On 20.07.2017 at 12:28, mj wrote:
> I have concocted something that seems to work. And for the archives, this
> is it:
>
>> failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: .+ssword\)
>> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: 1qaz2wsx\)
>> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: 123321\)
>> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: 1234567890\)
>> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: 1q2w3e4r.+\)
>
> It's still reactive, and not pro-active.
>
> All the other suggestions are very much appreciated, including
> weakforced, however implementing that is a much larger project.

I don't understand why you focused on those ldap strings.
fail2ban should trigger on some "Authentication failure" regex in the
related syslog.

Perhaps this will help to make it more clear:

http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot

> Next I have to find out how to feed my fail2ban logs back to
> blocklist.de, to improve their mail.txt hit rate.
>
> Thanks again for all kind assistance.
>
> MJ
>
> On 07/20/2017 11:16 AM, mj wrote:
>> Hi all,
>>
>> If I may, one more question on this subject:
>>
>> I would like to create a fail2ban filter that scans for these lines:
>>
>>> Jul 20 11:10:09 auth: Info:
>>> ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials
>>> (given password: password)
>>> Jul 20 11:10:19 auth: Info:
>>> ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given
>>> password: password)
>>
>> (as you can see, I have enabled auth_verbose_passwords to do this,
>> making me very uncomfortable...)
>>
>> Anyway: since there are only a few password variations, I would like
>> to block anyone using those passwords.
>>
>> (since the connections are over TLS/SSL, I cannot use iptables, as
>> suggested earlier)
>>
>> So I need a specific fail2ban rule that extracts the <IP> from that
>> line, and matches on "(given password: password)"
>>
>> Can anyone here help out with a failregex line that would match..?

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Hi Robert,

> I don't understand why you focused on those ldap strings.
> fail2ban should trigger on some "Authentication failure" regex in the
> related syslog.
>
> Perhaps this will help to make it more clear:
>
> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot

Yes, but I have that as well. :-)

I wanted two kinds of blockings:

#1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
etc, etc) to become blocked *immediately* and for *always*.

#2: I wanted all others to have the 'regular' settings, with three
shots at typing a password, etc.

#2 being the 'regular fail2ban' settings, but during this attack, I
wanted special settings, #1, for anyone trying one of the malicious
passwords.

I did NOT want to give them the usual three opportunities to try.

In fact: this is a bit similar to your iptables solution, but that only
works for non-ssl/non-tls connections.

Your iptables solution makes sure that they cannot authenticate *at all*,
while the above solution makes sure they can only authenticate *once*.

MJ
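As an added example (not code from the thread or from fail2ban itself), here is the failregex mj posted above, applied in Python to constructed log lines modelled on the ones quoted earlier, to show which client addresses the "block immediately, for always" filter (#1) would catch and which attempts fall through to the regular three-attempt jail (#2). It assumes a simplified stand-in for fail2ban's own `<HOST>` expansion; the sample lines and the 198.51.100.x / 203.0.113.x addresses are constructed.

```python
import re

# fail2ban replaces <HOST> with a named capturing group for the client address.
# Assumption: this simplified class stands in for fail2ban's real <HOST> expansion.
HOST = r"(?P<host>[\w\-.:]+)"

# The failregex entries from the thread; each entry is one regex in fail2ban.
FAILREGEX = [
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)",
]

COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]


def match_line(line):
    """Return the client address if the line matches any failregex entry, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines):
    """Count matches per host, i.e. what a jail with maxretry=1 would ban on first hit."""
    hits = {}
    for line in lines:
        host = match_line(line)
        if host:
            hits[host] = hits.get(host, 0) + 1
    return hits


# Constructed sample log: two lines like the thread's, one variant of 1q2w3e4r,
# and two attempts that the tier-1 filter must NOT catch (they stay with tier 2).
SAMPLE_LOG = """\
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)
Jul 20 11:11:02 auth: Info: ldap(user3,198.51.100.7,<abc>): invalid credentials (given password: 1q2w3e4r5t)
Jul 20 11:11:30 auth: Info: ldap(user4,203.0.113.9,<def>): invalid credentials (given password: MyRealSecret!)
Jul 20 11:12:00 auth: Info: ldap(user5,203.0.113.9,<ghi>): invalid credentials (given password: Passw0rd)
""".splitlines()

if __name__ == "__main__":
    for host, n in scan(SAMPLE_LOG).items():
        print(f"{host}: {n} weak-password attempt(s)")
```

Against a real log the same check is `fail2ban-regex <logfile> <filter.conf>`, which also shows which lines a pattern misses.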
On 20.07.2017 at 20:03, mj wrote:
> Hi Robert,
>
>> I don't understand why you focused on those ldap strings.
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog.
>>
>> Perhaps this will help to make it more clear:
>>
>> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
>
> Yes, but I have that as well. :-)
>
> I wanted two kinds of blockings:
>
> #1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
> etc, etc) to become blocked *immediately* and for *always*.
>
> #2: I wanted all others to have the 'regular' settings, with three
> shots at typing a password, etc.
>
> #2 being the 'regular fail2ban' settings, but during this attack, I
> wanted special settings, #1, for anyone trying one of the malicious
> passwords.
>
> I did NOT want to give them the usual three opportunities to try.
>
> In fact: this is a bit similar to your iptables solution, but that only
> works for non-ssl/non-tls connections.
>
> Your iptables solution makes sure that they cannot authenticate *at all*,
> while the above solution makes sure they can only authenticate *once*.
>
> MJ

Ok, I understand. Not a bad idea; report how it works for you.

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG, http://sys4.de
On 21/07/2017 04:03, mj wrote:
> Hi Robert,
>
>> I don't understand why you focused on those ldap strings.
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog.
>>
>> Perhaps this will help to make it more clear:
>>
>> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
>
> Yes, but I have that as well. :-)
>
> I wanted two kinds of blockings:
>
> #1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
> etc, etc) to become blocked *immediately* and for *always*.

This can be very tricky at times, and you may actually hit quite a few legit users who are using weak passwords and have forgotten / mistyped them by accident. Seen this enough times, and the amount of support required to make a sloppy & lazy customer happy again isn't always trivial. If they're few and far apart you can live with it, otherwise you'll have to reevaluate it :)

Adi Pircalabu