Thanks Tom, that's a great suggestion.
Have I left anything out, or does that setup look like it would work?
I'm thinking perhaps I also needed to copy any base definitions for
[dovecot] to the alternate definition in jail.local?
I just want to make sure if I want to copy and rename an existing
rule to add a custom one of my own, I'm not missing any part of the process?
At 02:34 AM 3/4/2019, Tom Hendrikx wrote:
On 04-03-19 00:01, Mike wrote:
I am seeing various entries in my secure log like:
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73
All of these are invalid attempts to probe IMAP/POP3 obviously.
What I want to do is create a set of rules that ban IPs based,
after one try, on certain login credentials they're using for
Dovecot. The rules would follow these basic steps:
1. Ban any failed POP3/IMAP login attempt using the
name "svetlana" prefix (I don't have anybody by that name on my
server, and I can see a bot is adding extra numbers and random
domains, presumably to probe for other vulnerabilities during login)
2. Ban any instance of a login attempt of webmaster@(any domain)
since any accounts like that are aliases and not actual mailboxes.
3. Ban any instance of a login attempt of
[email protected] because that domain is either not
mapped to this server, or has no IMAP/POP3 accounts associated with it.
Am I correct in assuming that in order to do this, I can do the
following steps?
1. copy filter.d/dovecot.conf to another name like
filter.d/dovecot-honeypot.conf
2. then make a copy of the [dovecot] configuration in jail.local
but rename [dovecot] to [dovecot-honeypot] and tweak bantime appropriately
3. modify filter.d/dovecot-honeypot.conf and make these the rules
under failregex =:
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=svetlana\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=webmaster@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*@specificdomain.com rhost=<HOST>(?:\s+user=\S*)?\s*$
Would this be the proper approach towards implementing this
additional filter?
This list quickly grows in an unreadable mess, with a regex for each
name. Since you're already using regexes, why don't you use something like:
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=(svetlana|webmaster|another)@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*@(specificdomain.com|example.org|anotherexample.com) rhost=<HOST>(?:\s+user=\S*)?\s*$
I.e. one regex for all user parts before the @, and one other regex
for all domains you want to block.
Am I leaving something out?
Is there anything else I need to consider?
You're talking about honeypot here, but most people think about a
different kind of setup when they read 'honeypot setup', so be
careful in your naming.
Thanks!
- Mike
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
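An added example, not from the thread or from fail2ban itself, that runs Tom's two combined failregex lines over constructed secure-log lines the way fail2ban-regex would, to see which hosts they catch. The %(__prefix_line)s and %(__pam_auth)s stand-ins, the sample lines and the addresses in them are assumptions made for this test.

```python
import re

# Stand-ins for the fail2ban substitutions, assumed for this test only: the real
# __prefix_line in filter.d/common.conf is far more general; __pam_auth there is
# "pam_unix", and <HOST> is expanded to the named group fail2ban uses.
PREFIX_LINE = r"(?:\w{3}\s+\d+\s+\d+:\d+:\d+\s+)?\S+\s+auth:\s*"
PAM_AUTH = r"pam_unix"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two combined failregex lines from the reply, each joined back onto one line.
FAILREGEX = [
    r"^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=dovecot ruser=(svetlana|webmaster|another)@\S* "
    r"rhost=<HOST>(?:\s+user=\S*)?\s*$",
    r"^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=dovecot "
    r"ruser=\S*@(specificdomain.com|example.org|anotherexample.com) "
    r"rhost=<HOST>(?:\s+user=\S*)?\s*$",
]

# Constructed log lines in the shape of the quoted secure-log entries (documentation
# addresses, no real hosts). The second one never matches: the alternation wants the
# bare name, so the numbered "svetlana..." variants need (svetlana\S*|webmaster|...).
SAMPLE_LOG = [
    "Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=svetlana@mail.example rhost=203.0.113.5",
    "Mar  3 05:23:59 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=svetlana123@mail.example rhost=203.0.113.6",
    "Mar  3 05:24:01 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=bob@specificdomain.com rhost=203.0.113.7",
    "Mar  3 05:24:02 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=bob@mail.example rhost=203.0.113.8",
]


def compile_failregex(patterns):
    """Apply the %(name)s and <HOST> substitutions, then compile as fail2ban does."""
    subs = {"__prefix_line": PREFIX_LINE, "__pam_auth": PAM_AUTH}
    return [re.compile((p % subs).replace("<HOST>", HOST)) for p in patterns]


def failures(lines, patterns=FAILREGEX):
    """Return (host, index of the failregex that hit) for each line that matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), idx))
                break  # one failure per log line, as fail2ban counts it
    return hits
```

The dots in the domain alternation are unescaped and so match any character; in a real filter write them as `\.`.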