Hi,

Thanks for the quick follow-ups! Much appreciated. After posting this, I
immediately started working on fail2ban. And between my initial posting
and now, fail2ban already blocked 114 IPs.

I have fail2ban with maxretry=1 and bantime=1800

However, it seems almost all IPs are different, and I don't think I can
keep the above settings permanently.

Robert, your iptables suggestions are _very_ interesting! However, will
they also work on imaps/993, because of the ssl?

Thanks for the quick replies!

MJ

On 07/18/2017 09:52 PM, Robert Schetterer wrote:
> On 18.07.2017 at 21:44, mj wrote:
>> Hi all,
>>
>> It seems we are under some kind of password guessing attack:
>>
>>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
>>> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
>>> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
>>
>> Different IPs, different usernames, but all (almost) the same password.
>>
>> Any idea what we can do about this??
>>
>> Any advice you could give us would be very much appreciated.
>>
>> MJ
>
> perhaps this
>
> https://wiki.dovecot.org/HowTo/Fail2Ban
>
> or you may adapt this
>
> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
>
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> to pop3(s)/imap(s) and your needs
>
> Best Regards
> MfG Robert Schetterer
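The shape of the quoted log (every source IP seen exactly once, a handful of users, one shared password) is exactly what a per-IP counter such as fail2ban's maxretry cannot see, which is why the ban list keeps growing without the attempts stopping. As an added example that is not part of this thread, the following Python parses Dovecot auth-failure lines of the form quoted above and groups them by the guessed password, so the cross-IP signal becomes visible. The sample input is the nine lines from the thread (the mail wrapping joined back into single lines) plus one constructed "unknown user" line using a documentation address; the regex, function names and the detection thresholds are my own assumptions, not anything Dovecot or fail2ban ships.

```python
import re
from collections import defaultdict

# Dovecot auth failure line in the form quoted in this thread (wrapped lines
# joined).  "(given password: ...)" only appears with auth_debug_passwords=yes,
# so that group is optional; "unknown user" is the other common failure reason.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) auth: Info: "
    r"(?P<passdb>\w+)\((?P<user>[^,]*),(?P<ip>[^,]*),<[^>]*>\): "
    r"(?P<reason>invalid credentials|unknown user)"
    r"(?: \(given password: (?P<password>.*)\))?$"
)

# Sample input: the nine lines quoted in the thread, plus one constructed
# "unknown user" line (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 18 21:38:02 auth: Info: ldap(nosuchuser,192.0.2.10,<constructed0000>): unknown user",
]


def parse_auth_failures(lines):
    """Return one dict per matching auth-failure line; other lines are ignored."""
    events = []
    for line in lines:
        m = AUTH_FAIL_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_counts(events):
    """Failures per source IP: the view a per-IP maxretry counter has."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def spray_report(events):
    """Group failures by the guessed password.  One password tried against
    several users from several IPs is a distributed spray; per-IP counts never
    exceed 1 in this sample, so only this view exposes the campaign."""
    report = {}
    for e in events:
        pw = e["password"]
        if pw is None:  # "unknown user" lines carry no password
            continue
        r = report.setdefault(pw, {"attempts": 0, "ips": set(), "users": set()})
        r["attempts"] += 1
        r["ips"].add(e["ip"])
        r["users"].add(e["user"])
    return report


def detect_spray(events, min_ips=3, min_users=2):
    """Passwords meeting the distributed-spray thresholds (assumed values;
    tune them to the size of your user base)."""
    return sorted(
        pw for pw, r in spray_report(events).items()
        if len(r["ips"]) >= min_ips and len(r["users"]) >= min_users
    )


if __name__ == "__main__":
    events = parse_auth_failures(SAMPLE_LOG)
    print("max failures from any single IP:", max(per_ip_counts(events).values()))
    for pw, r in spray_report(events).items():
        print(f"password {pw!r}: {r['attempts']} attempts, "
              f"{len(r['ips'])} IPs, {len(r['users'])} users")
    print("spray candidates:", detect_spray(events))
```

On the thread's own lines this reports a maximum of one failure per IP, but two passwords each tried from four or five distinct IPs against two or three users. That is the figure to alert on: it says the sensible response is to expire or reject those specific weak passwords for the affected accounts, since banning the source addresses one at a time only follows the botnet around.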
On Tuesday 18 July 2017 22:15:24 mj wrote:
> Hi,
>
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and bantime=1800
>
> However, it seems almost all IPs are different, and I don't think I can
> keep the above settings permanently.
>
> Robert, your iptables suggestions are _very_ interesting! However, will
> they also work on imaps/993, because of the ssl?
>
> Thanks for the quick replies!
>
> MJ

Why not? You can however let them retry 2-3 times, we all made mistakes :)
If there is a real user in that ban list you will help him to find and
remove the malware in his network.

> On 07/18/2017 09:52 PM, Robert Schetterer wrote:
>> On 18.07.2017 at 21:44, mj wrote:
>>> Hi all,
>>>
>>> It seems we are under some kind of password guessing attack:
>>>
>>>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
>>>
>>> Different IPs, different usernames, but all (almost) the same password.
>>>
>>> Any idea what we can do about this??
>>>
>>> Any advice you could give us would be very much appreciated.
>>>
>>> MJ
>>
>> perhaps this
>>
>> https://wiki.dovecot.org/HowTo/Fail2Ban
>>
>> or you may adapt this
>>
>> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
>>
>> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>>
>> to pop3(s)/imap(s) and your needs
>>
>> Best Regards
>> MfG Robert Schetterer
Hi Robert,

On 07/18/2017 10:15 PM, mj wrote:
> Robert, your iptables suggestions are _very_ interesting! However, will
> they also work on imaps/993, because of the ssl?

I have adjusted and put into place your iptables suggestion like this:

> iptables -I INPUT -p tcp --dport 143 -m string --algo bm --string '1q2w3e4r' -j DROP
> iptables -I INPUT -p tcp --dport 993 -m string --algo bm --string '1q2w3e4r' -j DROP

However, I don't think it's working, as the login attempts just keep
coming. Probably the reason is: smtp is plain text, and imap TLS/SSL is
not, so the rules never get triggered.

MJ
On 18.07.2017 at 22:15, mj wrote:
> Hi,
>
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and bantime=1800
>
> However, it seems almost all IPs are different, and I don't think I can
> keep the above settings permanently.
>
> Robert, your iptables suggestions are _very_ interesting! However, will
> they also work on imaps/993, because of the ssl?

I guess not, but typical bots aren't using ssl, check it.

However, fail2ban sometimes is too slow, but as an alternative you may
create a filter out of syslog to directly feed in iptables recent. Here is
an example with smtp:

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

> Thanks for the quick replies!
>
> MJ
>
> On 07/18/2017 09:52 PM, Robert Schetterer wrote:
>> On 18.07.2017 at 21:44, mj wrote:
>>> Hi all,
>>>
>>> It seems we are under some kind of password guessing attack:
>>>
>>>> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,<j7fQopxUNgA6O2fm>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,<gtY5o5xUlQA61w2a>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,<lFxppJxUFADcr5rN>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
>>>> Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,<JDQOpZxUCwB3AWJ5>): invalid credentials (given password: 1q2w3e4r5t)
>>>> Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,<OMqtppxUMADaTJwL>): invalid credentials (given password: 1q2w3e4r)
>>>
>>> Different IPs, different usernames, but all (almost) the same password.
>>>
>>> Any idea what we can do about this??
>>>
>>> Any advice you could give us would be very much appreciated.
>>>
>>> MJ
>>
>> perhaps this
>>
>> https://wiki.dovecot.org/HowTo/Fail2Ban
>>
>> or you may adapt this
>>
>> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
>>
>> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>>
>> to pop3(s)/imap(s) and your needs
>>
>> Best Regards
>> MfG Robert Schetterer

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
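Robert's alternative above, feeding auth failures from syslog straight into an iptables `recent` list so there is no fail2ban polling interval between the log line and the block, as an added example that is not code from this thread or from the linked sys4 post: a small Python filter that reads Dovecot auth log lines on stdin and writes `+<ip>` entries to the xt_recent proc file of a list that a matching iptables rule references. The list name, the allowlist networks and the sample log lines are constructed assumptions; the proc interface itself (`/proc/net/xt_recent/<name>`, `+addr` appends or refreshes an entry) is the kernel module's real one.

```python
import ipaddress
import re
import sys

# Source address of a Dovecot auth failure (same line shape as in the thread);
# search() so a syslog host/program prefix in front does not matter.
AUTH_FAIL_RE = re.compile(
    r"auth: Info: \w+\([^,]*,(?P<ip>[^,]*),<[^>]*>\): "
    r"(?:invalid credentials|unknown user)"
)

# Sources that must never be fed into the block list: your own webmail host,
# monitoring, office ranges.  Constructed values; replace with your networks.
ALLOWLIST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# xt_recent exposes each named list under /proc/net/xt_recent/; the file only
# exists once an iptables rule with "--name dovecot_bruteforce" is loaded.
# The list name is an assumption.
RECENT_LIST = "/proc/net/xt_recent/dovecot_bruteforce"


def block_entries(lines, allowlist=ALLOWLIST):
    """Return the xt_recent commands ("+<ip>") for every failed login in lines,
    skipping allowlisted sources, unparsable addresses and repeats."""
    seen = set()
    entries = []
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        # "in net" is False across address families, so v4/v6 mixing is safe.
        if ip in seen or any(ip in net for net in allowlist):
            continue
        seen.add(ip)
        entries.append(f"+{ip}")
    return entries


def feed_recent(lines, sink):
    """Write each entry to sink (the opened proc file in production, any file
    object in tests), one write per address as xt_recent expects.  Returns the
    number of addresses fed."""
    entries = block_entries(lines)
    for entry in entries:
        sink.write(entry + "\n")
        sink.flush()
    return len(entries)


# Constructed sample: one repeat offender, one allowlisted source, one
# unrelated successful-login line, one IPv6 source.
SAMPLE_LOG = [
    "Jul 18 23:50:01 mail dovecot: auth: Info: ldap(username1,198.51.100.7,<s1>): invalid credentials (given password: 1q2w3e4r)",
    "Jul 18 23:50:03 mail dovecot: auth: Info: ldap(username2,198.51.100.7,<s2>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 18 23:50:05 mail dovecot: auth: Info: ldap(nosuchuser,192.0.2.10,<s3>): unknown user",
    "Jul 18 23:50:07 mail dovecot: imap-login: Info: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1",
    "Jul 18 23:50:09 mail dovecot: auth: Info: ldap(username3,2001:db8::1,<s4>): invalid credentials (given password: 1q2w3e4r)",
]

if __name__ == "__main__":
    # Production: `tail -F /var/log/dovecot.log | python3 feed_recent.py`, or let
    # rsyslog pipe the auth lines in; writing the proc file requires root.
    with open(RECENT_LIST, "w") as proc:
        feed_recent(sys.stdin, proc)
```

The rule that consumes the list would look like `iptables -I INPUT -p tcp -m multiport --dports 110,143,993,995 -m recent --name dovecot_bruteforce --rcheck --seconds 1800 -j DROP` (the 1800 mirrors the bantime already in use in this thread), and it has to be loaded before the script starts or the proc file is not there to open. Two caveats worth knowing: xt_recent keeps at most `ip_list_tot` entries per list (module default 100), so with a botnet of this size load the module with a larger value or older entries get evicted; and because this matches on the log and not on packet contents, it works the same for IMAPS on 993, which is exactly where the `-m string` rules from earlier in the thread cannot see anything.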
On 18.07.2017 at 22:53, mj wrote:
> Hi Robert,
>
> On 07/18/2017 10:15 PM, mj wrote:
>> Robert, your iptables suggestions are _very_ interesting! However,
>> will they also work on imaps/993, because of the ssl?
>
> I have adjusted and put into place your iptables suggestion like this:
>> iptables -I INPUT -p tcp --dport 143 -m string --algo bm --string '1q2w3e4r' -j DROP
>> iptables -I INPUT -p tcp --dport 993 -m string --algo bm --string '1q2w3e4r' -j DROP

Don't speculate, verify if your bots are using ssl, and what flows over
the wire if plain is used. You don't need to use 1q2w3e4r, I think you
can use any dovecot answer that "means rejected". Sorry, no time to test
myself.

> However, I don't think it's working, as the login attempts just keep
> coming. Probably the reason is: smtp is plain text, and imap TLS/SSL is
> not, so the rules never get triggered.
>
> MJ

Best Regards
MfG Robert Schetterer
Hi Robert,

On 07/18/2017 11:43 PM, Robert Schetterer wrote:
> I guess not, but typical bots aren't using ssl, check it
>
> however fail2ban sometimes is too slow

I have configured dovecot with auth_failure_delay = 10 secs

I hope that before the 10 sec are over, dovecot will have logged about the
failed login attempt, and fail2ban will have blocked the ip by then.

MJ