Hi Joseph
On 07/24/2017 04:51 AM, Joseph Tam wrote:
> You are essentially writing your own backend by taking over
> authentication. You'll be accepting user/password inputs into your
> checkpassword executable, then use the LDAP API (or some other system...snip
> and source address, which will
As per my post: checkpassword. You can then use one password on Mondays,
Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursdays
fetched from a rot-13 database, and only from prime numbered IP addresses
on weekends, if that's what you want.
Having read the wiki page on
Hi Joseph,
On 07/21/2017 10:17 PM, Joseph Tam wrote:
As per my post: checkpassword. You can then use one password on Mondays,
Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursdays
fetched from a rot-13 database, and only from prime numbered IP addresses
on weekends, if that's
mj wrote:
- for external users, to ONLY be allowed to use an application specific
password. (or username and password, fine as well)
Step one: making ldap password authentication valid only from our
internal network. I thought: using allow_nets=192.168.1.0/24 for that
On 21/07/2017 04:03, mj wrote:
Hi Robert,
I don't understand why you focused on those ldap strings
fail2ban should trigger on some "Authentication failure" regex in the
related syslog
perhaps this will help to make it more clear
http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
Not applicable to most installations, but I use geographical filtering on all
ports other than 25. Fine if you are the only user of the email system. I don't
block countries where I will send and retrieve email. I augment this with a
small blocking list of IP space where I'm OK if they read my
I would like to create a fail2ban filter, that scans for these lines:
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,):
invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid
credentials (given password: password)
On 07/20/2017 08:47 PM, Robert Schetterer wrote:
Ok I understand, not a bad idea, report how it works for you
That "report how it works for you" was exactly why I posted the fail2ban
failregex back to the list. :-) So others can use it too.
It works fantastic, and I combined it now with
Am 20.07.2017 um 20:03 schrieb mj:
> Hi Robert,
>
>> I don't understand why you focused on those ldap strings
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog
>>
>> perhaps this will help to make it more clear
>>
>>
Hi Robert,
I don't understand why you focused on those ldap strings
fail2ban should trigger on some "Authentication failure" regex in the
related syslog
perhaps this will help to make it more clear
http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
Yes, but I have that as well.
Am 20.07.2017 um 12:28 schrieb mj:
> I have concocted something that seems to work. And for the archives, this
> is it:
>
>> failregex = auth: Info: ldap\(.+,,.+\): invalid credentials
>> \(given password: .+ssword\)
>> auth: Info: ldap\(.+,,.+\): invalid credentials
>> \(given
I have concocted something that seems to work. And for the archives, this
is it:
failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given
password: .+ssword\)
auth: Info: ldap\(.+,,.+\): invalid credentials \(given
password: 1qaz2wsx\)
auth: Info:
On 20.07.2017 12:16, mj wrote:
> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter, that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info:
>> ldap(user1,60.166.35.162,): invalid credentials
>> (given password: password)
>> Jul 20 11:10:19
Hi all,
If I may, one more question on this subject:
I would like to create a fail2ban filter, that scans for these lines:
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,):
invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info:
mj writes:
However, it seems almost all IPs are different, and I don't think I can
keep the above settings permanently.
Why not? Limited by firewall rules overload? You could probably use
a persistent DB, can't you?
I meant: keep the "block after the first failed
Hi everybody,
Thanks very much for the kind advice given yesterday and today.
I have now implemented the blocklist on
* http://list.blocklist.de/lists/all.txt
using the scripts here:
* https://forum.blocklist.de/viewtopic.php?f=11=84#
(a combi of bash and php)
For now, my server appears to
Hi Robert,
On 07/18/2017 11:43 PM, Robert Schetterer wrote:
I guess not, but typical bots aren't using ssl, check it
however fail2ban sometimes is too slow
I have configured dovecot with
auth_failure_delay = 10 secs
I hope that before the 10 sec are over, dovecot will have logged about
the
Am 18.07.2017 um 22:53 schrieb mj:
> Hi Robert,
>
> On 07/18/2017 10:15 PM, mj wrote:
>> Robert, your iptables suggestions are _very_ interesting! However,
>> will they also work on imaps/993, because of the ssl?
>
> I have adjusted and put into place your iptables suggestion like this:
>>
Am 18.07.2017 um 22:15 schrieb mj:
> Hi,
>
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and bantime=1800
>
>
Hi Robert,
On 07/18/2017 10:15 PM, mj wrote:
Robert, your iptables suggestions are _very_ interesting! However, will
they also work on imaps/993, because of the ssl?
I have adjusted and put into place your iptables suggestion like this:
iptables -I INPUT -p tcp --dport 143 -m string --algo
On Tuesday 18 July 2017 22:15:24 mj wrote:
> Hi,
>
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and
Hi,
Thanks for the quick follow-ups! Much appreciated. After posting this, I
immediately started working on fail2ban. And between my initial posting
and now, fail2ban already blocked 114 IPs.
I have fail2ban with maxretry=1 and bantime=1800
However, it seems almost all IPs are different,
Am 18.07.2017 um 21:44 schrieb mj:
> Hi all,
>
> It seems we are under some kind of password guessing attack:
>
>> Jul 18 21:33:33 auth: Info:
>> ldap(username1,103.6.223.61,): invalid credentials
>> (given password: 1q2w3e4r5t)
>> Jul 18 21:34:16 auth: Info:
>>
Welcome to the world of mail admin...
On 7/18/2017, 3:44:20 PM, mj wrote:
> Hi all,
>
> It seems we are under some kind of password guessing attack:
>
>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,):
>> invalid credentials (given password: 1q2w3e4r5t)
>> Jul
Hi all,
It seems we are under some kind of password guessing attack:
Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,):
invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>):
invalid credentials (given password:
25 matches