Robert Kudyba
2019-Mar-15 20:30 UTC
lua policy for Weakforce and web mail failed login attempts
The good news is I believe I got Weakforce running:

1) curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:ourpassword
   {"status":"ok"}

2) after running the sample for loop:
   for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data '{"login":"ahu", "remote": "127.0.0.1", "pwhash":"1234'$a'", "success":"false"}' http://127.0.0.1:8084/?command=report -u wforce:ourpassword; done
   The result is:
   {"status":"ok"}{"status":"ok"}{"status":"ok"}{

3) So checking the stats:
   curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword
   {"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1", "stats": {"OneHourDB": {"diffFailedPasswords": 93}}}
   Notice the 93.

4) the reset works, but I believe there's a bug in getDBStats v2.0.0 where "blacklisted" is always shown:
   curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword
   {"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1", "stats": {"OneHourDB": {"diffFailedPasswords": 0}}}

5) wforce -c
   Read configuration from '/usr/local/etc/wforce.conf'
   Connecting to 127.0.0.1:4004
   > stats()
   101 reports, 0 allow-queries (0 denies)

The 3 big questions I have:

a: how do I know IPs are being banned/rejected? Is there an alert creation or a way to see in the logs that the rules are in effect?
b: since I installed via Git and ran "make", how do I get wforce --daemon to start on reboot? Is there a systemd file available?
c: How do I create a lua policy that would catch these web dovecot login attempts?
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@ourserver.ourdomain.edu rhost=177.72.0.158
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user rhost=213.156.111.236
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody@ourserver.ourdomain.edu rhost=79.106.35.59
Feb 27 08:27:27 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=95.38.212.65 user=nobody
Feb 27 08:27:27 ourserver auth[16831]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser@ourserver.ourdomain.edu rhost=80.78.70.1
Feb 27 08:31:33 ourserver auth[17875]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser rhost=45.225.236.198 user=ouruser
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody@ourserver.ourdomain.edu rhost=37.205.81.41
Feb 27 09:32:42 ourserver auth[32689]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=201.148.100.198 user=nobody
Feb 27 09:32:42 ourserver auth[32689]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=otheruser@ourserver.ourdomain.edu rhost=177.69.145.193
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=otheruser rhost=175.143.51.221
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=yetanotheruser@ourserver.ourdomain.edu rhost=162.245.81.231
Feb 27 09:47:56 ourserver auth[4048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=yetanotheruser rhost=83.243.88.236 user=yetanotheruser
Feb 27 20:44:41 ourserver auth[5828]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser rhost=166.171.184.200 user=ouruser
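An added example wforce.conf policy, not the poster's config or the sample shipped with weakforced, showing one way to answer questions a and c: it keeps the OneHourDB / diffFailedPasswords field the post already uses, blacklists an IP after repeated failures, and writes a warnLog line so the ban is visible in the wforce log. It assumes the weakforced 2.x Lua API (newStringStatsDB, twAdd/twGet/twReset, blacklistIP, warnLog, the four-value allow return) and that Dovecot forwards attempts through its auth_policy_server_url setting; the FAIL_LIMIT, DIFF_PW_LIMIT and BAN_SECONDS values are placeholders to tune.

```lua
-- Added example policy for wforce.conf (not the poster's or weakforced's own file).
-- Field map for the sliding-window stats DB: "hll" counts distinct values,
-- "int" keeps a running total. Keys are the remote IP (lt.remote).
local field_map = {}
field_map["diffFailedPasswords"] = "hll"  -- distinct bad-password hashes per IP
field_map["countFailures"] = "int"        -- total failed attempts per IP
-- six 600-second windows = one sliding hour, matching the "OneHourDB" name
newStringStatsDB("OneHourDB", 600, 6, field_map)

-- Placeholder thresholds (assumptions, tune for your site)
local FAIL_LIMIT    = 20   -- failures per IP per hour before a ban
local DIFF_PW_LIMIT = 10   -- distinct passwords per IP per hour before denial
local BAN_SECONDS   = 900  -- how long blacklistIP() keeps the IP out

-- report() runs for every attempt Dovecot reports (success or failure).
function report(lt)
  local sdb = getStringStatsDB("OneHourDB")
  if not lt.success then
    sdb:twAdd(lt.remote, "diffFailedPasswords", lt.pwhash)
    sdb:twAdd(lt.remote, "countFailures", 1)
    local fails = sdb:twGet(lt.remote, "countFailures")
    if fails >= FAIL_LIMIT then
      -- Once blacklisted, allow() is answered with -1 without running this policy;
      -- the log line below is what shows the rule firing in the wforce log.
      blacklistIP(lt.remote, BAN_SECONDS, "too many failed Dovecot logins")
      warnLog("blacklisting IP", { ip = lt.remote:tostring(),
                                   login = lt.login, failures = fails })
    end
  else
    -- a genuine login clears that IP's counters so a typo-prone user self-heals
    sdb:twReset(lt.remote)
  end
end

-- allow() runs before Dovecot checks the password; -1 denies, 0 allows.
-- Return values: status, message, policy name, extra log attributes.
function allow(lt)
  local sdb = getStringStatsDB("OneHourDB")
  if sdb:twGet(lt.remote, "diffFailedPasswords") > DIFF_PW_LIMIT then
    return -1, "Too many different passwords tried from this IP", "diffpasswords", {}
  end
  return 0, "", "", {}
end

setAllow(allow)
setReport(report)
```

Dovecot only sends wforce the attempts it is configured to forward, so the pam_unix failures above reach this policy only once Dovecot's auth policy settings point at the wforce listener; the getDBStats and wforce -c stats() commands from the post can then be used to confirm the counters and denies are moving.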