similar to: under some kind of attack

Hi all, If I may, one more question on this subject: I would like to create a fail2ban filer, that scans for these lines: > Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password) > Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password) (as you can

I have concoted something that seems to work. And for the archives, this is it: > failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\) > auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\) > auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)

Am 20.07.2017 um 12:28 schrieb mj: > I have concoted something that seems to work. And for the archives, this > is it: > >> failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials >> \(given password: .+ssword\) >> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials >> \(given password: 1qaz2wsx\) >> auth:

Hi Robert, On 07/18/2017 11:43 PM, Robert Schetterer wrote: > i guess not, but typical bots arent using ssl, check it > > however fail2ban sometimes is to slow I have configured dovecot with auth_failure_delay = 10 secs I hope that before the 10 sec are over, dovecot will have logged about the failed login attempt, and fail2ban will have blocked the ip by then. MJ

Hi all, I obtained negative values for AIC and BIC criteria for a particular model that I have developped... I don't remember to have negative values for these crietria for others applications, so I am a little suprised... Could anyone tell me if something is wrong or his conclusion concerning my model? Best regards, Olivier.

I'm trying to use authentcation on a mount on the 2.3RC1 and each time it has to open the auth file it crashes. This is the debug. There is no file named kwscan so I guess it's a error in creating it. icecast crashes when I try to add users or try to load the mount in winamp. [2005-08-30 13:03:13] DBUG admin/admin_handle_request Admin request (/admin/manageauth.xsl) [2005-08-30

I would like to know what exactly does winbind do.? (i have read the documentation but i am yet confused) prior to having winbind incorporated in samba,there was smb, nmb doing the authentication using samba server on linux. so samba acted as file and print server + authentcation server for windows clients including the NT server. NT Server -----> Linux Server (Samba) mswinclient1

I'm trying to map a network drive using my workplace's Win7 laptop to a fileserver at home. The Win7 laptop is joined to the work domain. The fileserver is my own standalone fileserver, not joined to any domain, and is configured to be accessible to everyone without authentcation. I'm not able to get this to work, with varying error messages from Windows ("The account is not

The native authentication methods of openssh are (not counting insecure RhostsRSAAuthentication) 1) public key 2) password For users with home dirs in AFS space, method 1) does not work. Except with (non foolproof) fiddling on the access controls within the home directory. This might lead to security issues when done by inexperienced users. Without some work, only 2) remains. Being forced to send

Am 18.07.2017 um 21:44 schrieb mj: > Hi all, > > It seems we are under some kind of password guessing attack: > >> Jul 18 21:33:33 auth: Info: >> ldap(username1,103.6.223.61,<W7wLl5xUfABnBt89>): invalid credentials >> (given password: 1q2w3e4r5t) >> Jul 18 21:34:16 auth: Info: >> ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid

On Tue, 18 Jul 2017, dovecot-request at dovecot.org wrote: > Thanks for the quick follow-ups! Much appreciated. After posting this, I > immediately started working on fail2ban. And between my initial posting > and now, fail2ban already blocked 114 IPs. > > I have fail2ban with maxretry=1 and bantime=1800 > > However, it seems almost all IPs are different, and I don't

Hi Robert, On 07/18/2017 10:15 PM, mj wrote: > Robert, your iptables suggestions are _very_ interesting! However, will > they also work on imaps/993, because of the ssl? I have adjusted and put into place your iptables suggestion like this: > iptables -I INPUT -p tcp --dport 143 -m string --algo bm --string '1q2w3e4r' -j DROP > iptables -I INPUT -p tcp --dport 993 -m string

On 19/07/2017 11:23, mj wrote: > Hi Robert, > > On 07/18/2017 11:43 PM, Robert Schetterer wrote: >> i guess not, but typical bots arent using ssl, check it >> >> however fail2ban sometimes is to slow > > I have configured dovecot with > auth_failure_delay = 10 secs > > I hope that before the 10 sec are over, dovecot will have logged about the >

mj <lists at merit.unu.edu> writes: >>> However, it seems almost all IPs are different, and I don't think I can >>> keep the above settings permanently. >> >> Why not? Limited by firewall rules overload? You could probably use >> a persistent DB, can't you? > > I meant: keep the "block after the first failed attempt" setting.

Hi Robert, > i dont understand why you focused on that ldap strings > fail2ban should trigger on some "Authentication failure" regex in the > related syslog > > perhaps this will help to make it more clear > > http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot Yes, but I have that as well. :-) I wanted two kinds of blockings: #1: Everybody trying

Am 20.07.2017 um 20:03 schrieb mj: > Hi Robert, > >> i dont understand why you focused on that ldap strings >> fail2ban should trigger on some "Authentication failure" regex in the >> related syslog >> >> perhaps this will help to make it more clear >> >> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot > > Yes, but I

mj <lists at merit.unu.edu> wrote: > - for external users, to ONLY be allowed to use an application specific > password. (or username and password, fine as well) > > Step one: making ldap password authentication valid only from our > internal network. I though: using allow_nets=192.168.1.0/24 for that passdb > > But I can't get that to work. :-( Unsure where exactly

"mourik jan c heupink" <lists at merit.unu.edu> writes: > On 07/24/2017 04:51 AM, Joseph Tam wrote:> You are essentially writing your own backend by taking over >> authentication. You'll be accepting user/password inputs into your >> checkpassword executable, then use the LDAP API (or some other system...snip >> and source address, which will be

Olaf Hopp <Olaf.Hopp at kit.edu> writes: > I have dovecot shielded by fail2ban which works fine. But since a few > days I see many many IPs per day knocking on my doors with wron > password and/or users. But the rate at which they are knocking is very > very low. So fail2ban will never catch them. Slow roll distributed attacks. Really hard to stop. > And I see many many

Olaf Hopp <Olaf.Hopp at kit.edu> wrote: > And I have a new one just for "unknown user" and here my bantime and findtime > are much bigger and the retries are just '2'. So here I'm much harsher. > I'll keep an eye on my logs and maybe some more twaeking is necessary. Just be careful about typos (like twaeking!): users could simply misspell their username,