ot: how to block persistent same invalid account, different IPs

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

ot: how to block persistent same invalid account, different IPs

Voytek Eymont
I've installed fail2ban, it seems to be working as it identified my failed
test logins, BUT, my question is:

what can I do when I see same invalid name trying to login to dovecot,
different IP each time, how can I say block each IP as used by this name ?
or it that a bad idea ?

I can see two persistent attempts as so:

I don't have such user 'ignacio' or 'julian'

#  grep ignacio.munoz  /var/log/dovecot.log | wc
    178    3436   35624
#  grep ignacio.munoz  /var/log/dovecot.log | grep 'auth fail' | wc
    178    3436   35624

#  grep julian  /var/log/dovecot.log | wc
    178    3432   34321
#  grep julian  /var/log/dovecot.log | grep 'auth fail' | wc
    178    3432   34321


last 6 tries, sometimes have just : <ignacio.munoz>, sometimes, with tld

Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
8 secs): user=<[hidden email]>, method=PLAIN, rip=157.122.183.218,
lip=163.47.110.6, TLS, session=<Z4JniOdgkgCderfa>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=<ignacio.munoz>, method=PLAIN, rip=60.172.162.2,
lip=163.47.110.6, TLS, session=<CsdriudgWAA8rKIC>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
10 secs): user=<[hidden email]>, method=PLAIN, rip=60.30.224.189,
lip=163.47.110.6, TLS: Disconnected, session=<kvLWLelg0QA8HuC9>
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=<ignacio.munoz>, method=PLAIN, rip=220.164.2.138,
lip=163.47.110.6, TLS: Disconnected, session=<T7T5L+lgRADcpAKK>
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=<[hidden email]>, method=PLAIN, rip=113.8.194.3,
lip=163.47.110.6, TLS, session=<jfSgoOlgswBxCMID>
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=<ignacio.munoz>, method=PLAIN, rip=58.210.119.226,
lip=163.47.110.6, TLS, session=<moAVo+lg8gA60nfi>





--
Voytek

Reply | Threaded
Open this post in threaded view
|

Re: ot: how to block persistent same invalid account, different IPs

Jeff Abrahamson
On 22/12/17 11:41, Voytek Eymont wrote:

> I've installed fail2ban, it seems to be working as it identified my failed
> test logins, BUT, my question is:
>
> what can I do when I see same invalid name trying to login to dovecot,
> different IP each time, how can I say block each IP as used by this name ?
> or it that a bad idea ?
>
> I can see two persistent attempts as so:
>
> I don't have such user 'ignacio' or 'julian'
>
> #  grep ignacio.munoz  /var/log/dovecot.log | wc
>      178    3436   35624
> #  grep ignacio.munoz  /var/log/dovecot.log | grep 'auth fail' | wc
>      178    3436   35624
>
> #  grep julian  /var/log/dovecot.log | wc
>      178    3432   34321
> #  grep julian  /var/log/dovecot.log | grep 'auth fail' | wc
>      178    3432   34321
>
>
> last 6 tries, sometimes have just : <ignacio.munoz>, sometimes, with tld
>
> Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 8 secs): user=<[hidden email]>, method=PLAIN, rip=157.122.183.218,
> lip=163.47.110.6, TLS, session=<Z4JniOdgkgCderfa>
> Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 7 secs): user=<ignacio.munoz>, method=PLAIN, rip=60.172.162.2,
> lip=163.47.110.6, TLS, session=<CsdriudgWAA8rKIC>
> Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 10 secs): user=<[hidden email]>, method=PLAIN, rip=60.30.224.189,
> lip=163.47.110.6, TLS: Disconnected, session=<kvLWLelg0QA8HuC9>
> Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 7 secs): user=<ignacio.munoz>, method=PLAIN, rip=220.164.2.138,
> lip=163.47.110.6, TLS: Disconnected, session=<T7T5L+lgRADcpAKK>
> Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 6 secs): user=<[hidden email]>, method=PLAIN, rip=113.8.194.3,
> lip=163.47.110.6, TLS, session=<jfSgoOlgswBxCMID>
> Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
> 6 secs): user=<ignacio.munoz>, method=PLAIN, rip=58.210.119.226,
> lip=163.47.110.6, TLS, session=<moAVo+lg8gA60nfi>

fail2ban isn't really the right tool to fight massive DDOS attacks.  On
the other hand, you don't seem to have that problem, so things work out
maybe.

It's cleaner to know the future and ban the right things at the right
times, but is there real harm from people trying bad logins from
different IP's and you just wait for fail2ban to block each one?  Your
log snippet covers 151 minutes, even fail2ban would normally have
unjailed ip's after that much time.

--

Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
https://www.p27.eu/jeff/

purple.com -> p27.eu

Reply | Threaded
Open this post in threaded view
|

Re: ot: how to block persistent same invalid account, different IPs

Marcus Rueckert-3
On 2017-12-22 13:23, Jeff Abrahamson wrote:
> fail2ban isn't really the right tool to fight massive DDOS attacks. 
> On the other hand, you don't seem to have that problem, so things work
> out maybe.
>
> It's cleaner to know the future and ban the right things at the right
> times, but is there real harm from people trying bad logins from
> different IP's and you just wait for fail2ban to block each one?  Your
> log snippet covers 151 minutes, even fail2ban would normally have
> unjailed ip's after that much time.

https://wiki2.dovecot.org/Authentication/Policy
https://github.com/PowerDNS/weakforced

works much better imho.