Hi all,

It seems we are under some kind of password guessing attack:

> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)

Different IPs, different usernames, but all (almost) the same password.

Any idea what we can do about this?

Any advice you could give us would be very much appreciated.

MJ
Welcome to the world of mail admin...

On 7/18/2017, 3:44:20 PM, mj <lists at merit.unu.edu> wrote:
> Hi all,
>
> It seems we are under some kind of password guessing attack:
>
>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
>
> Different IPs, different usernames, but all (almost) the same password.
>
> Any idea what we can do about this?
>
> Any advice you could give us would be very much appreciated.
>
> MJ
On 18.07.2017 at 21:44, mj wrote:
> Hi all,
>
> It seems we are under some kind of password guessing attack:
>
>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
>> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
>> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
>
> Different IPs, different usernames, but all (almost) the same password.
>
> Any idea what we can do about this?
>
> Any advice you could give us would be very much appreciated.
>
> MJ

perhaps this

https://wiki.dovecot.org/HowTo/Fail2Ban

or you may adapt this

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

to pop3(s)/imap(s) and your needs

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Hi,

Thanks for the quick follow-ups! Much appreciated.

After posting this, I immediately started working on fail2ban. And between my initial posting and now, fail2ban already blocked 114 IPs.

I have fail2ban with maxretry=1 and bantime=1800

However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently.

Robert, your iptables suggestions are _very_ interesting! However, will they also work on imaps/993, because of the ssl?

Thanks for the quick replies!

MJ

On 07/18/2017 09:52 PM, Robert Schetterer wrote:
> On 18.07.2017 at 21:44, mj wrote:
>> Hi all,
>>
>> It seems we are under some kind of password guessing attack:
>>
>>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
>>
>> Different IPs, different usernames, but all (almost) the same password.
>>
>> Any idea what we can do about this?
>>
>> Any advice you could give us would be very much appreciated.
>>
>> MJ
>
> perhaps this
>
> https://wiki.dovecot.org/HowTo/Fail2Ban
>
> or you may adapt this
>
> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> to pop3(s)/imap(s) and your needs
>
> Best Regards
> MfG Robert Schetterer
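The log quoted in the first post and the follow-up about fail2ban describe the same problem from two sides: every source IP fails only once, so a per-IP ban needs maxretry=1 and still only trims a long tail of addresses, while the campaign itself is visible as one or two passwords tried from many IPs against many accounts. The script below is an added example, not code from the thread or from Dovecot; it parses auth failure lines in the format quoted above and aggregates them per source IP and per password tried. Function names are my own, and the sample input is the nine lines from the original post embedded verbatim.

```python
import re
from collections import Counter, defaultdict

# Dovecot auth failure line in the format quoted in the thread (hypothetical helper names).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) auth: Info: "
    r"(?P<mech>\w+)\((?P<user>[^,]*),(?P<ip>[^,]*),<[^>]*>\): "
    r"invalid credentials \(given password: (?P<pw>.*)\)$"
)
# The nine lines from the original post, embedded as sample input.
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
"""

def parse_failures(text):
    """One (user, ip, password) tuple per failed-login line; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["user"], m["ip"], m["pw"]))
    return out

def per_ip_counts(failures):
    """What a per-source rule such as fail2ban sees: failures per IP (here, one each)."""
    return Counter(ip for _, ip, _ in failures)

def spray_report(failures, min_ips=3):
    """Aggregate by password tried and flag passwords seen from at least min_ips sources."""
    by_pw = defaultdict(lambda: {"ips": set(), "users": set(), "attempts": 0})
    for user, ip, pw in failures:
        d = by_pw[pw]
        d["ips"].add(ip)
        d["users"].add(user)
        d["attempts"] += 1
    return {pw: {"sources": len(d["ips"]), "users": sorted(d["users"]), "attempts": d["attempts"]}
            for pw, d in by_pw.items() if len(d["ips"]) >= min_ips}

if __name__ == "__main__":
    for pw, info in spray_report(parse_failures(SAMPLE_LOG)).items():
        print(f"{pw!r}: {info['attempts']} attempts from {info['sources']} IPs against {info['users']}")
```

Run against a live log the same way (read the file into `parse_failures`); a password flagged by `spray_report` is a candidate for a per-user or per-password rate rule, which is something a per-IP ban cannot express.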