Hi

does someone have a script which can filter out dictionary attacks
from /var/log/maillog and notify about the source-IPs?

i know about fail2ban and so on, but i would like to have
a mail with the IP address for two reasons and avoid fail2ban
at all because it does not match the way we maintain firewalls

* add the IP to a distributed "iptables-block.sh" and distribute
  it to any server with a comment and timestamp
* write an abuse-mail to the ISP
On 2013-04-06 13:18, Reindl Harald wrote:
> Hi

Hi!

> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
> it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

What about ... fail2ban? :)

You can define any script to run when fail2ban detects a brute force. You can pass <ip> as a parameter to the script. Fail2ban can also send email to the proper abuse contact. Maybe I'm wrong, but reading what you wrote about your needs it looks like fail2ban can do it.

Marcin
On 06.04.2013 13:18, Reindl Harald wrote:
> Hi
>
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
> it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

Hi Harald,

not exactly, but i have written a blog post on detecting and alarming via xymon on brute force against dovecot:

http://sys4.de/de/blog/2013/01/29/howto-monitor-brute-force-attacks-on-dovecot/

as well as a blog post about using iptables recent from an rsyslog pipe to drop ips:

http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

mix it up somehow in scripts and produce some mail to the abuse mail account found by whois. to me alarming is enough; on my servers it looks like most alarms are coming from users with wrong login data etc., real brute force is rare.

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich
Reindl Harald wrote on 2013-04-06 13:18:
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?

yes i have :)

pflogsumm

> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls

it's simple to make a filter that checks unknown user in postfix logs, it's even more simple if one makes syslog go to sql, then postfix can live block that ip that sends to unknown users

> * add the IP to a distributed "iptables-block.sh" and distribute
> it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

that would be cool, lol :)
On 06.04.2013 14:24, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 13:18:
>
>> has someone a script which can filter out dictionary attacks
>> from /var/log/maillog and notify about the source-IPs?
>
> yes i have :)
>
> pflogsumm

has to do what with IMAP/POP3 logins?

>> i know about fail2ban and so on, but i would like to have
>> a mail with the IP address for two reasons and avoid fail2ban
>> at all because it does not match in the way we maintain firewalls
>
> its simple to make a filter that checks unknown user in postfix logs, its even more simple if one make syslog to
> sql, then postfix can live block that ip that sends to unknown users

but nobody speaks about postfix

>> * add the IP to a distributed "iptables-block.sh" and distribute
>> it to any server with a comment and timestamp
>> * write an abuse-mail to the ISP
>
> that would be cool, lol :)

what would be cool? what *lol*?

i speak about a simple way to get a notification of the brute-forcing IP,
and both are MANUAL tasks i have done since virtually forever
Reindl Harald wrote on 2013-04-06 14:43:
> has to do what with IMAP/POP3 logins?

patch / hack it to dovecot

> but nobody speaks about postfix

and nobody uses sql logs

> i speak about a simple way to get a notify of the brute-forcing IP
> and the both are MANUAL tasks i do since virtually forever

if it was simple, others have written it already

http://wiki.dovecot.org/HowTo/Fail2Ban

note that it works on dovecot 1.x as well, no need to upgrade :)
On 06.04.2013 14:52, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 14:43:
>
>> has to do what with IMAP/POP3 logins?
>
> patch / hack it to dovecot

f**k yourself

>> but nobody speaks about postfix
> and nobody use sql logs

are you drunk, or what has this to do with sql logs?
i am using both, so what
the question was about an already existing script instead of writing my own
so if you have nothing to say, better shut up

>> i speak about a simple way to get a notify of the brute-forcing IP
>> and the both are MANUAL tasks i do since virtually forever
>
> if it was simple, others have writed it already

and that was the question

> http://wiki.dovecot.org/HowTo/Fail2Ban

the question was a script to parse maillog and simply notify, and NOT fail2ban or whatever long-living process, and NOT directly touch iptables; the iptables config is distributed with an in-house solution across the whole infrastructure

> note that it works on dovecot 1.x aswell, no need to upgrade :)

keep your silly smilies for yourself

[root@mail:~]$ rpm -q dovecot
dovecot-2.1.16-4.fc17.20130405.rh.x86_64
>> http://wiki.dovecot.org/HowTo/Fail2Ban

not sure if relevant, apologies if not:

fwiw, I think csf/lfd (that came on my server) does a similar job, detecting login failures and blocking offenders/suspects

v
Reindl Harald wrote on 2013-04-06 14:59:
> keep your silly smilies for yourself

haha

> [root@mail:~]$ rpm -q dovecot
> dovecot-2.1.16-4.fc17.20130405.rh.x86_64

you live in a precompiled problem

learn grep, cut, sort, and more
on how to use fail2ban
just ignore my help will not solve it for you
On 06.04.2013 16:04, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 14:59:
>
>> keep your silly smilies for yourself
> haha

what haha? you are a young boy with no knowledge, proven many times

>> [root@mail:~]$ rpm -q dovecot
>> dovecot-2.1.16-4.fc17.20130405.rh.x86_64
> you live in a precompiled problem

idiot, guess what the "rh" in "20130405.rh" means

> learn grep, cut, sort, and more

boy, i am a developer and use them all day a lot

> on how to use fail2ban
> just ignore my help will not solve it for you

to help you would need to understand the question

what did you idiot not understand in the initial post: fail2ban does not interest me because i do NOT want shorewall and whatever piece of crap on the infrastructure?

gamin-python, python-inotify, shorewall, shorewall-core are not needed here PERIOD

[root@buildserver:~]$ LANG=C; yum install fail2ban
Loaded plugins: etckeeper, presto, protectbase, security
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.8-2.fc17 will be installed
--> Processing Dependency: shorewall for package: fail2ban-0.8.8-2.fc17.noarch
--> Processing Dependency: python-inotify for package: fail2ban-0.8.8-2.fc17.noarch
--> Processing Dependency: gamin-python for package: fail2ban-0.8.8-2.fc17.noarch
--> Running transaction check
---> Package gamin-python.x86_64 0:0.1.10-12.fc17 will be installed
---> Package python-inotify.noarch 0:0.9.4-1.fc17 will be installed
---> Package shorewall.noarch 0:4.5.7.1-2.fc17 will be installed
--> Processing Dependency: shorewall-core = 4.5.7.1-2.fc17 for package: shorewall-4.5.7.1-2.fc17.noarch
--> Running transaction check
---> Package shorewall-core.noarch 0:4.5.7.1-2.fc17 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
On Sat, 6 Apr 2013, Reindl Harald wrote:
> Hi
>
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
> it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?

That way, you leave your iptables configuration status quo, and create a mechanism to use the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall.

Thanks,

Max Pyziur
pyz at brama.com
On 06.04.2013 23:48, Professa Dementia wrote:
> Both of the following I have experienced:
>
> 1) Excessive spam and hacking from China. I blocked China. Then I got a client that did business in China and had
> a branch office there. Suddenly I cannot block login attempts from China. And the users complains loudly about the
> excessive reject rate of legitimate emails from Chinese customers due to the spam filters.

again:

* i am on the dovecot list
* i speak about dictionary attacks on POP3/IMAP
* reject rate is not a topic here

well, even if i were speaking about the MTA it would not be a topic: the MTA is a commercial spam appliance, and postfix is not directly the MX
Here is the simple script that I use to filter attacking sites.
It should be easy to add your extra bits (email etc).

Cheers,
Stephen

#! /bin/sh
# Build one DROP rule per source address seen in today's log lines.
# %e gives the space-padded day that syslog writes ("Apr  6"), so days before the 10th match too.
d=`date +"%b %e"`
# a mktemp-created file instead of a predictable /tmp/fw$$ name
fw=`mktemp /tmp/fw.XXXXXX` || exit 1
grep "$d" /var/log/mail/info.log | grep ruleset=check_rcp \
  | gawk '{split($0,q,/[\[\]]/); print "/sbin/iptables -A INPUT -s " q[4] "/32 -j DROP"}' \
  | sort -u > "$fw"
#reset iptable to base
/etc/rc.d/rc.fw > /dev/null 2>&1
#add new filter(s)
. "$fw"
rm -f "$fw"

--
============================================================================
Stephen Davies Consulting P/L                         Phone: 08-8177 1595
Adelaide, South Australia.                            Mobile: 040 304 0583
Records & Collections Management.
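A script of the kind the original post asks for, applying the grep/awk approach of Stephen's sendmail script above to dovecot's own "auth failed" log lines. This is an added example, not code from anyone in the thread: the log lines are constructed, the dovecot 2.x login log format is assumed, and the notification is left to whatever mail command the reader prefers.

```shell
#!/bin/sh
# Added example, not from the thread: summarise dovecot "auth failed" log lines per
# source IP and turn the offenders into block-script lines with a comment and timestamp.
# Assumes the dovecot 2.x login log format shown in the constructed sample below.

# Constructed sample standing in for /var/log/maillog (203.0.113.5 is a dictionary
# attacker, 198.51.100.7 a real user who mistyped a password once).
SAMPLE_LOG='Apr  6 13:18:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 7 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<abc>
Apr  6 13:18:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Apr  6 13:19:20 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1234, TLS
Apr  6 13:20:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Apr  6 13:21:30 mail dovecot: imap-login: Disconnected (auth failed, 4 attempts in 9 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<def>'

# failed_attempts THRESHOLD   (log lines on stdin)
# Sums the "N attempts" counter of every "auth failed" line per rip= address and prints
# "ATTEMPTS IP" for each address at or above THRESHOLD, worst offender first.
failed_attempts() {
    grep 'auth failed' | awk -v min="$1" '
        {
            ip = ""; attempts = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rip=/) { ip = substr($i, 5); sub(/,$/, "", ip) }
                if ($i == "failed,") attempts = $(i + 1)
            }
            if (ip != "") total[ip] += attempts
        }
        END { for (ip in total) if (total[ip] >= min) print total[ip], ip }
    ' | sort -rn
}

# block_rules STAMP   ("ATTEMPTS IP" lines on stdin)
# Emits one iptables line per IP, commented with the timestamp and the evidence, ready to
# be appended to a distributed block script or quoted in an abuse report.
block_rules() {
    while read -r n ip; do
        printf '/sbin/iptables -A INPUT -s %s/32 -j DROP  # %s: %s failed dovecot logins\n' \
            "$ip" "$1" "$n"
    done
}

# Real use would be: failed_attempts 5 < /var/log/maillog | block_rules "$(date -u +%F)" | mail -s "dovecot brute force" admin
printf '%s\n' "$SAMPLE_LOG" | failed_attempts 5 | block_rules "2013-04-06"
```

The threshold is the sum of dovecot's own per-connection attempt counters, so a single mistyped password (198.51.100.7 above) stays below it while the attacker's repeated connections add up.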
Hi Reindl.

I have a similar script to detect brute force attacks on the dovecot sasl auth system; it's very simple to adapt to pop/imap failures in the log:

http://psi.com.br/~julio/postfix/sasl-killer.sh

Regards,

--
-----------------------------
   _    Julio Cesar Covolato
  0v0   <julio at psi.com.br>
 /(_)\  F: 55-11-3129-3366
  ^ ^   PSI INTERNET
-----------------------------

On 06-04-2013 08:18, Reindl Harald wrote:
> Hi
>
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
> it to any server with a comment and timestamp
> * write an abuse-mail to the ISP
>