On 25.07.2017 at 16:37, Olaf Hopp wrote:
> Hi folks,
>
> "somehow" similar to the thread "under some kind of attack" started by
> "MJ":
>
> I have dovecot shielded by fail2ban which works fine.
> But for a few days I have seen many many IPs per day knocking on
> my doors with wrong passwords and/or users. But the rate at which they are
> knocking is very very low. So fail2ban will never catch them.
>
> For example one IP:
>
> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
>
> Note the timestamps.
> If I look the other way round (tries on one account) I get
>
> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,<kaE1qCJVn7neVHZT>): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,<R5H56CRVdJfO1gB4>): unknown user
>
> Also note the timestamps!
>
> And I see many many distinct IPs per day (a few hundred) trying many
> many existing and non-existing accounts.
> As you see in the timestamps in my examples, this cannot be handled by
> fail2ban without affecting regular users with typos.
> Is anybody observing something similar?
All the time, for years. In my case it's always the schema user xyz.abc; in my case all usernames without @ could be dropped at once, a regex deny should be fine, but I haven't implemented/thought of it because it's coming in small waves and mostly fail2ban stops it soon.

> Anybody an idea against this?
> Many of these observed IPs are Chinese mobile IPs, if this matters. But
> we also have Chinese students and researchers all abroad.
>
> Regards,
> Olaf

Best regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
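As an added example (not code from either poster), the script below parses a subset of the dovecot auth-worker lines quoted above, counts distinct accounts per IP and distinct IPs per account (the two cross-sections Olaf shows, which a per-IP fail2ban jail never sees), and lists the usernames without an '@' that Robert's regex-deny idea would match. The thresholds and the one extra line for alice@example.org from 192.0.2.10 are constructed assumptions, not from the thread.

```python
import re
from collections import defaultdict

# Format of the dovecot auth-worker lines quoted in the thread:
# "<ts> <host> dovecot: auth-worker(<pid>): pam(<user>,<ip>,<session>): <reason>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"pam\((?P<user>[^,]*),(?P<ip>[^,]+),<[^>]*>\): (?P<reason>.*)$"
)

# Lines from the thread (re-joined across the mail wrapping) plus one
# constructed line for a legitimate user with a domain part (assumption).
SAMPLE_LOG = """\
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,<gAulHSNVsNZl5/fS>): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,<dPzYIyRVtOpl5/fS>): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,<Ws6t3iRVkOhl5/fS>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,<dceL5SRVGZVl5/fS>): unknown user
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,<slp6mhhViI48pgx1>): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:40:02 irams1 dovecot: auth-worker(4801): pam(alice@example.org,192.0.2.10,<constructed0000>): pam_authenticate() failed: Authentication failure (password mismatch?)
""".splitlines()

def parse(lines):
    """Yield (user, ip) for every auth-worker failure line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("ip")

def suspicious(lines, min_users=3, min_ips=3):
    """Return (IPs that tried >= min_users distinct accounts,
    accounts tried from >= min_ips distinct IPs).

    Counting distinct names and sources instead of failures per IP is what
    separates a slow distributed sweep from a real user mistyping a password:
    a typo repeats the same account from the same address."""
    users_per_ip, ips_per_user = defaultdict(set), defaultdict(set)
    for user, ip in parse(lines):
        users_per_ip[ip].add(user)
        ips_per_user[user].add(ip)
    ips = sorted(ip for ip, u in users_per_ip.items() if len(u) >= min_users)
    users = sorted(u for u, i in ips_per_user.items() if len(i) >= min_ips)
    return ips, users

def bare_usernames(lines):
    """Usernames without '@', the shape a regex deny as proposed above would reject."""
    return sorted({user for user, _ip in parse(lines) if "@" not in user})
```

With the sample above, `suspicious(SAMPLE_LOG)` flags 101.231.247.210 as sweeping accounts and endsulei as the account being probed from many sources, while alice@example.org stays unflagged.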