Displaying 10 results from an estimated 10 matches for "1q2w3e4r".
2017 Jul 18
3
under some kind of attack
Hi all,
It seems we are under some kind of password guessing attack:
> Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials (given password: 1q2w3e4r5t)
> Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
> Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid credentials (given password: 1q2w3e4r)
> Jul 18 21:36:50...
2017 Jul 18
5
under some kind of attack
...On 18.07.2017 at 21:44, mj wrote:
>> Hi all,
>>
>> It seems we are under some kind of password guessing attack:
>>
>>> Jul 18 21:33:33 auth: Info:
>>> ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials
>>> (given password: 1q2w3e4r5t)
>>> Jul 18 21:34:16 auth: Info:
>>> ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials
>>> (given password: 1q2w3e4r5t)
>>> Jul 18 21:36:13 auth: Info:
>>> ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid
>&...
2017 Jul 18
0
under some kind of attack
On 18.07.2017 at 21:44, mj wrote:
> Hi all,
>
> It seems we are under some kind of password guessing attack:
>
>> Jul 18 21:33:33 auth: Info:
>> ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials
>> (given password: 1q2w3e4r5t)
>> Jul 18 21:34:16 auth: Info:
>> ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials
>> (given password: 1q2w3e4r5t)
>> Jul 18 21:36:13 auth: Info:
>> ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th>): invalid
>> credentials (giv...
2017 Jul 18
0
under some kind of attack
...ieb mj:
>>> Hi all,
>>>
>>> It seems we are under some kind of password guessing attack:
>>>
>>>> Jul 18 21:33:33 auth: Info:
>>>> ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials
>>>> (given password: 1q2w3e4r5t)
>>>> Jul 18 21:34:16 auth: Info:
>>>> ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials
>>>> (given password: 1q2w3e4r5t)
>>>> Jul 18 21:36:13 auth: Info:
>>>> ldap(username2,117.243.180.225,<ESWBoJxUdQB187Th...
2017 Jul 18
0
under some kind of attack
...10:15 PM, mj wrote:
> Robert, your iptables suggestions are _very_ interesting! However, will
> they also work on imaps/993, because of the ssl?
I have adjusted and put into place your iptables suggestion like this:
> iptables -I INPUT -p tcp --dport 143 -m string --algo bm --string '1q2w3e4r' -j DROP
> iptables -I INPUT -p tcp --dport 993 -m string --algo bm --string '1q2w3e4r' -j DROP
However, I don't think it's working, as the login attempts just keep
coming. Probably the reason is: smtp is plain text, and imap TLS/SSL is
not, so the rules never get triggere...
2000 Mar 05
1
The passwd sync chat doesn't seem to work OK.
...'/usr/bin/passwd papa' as password change program.
[2000/03/04 21:58:22, 100] smbd/chgpasswd.c:talktochild(263)
talktochild: chatbuf=[*] responsebuf=[Changing password for user papa
New UNIX password: ]
[2000/03/04 21:58:22, 100] smbd/chgpasswd.c:talktochild(276)
talktochild: sendbuf=[1q2w3e4r
]
[2000/03/04 21:58:22, 100] smbd/chgpasswd.c:talktochild(263)
talktochild: chatbuf=[*password: ] responsebuf=[
Retype new UNIX password: ]
[2000/03/04 21:58:22, 100] smbd/chgpasswd.c:talktochild(276)
talktochild: sendbuf=[1q2w3e4r
]
Everything goes fine until here!!!!
[2000/03/04 21:58...
2017 Jul 20
3
under some kind of attack
Hi all,
If I may, one more question on this subject:
I would like to create a fail2ban filter that scans for these lines:
> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)
(as you can
2017 Jul 20
0
under some kind of attack
...auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)
> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)
> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)
It's still reactive, and not pro-active.
All the other suggestions are very much appreciated, including
weakforced, however implementing that is a much larger project.
Next I have to find out how to feed my fail2ban logs back to
blocklist.de, to improve their mail.txt hit rate.
Thanks...
2017 Jul 20
3
under some kind of attack
...HOST>,.+\): invalid credentials
>> \(given password: 123321\)
>> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: 1234567890\)
>> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials
>> \(given password: 1q2w3e4r.+\)
>
> It's still reactive, and not pro-active.
>
> All the other suggestions are very much appreciated, including
> weakforced, however implementing that is a much larger project.
I don't understand why you focused on those ldap strings
fail2ban should trigger on some "Au...
2009 Jul 23
6
SSH attacks from china
.../password: 19 times
webmaster/password: 19 times
0m0n0b0v/password: 18 times
1z2x3c4v/password: 18 times
cvs/password: 18 times
jack/password: 18 times
web/password: 18 times
1p2o3i4u5y/password: 17 times
1q2w3e1q2w3e/password: 17 times
1q2w3e4r/password: 17 times
a1s2d3/password: 17 times
1p2o3i4u/password: 16 times
linux/password: 16 times
oracle/password: 16 times
1asd2asd3asd/password: 15 times
1l2k3j4h/password: 15 times
1qaz2wsx/password: 15 times
adam/password: 15 times...