Professa Dementia writes:
> 2) Fail2Ban with rules that seem like they are pretty weak, but trust
> me, they work fine and you limit complaints from users.
>
> a) If you get 3 invalid login attempts within a minute from more than
> 1 IP address, block that login for 10 minutes. If you have blocked a
> login and another attempt to log in to that account is made then tarpit
> that connection. Usually 60 seconds is sufficient. Do not extend the
> original block time past the original 10 minutes.
> b) If you get 5 invalid login attempts within a minute from the same
> IP, block that IP for 5 minutes. This is usually a valid user who
> forgot their password, as opposed to a) which is usually a malicious
> third party.
Looking at my POP3/IMAP logs, users enter wrong passwords all the time,
then their mail client keeps trying to re-authenticate, giving the
appearance of a slow rolling BFD. For example, I just grabbed this
typical sample
Jul 2 13:24:48 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:26:03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:26:13 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
9 secs): user=<x> ...
Jul 2 13:26:37 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:26:43 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:27:08 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:27:14 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:27:30 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:27:36 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Jul 2 13:27:51 dovecot: imap-login: Aborted login (auth failed, 1 attempts in
5 secs): user=<x> ...
Brute force attempts are more intense, so I think these rules can be
set harder to not risk plunking your users into blacklist hell. Also,
some common role account (that don't exist on my system e.g.
"admin")
will trigger an immediate blacklist here -- an easy way to shortcut
the process.
> I feel your pain and frustration. I do not believe there is an RBL list
> of offending IP's for brute force attacks ...
Maybe
http://www.blocklist.de/en/index.html
I use it for ssh BFD blocking, and it detects 2/3 of the IPs trying to
do attempts. On their web page, they also list FTP, Web, and Mail
login brute forcers, although I'm not sure whether "Mail" logins
means
IMAP, POP, SMTP-AUTH, or all of them.
You can also integrate this with fail2ban so that not only can you use
it to block, but can also contribute to the global detection of brute
forcers.
Joseph Tam <jtam.home at gmail.com>