Re: [qmailtoaster] fail2ban and 'null password given'

2019-06-03 Thread remo
Angus, can you share your tweaks?

I use firewalld to check connections to the mail server and that works pretty 
well. 

> On 3 June 2019, at 07:18, Gary Bowling wrote:
>
> Good reminder to check my fail2ban config. I did and found that it wasn't
> running since moving my config over to CentOS 7 and rebuilding my server.
>
> The systemctl status fail2ban.service gives me no information as to why it's
> not starting nor do the logs.
>
> So, I guess I need to do some more investigating as to why my service is not
> starting. Any ideas would be helpful. I'm running the same configs as are
> listed in the referenced wiki.
>
> Gary
>
>> On 6/3/2019 7:37 AM, Angus McIntyre wrote:
>> If you're smart, you're probably running 'fail2ban' (or something similar) 
>> on your qmailtoaster to block password-guessing attempts. You may also have 
>> used the rules given at: 
>> 
>> http://wiki.qmailtoaster.com/index.php/Fail2Ban 
>> 
>> to configure it. 
>> 
>> This morning I happened to check my logs and discovered a ridiculous number 
>> of password-guessing attempts from a single IP, all of which had apparently 
>> gone unblocked by fail2ban. It turned out that the attacker was sending an 
>> empty password string, so that the log lines looked something like: 
>> 
>>  vchkpw-submission: null password given phil:192.129.186.58 
>> 
>> There was no corresponding rule in my '/etc/fail2ban/filter.d/vpopmail.conf' 
>> to capture this case, so the attacker was able to try over and over again, 
>> unbanned. 
>> 
>> The attack script seems to be badly broken: it hits the same usernames over 
>> and over again, always with the same null password, and without even 
>> including the hostname part of the username (i.e. 'phil' rather than 
>> 'p...@example.com'), so I'd rate its chances of succeeding as minimal. 
>> Still, it'll inflate your log files, so you probably want to ban it. 
>> 
>> So you might want to consider tweaking your fail2ban configuration to ensure 
>> that the failregex in 'vpopmail.conf' successfully matches 'null 
>> password given' as well as the default 'vpopmail user not found' string. 
>> 
>> Angus 
>> 
>> 
>> 
>> - 
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

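Angus's point, that fail2ban only bans what a filter's failregex actually matches, can be checked offline before editing the live filter. The Python script below is an added example, not code from this thread or from the qmailtoaster wiki: it models how fail2ban expands `<HOST>`, applies each failregex line to a log and counts hits per source address, then runs a constructed set of vpopmail-style log lines through a default rule set (my own rendering of a 'vpopmail user not found' rule; the wiki's exact regex is not reproduced here) and through an extended set that also carries a 'null password given' rule. The `vchkpw-\S+:` prefix, the IPv4-only `<HOST>` expansion, the `maxretry` value and every log line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed vpopmail-style log lines (documentation IP ranges, made up for this
# example); the shape follows the single line quoted in the thread.
SAMPLE_LOG = """\
Jun  3 07:01:02 mail vpopmail[1234]: vchkpw-smtp: vpopmail user not found bob@example.com:192.0.2.10
Jun  3 07:01:05 mail vpopmail[1234]: vchkpw-submission: null password given phil:203.0.113.5
Jun  3 07:01:06 mail vpopmail[1234]: vchkpw-submission: null password given phil:203.0.113.5
Jun  3 07:01:07 mail vpopmail[1234]: vchkpw-submission: null password given alice:203.0.113.5
Jun  3 07:01:09 mail vpopmail[1234]: vchkpw-pop3: vpopmail user not found bob@example.com:192.0.2.10
Jun  3 07:01:11 mail vpopmail[1234]: vchkpw-submission: null password given phil:198.51.100.9
"""

# What fail2ban substitutes for <HOST>; restricted to IPv4 here (assumption:
# the real fail2ban placeholder also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines as they would appear in filter.d/vpopmail.conf.
# DEFAULT_FAILREGEX is an assumed rendering of the wiki's "user not found" rule.
DEFAULT_FAILREGEX = [
    r"vchkpw-\S+: vpopmail user not found \S+:<HOST>$",
]
# The extra rule Angus proposes: same shape, different message text.
EXTENDED_FAILREGEX = DEFAULT_FAILREGEX + [
    r"vchkpw-\S+: null password given \S+:<HOST>$",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile, as fail2ban does for each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def matches(log_text, patterns):
    """Return (line_no, host) for every log line that some failregex matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((n, m.group("host")))
                break  # one failure per line, whichever rule fires first
    return hits


def banned_hosts(log_text, patterns, maxretry=3):
    """Hosts with at least maxretry failures (findtime ignored: one window)."""
    counts = Counter(host for _, host in matches(log_text, patterns))
    return sorted(h for h, c in counts.items() if c >= maxretry)


def render_filter(patterns):
    """Emit a [Definition] section to paste into filter.d/vpopmail.conf."""
    body = "\n".join(("failregex = " if i == 0 else "            ") + p
                     for i, p in enumerate(patterns))
    return "[Definition]\n" + body + "\nignoreregex =\n"


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_FAILREGEX),
                        ("extended", EXTENDED_FAILREGEX)):
        print(name, "matches:", matches(SAMPLE_LOG, rules))
        print(name, "banned:", banned_hosts(SAMPLE_LOG, rules))
    print(render_filter(EXTENDED_FAILREGEX))
```

With the default rule the three null-password attempts from 203.0.113.5 produce no hits at all, so the host is never banned; the extended rule set reaches `maxretry` for it on the third line. On a real qmailtoaster the equivalent check is `fail2ban-regex <logfile> /etc/fail2ban/filter.d/vpopmail.conf` (that tool ships with fail2ban), followed by `fail2ban-client reload`; which log file vpopmail writes to depends on the host's syslog setup.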

Re: [qmailtoaster] fail2ban and 'null password given'

2019-06-03 Thread Gary Bowling

Good reminder to check my fail2ban config. I did and found that it wasn't
running since moving my config over to CentOS 7 and rebuilding my server.

The systemctl status fail2ban.service gives me no information as to why it's
not starting nor do the logs.

So, I guess I need to do some more investigating as to why my service is not
starting. Any ideas would be helpful. I'm running the same configs as are
listed in the referenced wiki.

Gary



On 6/3/2019 7:37 AM, Angus McIntyre wrote:

> If you're smart, you're probably running 'fail2ban' (or something similar)
> on your qmailtoaster to block password-guessing attempts. You may also have
> used the rules given at:
>
>     http://wiki.qmailtoaster.com/index.php/Fail2Ban
>
> to configure it.
>
> This morning I happened to check my logs and discovered a ridiculous number
> of password-guessing attempts from a single IP, all of which had apparently
> gone unblocked by fail2ban. It turned out that the attacker was sending an
> empty password string, so that the log lines looked something like:
>
>     vchkpw-submission: null password given phil:192.129.186.58
>
> There was no corresponding rule in my '/etc/fail2ban/filter.d/vpopmail.conf'
> to capture this case, so the attacker was able to try over and over again,
> unbanned.
>
> The attack script seems to be badly broken: it hits the same usernames over
> and over again, always with the same null password, and without even
> including the hostname part of the username (i.e. 'phil' rather than
> 'p...@example.com'), so I'd rate its chances of succeeding as minimal.
> Still, it'll inflate your log files, so you probably want to ban it.
>
> So you might want to consider tweaking your fail2ban configuration to ensure
> that the failregex in 'vpopmail.conf' successfully matches 'null
> password given' as well as the default 'vpopmail user not found' string.
>
> Angus
  
  
  
  