM, mj wrote: > Hi all, > > It seems we are under some kind of password guessing attack: > >> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,): >> invalid credentials (given password: 1q2w3e4r5t) >> Jul

under some kind of attack

2017-07-18 Thread mj
Hi all, It seems we are under some kind of password guessing attack: Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,): invalid credentials (given password: 1q2w3e4r5t) Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: