Their is more and more reasons to use 3rd party network reputation at
the authentication level. While our platforms have pretty sophisticated
combination, that includes of course transparent 2FA, but a very
granular set of rules for stopping BEC (Business Email Compromise), and
dropping obvious attacks into the firewall (ipset) but not meaning to be
blowing our own horn, just pointing out that while this problems is a
multi-layer approach, there are SOME things everyone can do...
* Use services like RATS-AUTH to block IPs that can safely be blocked as
known hackers..
* Use services like RATS-NULL (or SpamHaus DROP lists) right in the
firewall level. There are SOME networks that should simply be 'unplugged'
* Block authentication from certain cloud platforms
Very few mail servers have authentication from Azure, GoogleCloud, AWS,
Digital Ocean and several others.. Your clients are using using their
phones, offices, and home connections. You can always exempt blocking
for the 'odd' client/customer IP that needs to relay from a cloud server.
* Turn off port 110 (well, all plain text authentication) 90% less email
compromise reports when you do..
If you want more helpful tips, you can always ping me off list, and if I
have time, can offer some advice. BEC compromise is still one of the
biggest threats..
...
Nice to see Dovecot also following in our footsteps and looking at
things like JA3 and other network level identifiers .. many windows
botnets and routers botnets can be thwarted or at least identified
without having to risk blocking shared IPs..
Fail2ban has been a great tool for many years for many people and
purposes, but a lot more logic is needed now in that layer to safer
block authentication attacks.
Hope this message helps members of the list. Some things should be made
to help everyone, no matter what kind of email platform they use..
-- Michael, Happy Summer Solstice --
eg.. IPs you can't block, but individual connections you can..
grep Marai mail.info | wc -l == 14485
On 2023-06-22 04:58, André Rodier via dovecot wrote:
Hello, all.
I just set-up a new server, running postfix, with submission(s)
activated on standard ports (587, 465)
Shortly after it has been setup, I see brute force attacks (not
surprising) from a whole /24 network (more surprising).
I carefully checked the logs, and see the modus operandi, which
basically loop across the IP addresses in the network,
to avoid being blacklisted by tools like fail2ban. And it is true, even
with fail2ban activated, no IP is blacklisted.
By activating verbose logging, I see multiple user names are tried, not
only passwords.
Is there any way, with postfix, to run a script on authentication
failure, with information like the IP address and the
username passed, for instance.
I basically need features that fail2ban doesn't offer
- I would like to not rely on reading logs, removing one step and acting
more pro-actively.
- If a script is called on authentication failure, it is fairly easy to
use a Levenshtein distance to differentiate
between a user having lost his password and a brute force attack.
- If I log all the failure in a database, with the IP address, and the
whois information, the script would take decision
according to the whois information.
What are you using on your side ?
- Do you know any service, that I could use, to get the network to ban
from an IP address reputation, something like
crowdsec, for instance ?
- Anyone has success with Suricata, Snort, or a tool like this ?
Please, do not suggest third party hosted services, I want to be part of
my self-hosting solution.
Kind regards,
André
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
