Hi,
Got some time to dig into this. In my case I want to protect an SFTP
server, so pam-generic is my starting point. Here is what I did:
cd /etc/fail2ban
cp filter.d/pam-generic.conf filter.d/pam-single.conf
vi filter.d/pam-single.conf
There I just added an interpolation string with the users I DO NOT want
to even try my server, to ease administration, and changed failregex like
this:
_banusers = admin|root|ftp|support|test|ftpuser|ubuntu|nagios|applmgr|zimbra|ubnt|osmc|nathan|kraft|bananapi|Administrator|zachary|webmaster|pi
failregex = ^ruser= rhost=<HOST>\s+user=(%(_banusers)s)$
And finally:
vi jail.d/pam-single.local
[pam-single]
enabled = true
maxretry = 1
filter = pam-single
action = iptables-allports[name=Honeypot, protocol=all]
logpath = /var/log/auth.log
Testing the result with:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/pam-single.conf
Gives me Lines: 9217 lines, 0 ignored, 86 matched, 9131 missed
Got the initial real user list with the command below, will improve it over
time according to future occurrences:
grep "Invalid user" /var/log/auth.log | awk '{print $8}' | sort -n | uniq -c | sort -n
Will test over the next days and post here if any change is needed.
Thanks for any improvement.
Best regards.
On 21/03/2019 00:59, Mike wrote:
At 06:46 AM 3/19/2019, Marcio Vogel Merlone dos Santos wrote:
I am very limited in time, but I'm in. Where do we start?
I posted this a few weeks back, looking to fine-tune a honeypot
configuration.. Here's what I proposed:
I am seeing various entries in my secure log like:
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73
Mar 3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=178.252.80.73
All of these are invalid attempts to probe IMAP/POP3 obviously.
What I want to do is create a set of rules that ban IPs based, after
one try, on certain login credentials they're using for Dovecot. The
rules would follow these basic steps:
1. Ban any failed POP3/IMAP login attempt using the "svetlana" name
prefix (I don't have anybody by that name on my server, and I can see
a bot is adding extra numbers and random domains, presumably to probe
for other vulnerabilities during login)
2. Ban any instance of a login attempt of webmaster@(any domain)
since any accounts like that are aliases and not actual mailboxes.
3. Ban any instance of a login attempt of
[email protected] because that domain is either not mapped
to this server, or has no IMAP/POP3 accounts associated with it.
Am I correct in assuming that in order to do this, I can do the
following steps?
1. copy filter.d/dovecot.conf to another name like
filter.d/dovecot-honeypot.conf
2. then make a copy of the [dovecot] configuration in jail.local but
rename [dovecot] to [dovecot-honeypot] and tweak bantime appropriately
3. modify filter.d/dovecot-honeypot.conf and make these the rules
under failregex =:
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=svetlana\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=webmaster@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*@specificdomain\.com rhost=<HOST>(?:\s+user=\S*)?\s*$
Would this be the proper approach towards implementing this
additional filter?
Am I leaving something out?
Is there anything else I need to consider?
Thanks!
- Mike
--
*Marcio Merlone*
IT - Network administrator
*A1 Engenharia - Corporate Unit*
Phone: +55 41 3616-3797
Mobile: +55 41 99689-0036
https://a1.ind.br/
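Editor's added example (not code from either post, nor from fail2ban itself) covering both procedures in this thread: Marcio's pam-single filter for the SFTP/sshd case and Mike's dovecot-honeypot rules. It imitates fail2ban's prefregex/failregex split offline so the two failregexes can be checked against sample lines without a running fail2ban. Assumptions: the log lines are constructed (RFC 5737 addresses, made-up hostnames), <HOST> is simplified to a bare run of non-space characters, and example.org stands in for the "specificdomain.com" placeholder of Mike's third rule.

```python
"""Offline check of the pam-single (sshd/SFTP) and dovecot-honeypot filters.

Added example, not from the thread or from fail2ban. It copies the idea of
fail2ban's prefregex/failregex split: one regex strips the syslog header and
the pam boilerplate, then each jail's failregex runs on the remaining content.
"""
import re
from collections import Counter

# Constructed sample of /var/log/auth.log. Not real log data.
SAMPLE_LOG = """\
Mar 19 06:46:01 sftp sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
Mar 19 06:46:02 sftp sshd[2102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.8  user=marcio
Mar 19 06:46:03 sftp sshd[2103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=pipeline
Mar 19 06:46:04 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=svetlana42@example.net rhost=203.0.113.5
Mar 19 06:46:05 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster@example.org rhost=203.0.113.6
Mar 19 06:46:06 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.org rhost=203.0.113.7
Mar 19 06:46:07 sd2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob@example.com rhost=203.0.113.8
Mar 19 06:46:08 sftp sshd[2104]: Accepted publickey for marcio from 198.51.100.8 port 50222 ssh2
"""

# Simplified stand-in for fail2ban's <HOST> (the real one also handles
# IPv6-mapped forms and hostnames).
HOST = r"(?P<host>\S+)"

# Stand-in for __prefix_line plus the pam prefix: drop the syslog header and
# the "authentication failure; logname=... tty=..." boilerplate and keep the
# rest as the content a failregex sees. The tty is captured so a jail can
# restrict itself the way Mike's tty=dovecot regexes do.
PREFREGEX = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+?(?:\[\d+\])?: "
    r"pam_unix\([^)]*\): authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=(?P<tty>\S*) (?P<content>.+)$"
)

# Marcio's _banusers list, verbatim.
BANUSERS = ("admin|root|ftp|support|test|ftpuser|ubuntu|nagios|applmgr|zimbra"
            "|ubnt|osmc|nathan|kraft|bananapi|Administrator|zachary|webmaster|pi")


def pam_single_failregex(users=BANUSERS, anchored=True):
    """Marcio's failregex with <HOST> expanded. anchored=False drops the
    trailing $ to show why it matters: without it "pi" also matches
    "pipeline" and any other name that merely starts with a listed one."""
    tail = "$" if anchored else ""
    return re.compile(rf"^ruser= rhost={HOST}\s+user=(?:{users}){tail}")


# Mike's three rules folded into one regex over the content part
# (example.org is an assumed stand-in for "specificdomain.com").
DOVECOT_HONEYPOT = re.compile(
    rf"^ruser=(?:svetlana\S*|webmaster@\S*|\S*@example\.org) rhost={HOST}"
    r"(?:\s+user=\S*)?\s*$"
)

# jail name -> (required tty or None for any pam service, failregex)
JAILS = {
    "pam-single": (None, pam_single_failregex()),
    "dovecot-honeypot": ("dovecot", DOVECOT_HONEYPOT),
}


def scan(log_text, jails=JAILS):
    """Return {jail: Counter(host -> number of matching lines)}."""
    hits = {name: Counter() for name in jails}
    for line in log_text.splitlines():
        m = PREFREGEX.match(line)
        if not m:
            continue  # not a pam authentication failure line at all
        for name, (tty, failregex) in jails.items():
            if tty is not None and m.group("tty") != tty:
                continue
            f = failregex.match(m.group("content"))
            if f:
                hits[name][f.group("host")] += 1
    return hits


def banned(log_text, jails=JAILS, maxretry=1):
    """Hosts each jail would ban with the given maxretry (1 in both posts)."""
    return {name: sorted(h for h, n in c.items() if n >= maxretry)
            for name, c in scan(log_text, jails).items()}


if __name__ == "__main__":
    for jail, hosts in banned(SAMPLE_LOG).items():
        print(f"{jail}: {hosts}")
    loose = dict(JAILS, **{"pam-single": (None, pam_single_failregex(anchored=False))})
    print("pam-single without trailing $:", banned(SAMPLE_LOG, loose)["pam-single"])
```

Run stand-alone it reports 198.51.100.7 (user=admin) for pam-single and the svetlana, webmaster@ and @example.org hosts for dovecot-honeypot, while user=marcio and bob@example.com are left alone; dropping the trailing $ additionally bans the host that tried user=pipeline, which is the kind of false positive to watch for when the ban list is a plain alternation. For the real filter, fail2ban-regex against the actual filter file remains the authoritative check, and with maxretry = 1 a single probe is enough to ban.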
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users