Hi all!

I registered here only recently and this is my first post here (I am
sorry, my English is not the best)...

In recent days I have been bothered by many login attempts to my personal mail
server, which I have used for some years. I am seeing a distributed dictionary
attack against the IMAP server, which was partially blocked by my fail2ban with
some manual intervention. But attempts to log in to the SMTP server are
less frequent, thus more difficult to catch.

I will briefly describe the current situation:

They all connect to port 465 (as I do not provide another for logins)
and repeat one attempt about every hour (30 - 90 min), each from a
different IP. Most of them are known to Spamhaus CSS/XBL, which I use
to deny AUTH for them. They wait max. about 10 s for every response
(connect, EHLO, AUTH), and then disconnect without QUIT. They
disconnect without QUIT on a 5xx response to AUTH too. I do not know what
accounts/passwords they are trying, as the real AUTH doesn't happen.

Two or three days ago I decided to extend the AUTH response delay so that
they disconnect before they get the reply, and to see what happens. This
results in a burst of 8 - 12 attempts every time, again all from different
IPs. They are logged and counted by exim's notQUIT ACL; here is an excerpt
(wrapped manually):

2021-07-17 20:18:02 H=[186.190.163.50] NotQ connection-lost
  (AS:27953 10.5, N:186.190.163.0/24 1.0, C:AR 40.1) EHLO,AUTH
2021-07-17 20:18:24 H=[202.52.230.206] NotQ connection-lost
  (AS:4613 2.6, N:202.52.230.0/24 1.0, C:NP 4.3) EHLO,AUTH
2021-07-17 20:18:46 H=[187.62.177.90] NotQ connection-lost
  (AS:262662 1.0, N:187.62.176.0/21 1.0, C:BR 301.1) EHLO,AUTH
2021-07-17 20:19:14 H=[103.63.29.72] NotQ connection-lost
  (AS:134888 2.0, N:103.63.29.0/24 2.0, C:IN 46.7) EHLO,AUTH
2021-07-17 20:19:49 H=[45.188.61.3] NotQ connection-lost
  (AS:269585 1.0, N:45.188.61.0/24 1.0, C:BR 302.1) EHLO,AUTH
2021-07-17 20:20:16 H=[188.112.7.125] NotQ connection-lost
  (AS:42739 6.9, N:188.112.0.0/18 3.4, C:PL 65.7) EHLO,AUTH
2021-07-17 20:20:47 H=[45.168.31.121] NotQ connection-lost
  (AS:268052 1.9, N:45.168.31.0/24 1.0, C:BR 303.0) EHLO,AUTH

I count ASN (AS:), IP network (N:) and country (C:) with exim's ratelimit
facility over 1 week, to get a quick overview. Most of them come from
Brazil; the other top sources include India, Poland, Argentina and others. An IP
is only rarely used more than once, and as one can see, the IP networks
and AS numbers don't get high counts either (with some exceptions, which
I blocked manually).

Please, I want to ask others whether these (mostly) Brazilian attempts are known to
others too, or am I a "special" target? Some other questions come
to my mind without answers; while perhaps nobody here will/can know the
right answer, I will ask:

- I have used the blocklist.de IP list to block access on my router for years, but I
  have the feeling recently that it is not as effective as before; can it be
  related, that I did not see similar attempts before?
- Does someone have a similar feeling about blocklist.de's effectiveness, or am I
  wrong?
- Some days ago I decided to register my IP with dnswl.org; can it be
  related? (Really, I am not sure whether they started closely before I
  registered or after.)

And finally, please can someone help me to create a fail2ban rule which
will catch the network IP from these logs? While I am able to write my own f2b
rules and actions, I do not know how to catch (and use) the network address
in them and I cannot find any resource for it.

Thanks

-- 
Slavko
http://slavino.sk
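The parsing the post asks about, as an added example that is not part of the original message (the regex, the function names and the one extra log record are my own assumptions): it unwraps the notQUIT records quoted above, extracts the N: prefix that exim's ratelimit already computed, checks that the client IP really sits inside that prefix, and counts hits per prefix and per country. It is written in Python rather than as a fail2ban filter because fail2ban's `<HOST>` tag is built around a single client address; what to do with a captured prefix (a custom action that bans the whole N: block once a threshold like the one in `networks_over` is reached) depends on the fail2ban version in use, so that part is left to the filter author.

```python
import re
import ipaddress
from collections import Counter

# Pattern for the exim notQUIT ACL records quoted in the post. In the real log
# each record is one line; the post wrapped them only for display. The group
# names are my own choice (assumption, not exim's field names).
NOTQ_RE = re.compile(
    r"""
    ^(?P<ts>\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d)\s+
    H=\[(?P<ip>[^\]]+)\]\s+
    NotQ\s+(?P<reason>\S+)\s+
    \(AS:(?P<asn>\d+)\s(?P<asn_rate>[\d.]+),\s+
    N:(?P<net>[\d.]+/\d+)\s(?P<net_rate>[\d.]+),\s+
    C:(?P<cc>[A-Z]{2})\s(?P<cc_rate>[\d.]+)\)\s+
    (?P<cmds>[A-Z,]+)\s*$
    """,
    re.VERBOSE,
)

# The seven records from the post, unwrapped, plus one constructed record
# (187.62.177.91, same /21 as 187.62.177.90) so aggregation has something to show.
SAMPLE_LINES = [
    "2021-07-17 20:18:02 H=[186.190.163.50] NotQ connection-lost (AS:27953 10.5, N:186.190.163.0/24 1.0, C:AR 40.1) EHLO,AUTH",
    "2021-07-17 20:18:24 H=[202.52.230.206] NotQ connection-lost (AS:4613 2.6, N:202.52.230.0/24 1.0, C:NP 4.3) EHLO,AUTH",
    "2021-07-17 20:18:46 H=[187.62.177.90] NotQ connection-lost (AS:262662 1.0, N:187.62.176.0/21 1.0, C:BR 301.1) EHLO,AUTH",
    "2021-07-17 20:19:14 H=[103.63.29.72] NotQ connection-lost (AS:134888 2.0, N:103.63.29.0/24 2.0, C:IN 46.7) EHLO,AUTH",
    "2021-07-17 20:19:49 H=[45.188.61.3] NotQ connection-lost (AS:269585 1.0, N:45.188.61.0/24 1.0, C:BR 302.1) EHLO,AUTH",
    "2021-07-17 20:20:16 H=[188.112.7.125] NotQ connection-lost (AS:42739 6.9, N:188.112.0.0/18 3.4, C:PL 65.7) EHLO,AUTH",
    "2021-07-17 20:20:47 H=[45.168.31.121] NotQ connection-lost (AS:268052 1.9, N:45.168.31.0/24 1.0, C:BR 303.0) EHLO,AUTH",
    # constructed record, not from the post:
    "2021-07-17 20:21:05 H=[187.62.177.91] NotQ connection-lost (AS:262662 2.0, N:187.62.176.0/21 2.0, C:BR 304.1) EHLO,AUTH",
]


def parse_notq(line):
    """Return the fields of one notQUIT record, or None if the line is not one."""
    m = NOTQ_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "ip": ipaddress.ip_address(m.group("ip")),
        "reason": m.group("reason"),
        "asn": int(m.group("asn")),
        "asn_rate": float(m.group("asn_rate")),
        "net": ipaddress.ip_network(m.group("net"), strict=False),
        "net_rate": float(m.group("net_rate")),
        "cc": m.group("cc"),
        "cc_rate": float(m.group("cc_rate")),
        "cmds": m.group("cmds").split(","),
    }


def record_is_consistent(rec):
    """Sanity check: the client IP must lie inside the N: prefix exim logged."""
    return rec["ip"] in rec["net"]


def count_by_network(lines):
    """Hits per N: prefix; this is the key a network-level ban would use."""
    counts = Counter()
    for line in lines:
        rec = parse_notq(line)
        if rec is not None and record_is_consistent(rec):
            counts[str(rec["net"])] += 1
    return counts


def count_by_country(lines):
    """Hits per C: country code, for the same quick overview the post describes."""
    counts = Counter()
    for line in lines:
        rec = parse_notq(line)
        if rec is not None:
            counts[rec["cc"]] += 1
    return counts


def networks_over(lines, min_hits):
    """Prefixes with at least min_hits records, most active first."""
    return sorted(
        ((net, n) for net, n in count_by_network(lines).items() if n >= min_hits),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for net, n in networks_over(SAMPLE_LINES, 1):
        print(f"{net:20} {n}")
    print(dict(count_by_country(SAMPLE_LINES)))
```

Feeding a real exim mainlog through `networks_over` with a threshold is a quick way to see whether any N: prefix ever reaches a count worth banning; with the sample above only the /21 with the constructed second hit does, which matches the post's observation that prefixes rarely repeat.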


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
