Hi Hadmut (and list :-)),

I've been part of a team working on an open source monitoring tool specialized in Postfix called Lightmeter, and one of the features we are working on at the moment is brute force attack analysis.
We are on early development stages of the feature, looking for feedback and suggestions.
Our approach consists of analyzing activity contributed by multiple users for local and global patterns and sources of attacks, ultimately automating the blocking of such sources as a preventive measure.
At the moment we use the Postfix log files to analyze such activity. The logs are processed by Lightmeter locally and some compiled data from it is sent to our servers for the analysis.
Over the past few days we've been doing some experiments and implemented a simple visualization tool in Lightmeter that shows failed authentication attempts over time, alongside their IP addresses.
It's a very simple feature for now, as we plan to continue iterating to improve it.
I've recorded a short video [1] showing how the feature looks at the moment. It's not yet released, but the source code is available on our repository [2].
The ideas we are evaluating and experimenting with are:

- Providing ways to automatically detect potential (and successful, if we miss them) attacks, notifying the sysadmin about such breaches in real time.
- Automatically blocklisting the detected IP addresses.
- Providing a tool for allowlisting IP addresses previously blocked.
- Detecting that connections from multiple origins are part of the same attack attempts, potentially uncovering different organizations and IP groups often used by attacks.
- Jumping to the log line relative to that connection when clicking on a connection in the graph, for detailed analysis. This is done using an embedded log viewer.
We would be glad if you folks could test the feature and let us know your thoughts, concerns, wishes, ideas for improvement or feedback in general.
[1] https://www.youtube.com/watch?v=r2l-xF-8zJE
[2] https://gitlab.com/lightmeter/controlcenter/

On 7/30/21 4:49 PM, Hadmut Danisch wrote:
> Hi,
>
> we are experiencing permanent high traffic from numerous sites trying to smtp auth to our postfix node, obviously trying to brute force password dictionaries against mail address lists probably taken from spam lists (including lots of older message ids with the same syntax as mail addresses).
>
> For some reason beyond the common noise we need to do some deeper analysis about who is trying which user account from where. Unfortunately, the required data, i.e. client IP address and username, are distributed in different log files. The IP address is written to postfix's log, while the username is in saslauthd's log in case of failure, with the time stamp as the only link between both.
>
> Is there some best current practice or recommended log config to analyze persistent login attempts?
>
> (We are considering limiting smtp auth to the submission port 587 and having a blacklist for that in the firewall, but maintaining such a blacklist still requires understanding who is attacking and how.)
>
> regards
> Hadmut
-- 
Regards,
Leandro Santiago
Software Craftsman at Lightmeter
https://lightmeter.io
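The correlation problem Hadmut describes (client IP in the Postfix log, username in the saslauthd log, timestamp as the only shared field) can be worked through with a small script. The following is an added example written for this thread; it is neither Lightmeter's code nor anything posted by Hadmut or Leandro. It assumes the standard Postfix `smtpd` "SASL ... authentication failed" warning and the saslauthd "auth failure: [user=...]" line in traditional syslog format, assumes a year (syslog timestamps carry none), and uses constructed sample lines. The point it makes beyond the thread: when several failures land in the same second, the timestamp cannot say which username belongs to which client, so the script keeps those pairings but marks them unconfirmed instead of guessing, and only counts attempts per IP from the Postfix side.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real server), traditional syslog
# format without a year. The second-to-last Postfix line is a plain "connect
# from" and must not be counted as a failure.
POSTFIX_LOG = """\
Jul 30 16:49:01 mx postfix/smtpd[4242]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jul 30 16:49:03 mx postfix/smtpd[4242]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jul 30 16:49:03 mx postfix/smtpd[4243]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul 30 16:49:10 mx postfix/smtpd[4244]: connect from unknown[192.0.2.9]
Jul 30 16:49:11 mx postfix/smtpd[4244]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: authentication failure
"""
SASLAUTHD_LOG = """\
Jul 30 16:49:01 mx saslauthd[1234]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Jul 30 16:49:03 mx saslauthd[1234]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Jul 30 16:49:03 mx saslauthd[1234]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Jul 30 16:49:11 mx saslauthd[1234]: do_auth         : auth failure: [user=admin@example.org] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
SASL_RE = re.compile(r"saslauthd\[\d+\]: .*auth failure: \[user=(?P<user>[^\]]*)\]")
YEAR = 2021  # assumed: syslog timestamps carry no year


def parse_ts(line):
    """Return the line's syslog timestamp as a datetime, or None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    compact = " ".join(m["ts"].split())  # collapse the padding in "Jul  3"
    return datetime.strptime(f"{YEAR} {compact}", "%Y %b %d %H:%M:%S")


def extract(text, pattern, field):
    """Return (timestamp, field) for every line that matches pattern."""
    out = []
    for line in text.splitlines():
        m = pattern.search(line)
        ts = parse_ts(line)
        if m and ts:
            out.append((ts, m[field]))
    return out


def correlate(pf, sa):
    """Join Postfix failures (IP) with saslauthd failures (user) on the
    timestamp, the only field both logs share. A pairing is confident only
    when exactly one failure of each kind fell in that second; otherwise
    every IP/user pairing within the second is kept but marked unconfirmed."""
    by_sec_ip, by_sec_user = defaultdict(list), defaultdict(list)
    for ts, ip in pf:
        by_sec_ip[ts].append(ip)
    for ts, user in sa:
        by_sec_user[ts].append(user)
    rows = []
    for ts in sorted(by_sec_ip):
        ips, users = by_sec_ip[ts], by_sec_user.get(ts, [])
        confident = len(ips) == 1 and len(users) == 1
        for ip in ips:
            for user in users:
                rows.append((ts, ip, user, confident))
    return rows


def report(postfix_text, saslauthd_text, threshold=2):
    """Per-IP summary: failed attempts (counted from the Postfix side only),
    confidently attributed usernames, and usernames that can only be
    attributed ambiguously. IPs at or above the threshold are flagged as
    blocklist candidates for a human to review."""
    pf = extract(postfix_text, POSTFIX_RE, "ip")
    sa = extract(saslauthd_text, SASL_RE, "user")
    attempts = Counter(ip for _, ip in pf)
    summary = {ip: {"attempts": n, "users": set(), "unconfirmed": set(),
                    "flagged": n >= threshold}
               for ip, n in attempts.items()}
    for _, ip, user, confident in correlate(pf, sa):
        summary[ip]["users" if confident else "unconfirmed"].add(user)
    return summary


def blocklist_candidates(summary):
    """Sorted list of flagged IPs, ready for review before any firewall rule."""
    return sorted(ip for ip, s in summary.items() if s["flagged"])


if __name__ == "__main__":
    s = report(POSTFIX_LOG, SASLAUTHD_LOG)
    for ip, info in sorted(s.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} attempts={info['attempts']} users={sorted(info['users'])} "
              f"unconfirmed={sorted(info['unconfirmed'])} flagged={info['flagged']}")
    print("candidates:", blocklist_candidates(s))
```

On the sample data, 203.0.113.5 gets two attempts, `alice` confidently and `bob`/`carol` only as unconfirmed, because its second failure shares the 16:49:03 second with a failure from 198.51.100.7. Running this over real files means feeding the two logs in, raising the threshold to something suited to the site, and treating the candidate list as input to the allow/blocklist review Leandro describes rather than as an automatic firewall feed.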
