ot: how to block persistent same invalid account, different IPs

2017-12-22 Thread Joseph Tam

"Voytek Eymont" 


> I've installed fail2ban, it seems to be working as it identified my failed
> test logins, BUT, my question is:
>
> what can I do when I see same invalid name trying to login to dovecot,
> different IP each time, how can I say block each IP as used by this name ?


If each IP is only used once in a long while, what would be the point?

In general, distributed attacks are very hard to stop if you have a
default accept stance.  I've observed that most of the attacks to my site
are from the enormous Chinese state-owned public network superblocks.
I finally got sick of them so I now spiral these IMAP/POP connections
into the Schwarzschild radius of my firewall.

It's a prophylactic measure and not a reactive system like fail2ban, and
may not work for you if you've got road warriors that frequent that part
of the world.  However, it did get rid of a metric ton of BFD connections.

Joseph Tam 


Re: ot: how to block persistent same invalid account, different IPs

2017-12-22 Thread Marcus Rueckert

On 2017-12-22 13:23, Jeff Abrahamson wrote:

> fail2ban isn't really the right tool to fight massive DDOS attacks.
> On the other hand, you don't seem to have that problem, so things work
> out maybe.
>
> It's cleaner to know the future and ban the right things at the right
> times, but is there real harm from people trying bad logins from
> different IPs and you just wait for fail2ban to block each one?  Your
> log snippet covers 151 minutes, even fail2ban would normally have
> unjailed IPs after that much time.


https://wiki2.dovecot.org/Authentication/Policy
https://github.com/PowerDNS/weakforced

works much better imho.




Re: ot: how to block persistent same invalid account, different IPs

2017-12-22 Thread Jeff Abrahamson

On 22/12/17 11:41, Voytek Eymont wrote:

> I've installed fail2ban, it seems to be working as it identified my failed
> test logins, BUT, my question is:
>
> what can I do when I see same invalid name trying to login to dovecot,
> different IP each time, how can I say block each IP as used by this name ?
> or is that a bad idea ?
>
> I can see two persistent attempts as so:
>
> I don't have such user 'ignacio' or 'julian'
>
> #  grep ignacio.munoz  /var/log/dovecot.log | wc
>  1783436   35624
> #  grep ignacio.munoz  /var/log/dovecot.log | grep 'auth fail' | wc
>  1783436   35624
>
> #  grep julian  /var/log/dovecot.log | wc
>  1783432   34321
> #  grep julian  /var/log/dovecot.log | grep 'auth fail' | wc
>  1783432   34321
>
>
> last 6 tries, sometimes have just : , sometimes, with tld
>
> Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 8 secs): user=, method=PLAIN, rip=157.122.183.218,
> lip=163.47.110.6, TLS, session=
> Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 7 secs): user=, method=PLAIN, rip=60.172.162.2,
> lip=163.47.110.6, TLS, session=
> Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 10 secs): user=, method=PLAIN, rip=60.30.224.189,
> lip=163.47.110.6, TLS: Disconnected, session=
> Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 7 secs): user=, method=PLAIN, rip=220.164.2.138,
> lip=163.47.110.6, TLS: Disconnected, session=
> Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 6 secs): user=, method=PLAIN, rip=113.8.194.3,
> lip=163.47.110.6, TLS, session=
> Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 6 secs): user=, method=PLAIN, rip=58.210.119.226,
> lip=163.47.110.6, TLS, session=


fail2ban isn't really the right tool to fight massive DDOS attacks.  On 
the other hand, you don't seem to have that problem, so things work out 
maybe.


It's cleaner to know the future and ban the right things at the right 
times, but is there real harm from people trying bad logins from 
different IPs and you just wait for fail2ban to block each one?  Your 
log snippet covers 151 minutes, even fail2ban would normally have 
unjailed IPs after that much time.


--

Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
https://www.p27.eu/jeff/

purple.com -> p27.eu



ot: how to block persistent same invalid account, different IPs

2017-12-22 Thread Voytek Eymont
I've installed fail2ban, it seems to be working as it identified my failed
test logins, BUT, my question is:

what can I do when I see same invalid name trying to login to dovecot,
different IP each time, how can I say block each IP as used by this name ?
or is that a bad idea ?

I can see two persistent attempts as so:

I don't have such user 'ignacio' or 'julian'

#  grep ignacio.munoz  /var/log/dovecot.log | wc
1783436   35624
#  grep ignacio.munoz  /var/log/dovecot.log | grep 'auth fail' | wc
1783436   35624

#  grep julian  /var/log/dovecot.log | wc
1783432   34321
#  grep julian  /var/log/dovecot.log | grep 'auth fail' | wc
1783432   34321


last 6 tries, sometimes have just : , sometimes, with tld

Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
8 secs): user=, method=PLAIN, rip=157.122.183.218,
lip=163.47.110.6, TLS, session=
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=, method=PLAIN, rip=60.172.162.2,
lip=163.47.110.6, TLS, session=
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
10 secs): user=, method=PLAIN, rip=60.30.224.189,
lip=163.47.110.6, TLS: Disconnected, session=
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=, method=PLAIN, rip=220.164.2.138,
lip=163.47.110.6, TLS: Disconnected, session=
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=, method=PLAIN, rip=113.8.194.3,
lip=163.47.110.6, TLS, session=
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=, method=PLAIN, rip=58.210.119.226,
lip=163.47.110.6, TLS, session=





-- 
Voytek
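The pattern Voytek asks about (one bogus login name, a fresh source address on each attempt) can be surfaced from the imap-login lines he pasted before deciding whether any per-IP ban is worth it. The script below is an added example, not code from the thread, from fail2ban or from Dovecot: it parses "auth failed" disconnect lines in the form shown above (with the `user=<...>` brackets Dovecot actually writes), folds `name` and `name@tld` into one login name, and lists the names that were tried from several distinct `rip` addresses inside a sliding time window. The sample log lines are constructed with documentation addresses, and the year (syslog timestamps carry none) and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Dovecot imap-login/pop3-login disconnect line for a failed authentication.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?:imap|pop3)-login: Info: "
    r"Disconnected \(auth failed, \d+ attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[^,]+),"
)

# Constructed sample (not from the post): documentation IPs, one bogus login
# name spread over several source addresses, plus one successful login.
SAMPLE_LOG = """\
Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<ignacio.munoz>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.6, TLS, session=<a1>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<ignacio.munoz@example.net>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.6, TLS, session=<a2>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in 10 secs): user=<ignacio.munoz>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.6, TLS: Disconnected, session=<a3>
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<julian>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.6, TLS: Disconnected, session=<a4>
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<ignacio.munoz>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.6, TLS, session=<a5>
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<julian@example.net>, method=PLAIN, rip=192.0.2.15, lip=198.51.100.6, TLS, session=<a6>
Dec 22 19:32:00 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.6, TLS, session=<a7>
"""

def parse_failures(text, year=2017):
    """Return (timestamp, bare login name, rip) per auth-failed line; the year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = m["user"].split("@", 1)[0].lower()  # fold 'julian' and 'julian@tld'
        events.append((ts, user, m["rip"]))
    return events

def distributed_users(events, min_ips=3, window_minutes=180):
    """Names tried from >= min_ips distinct rips within any window; maps to every rip seen."""
    by_user = defaultdict(list)
    for ts, user, rip in events:
        by_user[user].append((ts, rip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window start over each attempt
            in_window = {r for t, r in hits[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(in_window) >= min_ips:
                flagged[user] = sorted({r for _, r in hits})
                break
    return flagged
```

With the thresholds above, `ignacio.munoz` (four addresses in about 150 minutes) is reported and `julian` (two) is not; lowering `min_ips` to 2 reports both, which is the trade-off between catching the slow distributed pattern and flagging a legitimate user who simply mistyped a password from two locations.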