Hi folks,

"Somehow" similar to the thread "under some kind oof attack" started by "MJ":

I have Dovecot shielded by fail2ban, which works fine. But since a few days I see many, many IPs per day knocking on my doors with wrong passwords and/or users. But the rate at which they are knocking is very, very low. So fail2ban will never catch them.

For example, one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user

Note the timestamps.
If I look the other way round (tries on one account) I get:

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user

Also note the timestamps!

And I see many, many distinct IPs per day (a few hundred) trying many, many existing and non-existing accounts. As you can see from the timestamps in my examples, this cannot be handled by fail2ban without affecting regular users with typos.
Is anybody observing something similar?
Does anybody have an idea against this?
Many of these observed IPs are Chinese mobile IPs, if this matters. But we also have Chinese students and researchers abroad.

Regards,
Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Technical Infrastructure Department, Faculty of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT - The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
Hi Olaf,

Since we implemented country blocking, everything seems nicely under control, with only 'normal levels' of knocking.

We first implemented:
http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip

Then we did:
https://github.com/firehol/blocklist-ipsets

And final iptables rules like these:

> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP
>
> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP
>
> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP

I tried to combine the various dports in one single rule, but that didn't seem to work. Perhaps someone here knows how to combine --match "geoip" and "multiport" in one single rule?

Anyway: for us these combined measures did the trick.

Users in one of the imap-blocked countries will have to use ActiveSync (works over https), the webmail interface, or launch the VPN first.

This works for us.

Only one thing on my wishlist: application-specific passwords. I would very much appreciate a response on that thread... (posted yesterday evening, with a pseudo-dovecot-config file...)
Hope the above helps you a bit, Olaf.

MJ

On 07/25/2017 04:37 PM, Olaf Hopp wrote:
> [...]
On Tue, Jul 25, 2017 at 04:37:23PM +0200, Olaf Hopp wrote:
> I have dovecot shielded by fail2ban which works fine.
> But since a few days I see many many IPs per day knocking on
> my doors with wrong password and/or users. But the rate at which they are knocking
> is very very low. So fail2ban will never catch them.

Of course it will. You just need to set the "findtime" high enough. Personally, on my very quiet home server, I have findtime set to 7200 (2 hours) and maxretry set to 5, meaning that if a host fails to authenticate 5 times in two hours, they're banned (I have a fairly harsh ban time of a week, so that stops them coming back too soon).

> [...]

-- 
For more information, please reread.
Olaf Hopp wrote on 25.07.2017 16:37:
> [...]
> Is anybody observing something similar ?
> Anybody an idea against this ?

For those "unknown user" attacks on Dovecot we use a rule we named "dovecot-unknownusers.conf" with Fail2Ban:

<SNIP>
failregex = ^%(__prefix_line)sauth-worker\(\d+\): (pam|sql)\(\S+,<HOST>\): unknown user\s*$
<SNIP>

"findtime" we set to 5400 (90 minutes) with "maxretry" set to 2. Works pretty well to block those pesky slow-paced attacks.
On 25.07.2017 at 16:37, Olaf Hopp wrote:
> [...]
> As you see in the timestamps in my examples, this can not be handled by
> fail2ban without affecting
> regular users with typos.
> Is anybody observing something similar ?

All the time, for years. In my case it's always the schema user xyz.abc; in my case all usernames without @ could be dropped at once. A regex deny should be fine, but I haven't implemented/thought of it because it comes in small waves and mostly fail2ban stops it soon.

> Anybody an idea against this ?
> [...]

Best Regards
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On 25.07.2017 at 16:54, mj wrote:
> Hi Olaf,
>
> Since we implemented country blocking, everything seems nicely under
> control, with only 'normal levels' of knocking.
>
> We first have impemented:
> http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip
>
> Then we did:
> https://github.com/firehol/blocklist-ipsets

Simply geoip blocking may work at your site, but it does not work for many other cases.

> [...]

Best Regards
Robert Schetterer
On 2017-07-25 09:37, Olaf Hopp wrote:
> But the rate at which they are knocking
> is very very low. So fail2ban will never catch them.
>
> For example one IP:
> [...]

OSSEC has at least two ways of stopping these:

1. Repeat offenders option: this keeps track of the IP and increases the block time if they come back (within a defined timeframe).

2. You can simply overwrite the rule looking for repeated attempts from the same IP and increase the timeframe option to hours instead of minutes.

> Note the timestamps.
> If I look the other way round (tries to one account) I'll get
> [...]
> Also note the timestamps!

In this case, it looks like it's coming from several different IPs. If the IPs are in geographic regions which should never have a need to log in, you can deny them preemptively in rules. You can also simply look for any attempt to authenticate to an unknown user and block that. It would be interesting to try to figure out a way to look for deviations from the normal naming convention, or perhaps try to identify something that looks random.

There are other options, as well. You can set up a CDB list with known bad IPs and populate them from threat lists of your choice.

All around, I think you'll find it much more capable and robust than fail2ban.

Disclaimer: I wrote the OSSEC Dovecot ruleset several years ago. I don't know if it is current (but I think it is being maintained).
Dear colleagues,

many thanks for your valuable input.

Since we are a university, GeoIP blocking is not an option for us. Sometimes I think it should be ;-)

My "mistake" was that I had just *one* fail2ban filter for both cases: "wrong password" and "unknown user".

Now I have two distinct jails:
The first one just for "wrong password", and here the findtime, bantime and retries are tolerant to typos.

And I have a new one just for "unknown user", and here my bantime and findtime are much bigger and the retries are just '2'. So here I'm much harsher.
I'll keep an eye on my logs and maybe some more tweaking is necessary.

Another interesting observation:
I activated
auth_verbose_passwords = plain
to log the plain password when (and only when) there is "unknown user".
It reveals that all the different IPs trying one unknown account always try with the same stupid password scheme <ACCOUNT>1234. So this doesn't look very well coordinated between the bots ;-)

Regards,
Olaf

On 07/25/2017 04:37 PM, Olaf Hopp wrote:
> [...]
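Olaf's follow-up above, together with the 5400-second findtime and maxretry of 2 posted earlier in the thread, describes a per-IP sliding-window rule. What follows is an added example (not code from the thread, from Olaf, or from fail2ban itself) that replays log lines in the thread's format through a small model of fail2ban's findtime/maxretry window, first as a single jail covering both failure kinds and then split into the two jails Olaf describes. The four lines for 101.231.247.210 follow the example in the original post; the user `jdoe` at 192.0.2.10, the jail names, the year used for parsing and the parameters of the tolerant jail are constructed for this example. The regex accepts the optional `,<session>` field present in these log lines, which the filter regex posted earlier in the thread has no slot for.

```python
"""Two-jail rate limiting over Dovecot auth-worker log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Dovecot auth-worker lines as they appear in the thread. The ",<session>"
# field after the IP is optional here; the filter regex posted earlier in the
# thread has no slot for it and would not match these lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"auth-worker\(\d+\): (?:pam|sql)\((?P<user>[^,]+),(?P<ip>[^,)]+)"
    r"(?:,<[^>]*>)?\): (?P<msg>.*)$"
)
YEAR = 2017  # syslog timestamps carry no year; assumed for parsing


def parse(line):
    """Return (timestamp, user, ip, kind) for a failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["msg"].startswith("unknown user"):
        kind = "unknown_user"
    elif "Authentication failure" in m["msg"]:
        kind = "wrong_password"
    else:
        return None
    return ts, m["user"], m["ip"], kind


class Jail:
    """Per-IP sliding window: ban once maxretry failures fall within findtime seconds."""

    def __init__(self, name, kinds, findtime, maxretry, bantime):
        self.name, self.kinds = name, set(kinds)
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.window = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                  # ip -> ban expiry

    def observe(self, ts, ip, kind):
        """Feed one failure event; return True if it triggers a ban."""
        if kind not in self.kinds or ip in self.banned:
            return False
        q = self.window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.findtime:  # expire old failures
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = ts + timedelta(seconds=self.bantime)
            return True
        return False


def run(lines, jails):
    """Replay log lines through the jails; return {jail name: [(ip, ban time), ...]}."""
    bans = {j.name: [] for j in jails}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _user, ip, kind = parsed
        for j in jails:
            if j.observe(ts, ip, kind):
                bans[j.name].append((ip, ts.strftime("%H:%M:%S")))
    return bans


# Constructed sample log. The 101.231.247.210 lines follow the example in the
# original post; jdoe at 192.0.2.10 (documentation range) is a made-up
# legitimate user mistyping a password three times within a minute.
SAMPLE_LOG = """\
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 14:20:01 irams1 dovecot: auth-worker(2300): pam(jdoe,192.0.2.10,<c0nstructed000001>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 14:20:40 irams1 dovecot: auth-worker(2301): pam(jdoe,192.0.2.10,<c0nstructed000002>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 14:21:05 irams1 dovecot: auth-worker(2302): pam(jdoe,192.0.2.10,<c0nstructed000003>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
""".splitlines()


def single_jail():
    """One filter for both failure kinds, tuned harsh enough to catch the slow scan."""
    both = {"unknown_user", "wrong_password"}
    return run(SAMPLE_LOG, [Jail("dovecot", both, findtime=5400, maxretry=2, bantime=86400)])


def two_jails():
    """The split from the thread: tolerant for wrong passwords, harsh for unknown users."""
    return run(SAMPLE_LOG, [
        Jail("dovecot-wrongpw", {"wrong_password"}, findtime=600, maxretry=5, bantime=600),
        Jail("dovecot-unknownuser", {"unknown_user"}, findtime=5400, maxretry=2, bantime=86400),
    ])


if __name__ == "__main__":
    print("single jail:", single_jail())
    print("two jails:  ", two_jails())
```

Run it and the single harsh jail bans both the scanner and the legitimate user who mistyped twice within a minute; the split configuration bans only the scanner, and only once two unknown-user probes fall within 90 minutes of each other (the 14:03 probe had already aged out of the window when the 16:08 one arrived). Note that the window is keyed on the source IP: the second pattern in Olaf's post, one account probed once each from many different IPs, is invisible to any of these jails.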
On 26/07/2017 10:57, Olaf Hopp wrote:
> I'll keep an eye on my logs and maybe some more twaeking is
> necessary.

Twerking?

> So this doesn't look very well coordinated between the bots ;-)

Bots are cheap - free, basically, because they are stolen. Most bruteforce attacks are crap; they try the same username/password pair on the same host over and over again. I would like to be able to signal to the bot "Dude, I do not accept username/password pairs - you need a keypair, so give it a rest". But the bots are dumb, because the economic advantage of building a smart one is zero.

BTW: I don't think this is on-topic for Dovecot - we seem to be discussing mail-abuse abatement measures, which is a much more general topic.

-- 
Jack.
> On 26 Jul 2017, at 7:57 pm, Olaf Hopp <Olaf.Hopp at kit.edu> wrote:
> [...]
> Now I have two distinct jails:
> The first one just for "wrong password" and here the findtime, bantime, retries
> are tolerant to typos.
>
> And I have a new one just for "unknown user" and here my bantime and findtime
> are much bigger and the retries are just '2'. So here I'm much harsher.
> [...]
> Another interesting observation:
> I activated
> auth_verbose_passwords = plain
> to log the plain password when (and only when) there is "unknown user".
> It reveals that all different IPs trying one unknown account always try with the
> same stupid password scheme <ACCOUNT>1234. So this doesn't look very well
> coordinated between the bots ;-)

Olaf, how do you do this only for the unknown user? Can you share the Dovecot settings? I'm under the same sort of slow distributed attack. Also the two fail2ban jails would be helpful.

Thanks,
James.
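James asks for the two jails. The following is an added configuration sketch, not Olaf's actual configuration and not shipped with fail2ban: it takes the filter regex posted earlier in the thread, adds an optional group after `<HOST>` so it matches the session id shown in Olaf's log lines, and pairs it with the findtime/maxretry values mentioned in the thread. File names, the jail names, the port list and the log path are assumptions to adapt to the local setup. One caveat on the Dovecot side: `auth_verbose_passwords = plain` logs the attempted password for every failed authentication, not only for unknown users, so the mail log will also contain mistyped passwords of real users and must be protected accordingly.

```ini
# /etc/fail2ban/filter.d/dovecot-unknownuser.conf  (assumed file name)
[INCLUDES]
before = common.conf

[Definition]
# "unknown user" lines only. The optional ",<session>" group after <HOST>
# accounts for the session id present in the log lines shown in this thread;
# without it the regex posted earlier in the thread cannot match them.
failregex = ^%(__prefix_line)sauth-worker\(\d+\): (?:pam|sql)\([^,]+,<HOST>(?:,[^)]*)?\): unknown user\s*$
ignoreregex =

# /etc/fail2ban/jail.local (fragment): two jails with separate tolerances
[dovecot]
# stock fail2ban "dovecot" filter for wrong passwords: tolerant to typos
enabled  = true
port     = pop3,pop3s,imap,imaps,submission,465,sieve
logpath  = /var/log/mail.log
findtime = 600
maxretry = 5
bantime  = 600

[dovecot-unknownuser]
# probes for accounts that do not exist: two hits within 90 minutes, banned for a day
enabled  = true
filter   = dovecot-unknownuser
port     = pop3,pop3s,imap,imaps,submission,465,sieve
logpath  = /var/log/mail.log
findtime = 5400
maxretry = 2
bantime  = 86400
```

Check the filter against the live log with `fail2ban-regex /var/log/mail.log dovecot-unknownuser` before enabling the jail; if the stock `dovecot` filter on your version also matches unknown-user lines, that does no harm here, because that jail is the tolerant one.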
On 07/25/2017 07:54 AM, mj wrote:
> Since we implemented country blocking,

Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult. Instead, take a look at the fail2ban scenarios in this thread, which solve the actual problem with a precision tool, instead of a hammer.

Doug