# xt_geoip match: drop IMAP (143), IMAPS (993) and SMTPS (465) connections whose source address maps to the listed country codes
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP
Hi folks,
"somehow" similar to the thread "under some kind of attack" started by
"MJ":
I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wrong passwords and/or users. But the rate at which they are
knocking is very very low. So fail2ban will never catch them.
For example one IP:
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate()
failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Note the timestamps.
If I look the other way round (tries to one account) I'll get
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
Also note the timestamps!
And I see many many distinct IPs per day (a few hundred) trying many
many existing and non-existing accounts.
As you see in the timestamps in my examples, this can not be handled by
fail2ban without affecting regular users with typos.
Is anybody observing something similar?
Anybody an idea against this?
Many of these observed IPs are Chinese mobile IPs, if this matters. But
we have also Chinese students and researchers all abroad.
Regards,
Olaf
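The pattern Olaf describes is a low-and-slow, distributed probe: each source IP makes only a handful of attempts per day (below any sane fail2ban maxretry/findtime), and each account is tried from many different IPs. Looking at the log per IP over a long window and per account across IPs makes both halves visible. Below is an added example (not from the thread, not part of Dovecot or fail2ban) that parses the dovecot auth-worker lines quoted above, rejoined onto one line each, and flags (a) source IPs that fail against several distinct accounts within 24 hours and (b) accounts probed from many distinct sources. The year is not in syslog timestamps, so it is an assumed parameter; the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log records taken from the post above, rejoined onto one line each
# (the line wraps were introduced by the mail client, not by dovecot).
SAMPLE_LOG = """\
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
"""

# Matches the dovecot PAM auth-worker failure format seen in the post:
# "<syslog ts> <host> dovecot: auth-worker(<pid>): pam(<user>,<ip>,<sid>): <reason>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"pam\((?P<user>[^,]*),(?P<ip>[^,]+),<[^>]*>\): (?P<reason>.*)$"
)


def parse_failures(text, year=2015):
    """Return a list of (timestamp, user, ip, reason) for each PAM auth failure.

    Syslog timestamps carry no year, so the year is supplied (assumed here).
    """
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated dovecot line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["ip"], m["reason"]))
    return failures


def slow_scanners(failures, window=timedelta(hours=24), min_failures=3, min_users=2):
    """Source IPs that fail against several distinct accounts within a long window.

    fail2ban counts hits per IP inside a short findtime; this looks at the long
    tail instead. Returns {ip: (failure_count, sorted distinct users)} using the
    busiest window seen for that IP.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, _ in failures:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until all events fit inside it
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = sorted({u for _, u in span})
            if len(span) >= min_failures and len(users) >= min_users:
                if ip not in hits or len(span) > hits[ip][0]:
                    hits[ip] = (len(span), users)
    return hits


def sprayed_accounts(failures, min_ips=3):
    """Accounts probed from many distinct sources: the distributed half of the
    pattern, invisible to any per-IP counter. Returns {user: sorted ips}."""
    by_user = defaultdict(set)
    for _, user, ip, _ in failures:
        by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for ip, (count, users) in slow_scanners(events).items():
        print(f"slow scanner {ip}: {count} failures against {users}")
    for user, ips in sprayed_accounts(events).items():
        print(f"account {user} probed from {len(ips)} sources: {ips}")
```

On the nine records from the post this reports 101.231.247.210 as one source failing against four different accounts in a few hours, and endsulei as an account probed from six distinct sources. The per-account view is the one that survives even if each source only ever connects once, which is why an allow-list of countries or an IP-based ban alone does not end the problem; it also tells you which (existing) accounts to check for weak passwords.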