Hi,

On 17 Jul 2021 20:41:14 -0400 John Levine via mailop
<mailop@mailop.org> wrote:

> It appears that Thomas Hochstein via mailop <mai...@ml.th-h.de> said:

> About 12,000 here.  It's a botnet, it's not targeting you any more
> than any other random server it can find, and I don't know of any way
> to block it. You can use something like fail2ban to block individual
> IPs but it's a very large botnet.

Thanks a lot for all the answers, it helped me to understand that it is
not caused by some mistake of mine, as I always check my own mistakes
first...

> The logins are pretty random:

Now the IMAP (dovecot) attack starts again, where I see the full log of
failed logins. While it seems to be a different botnet (different IP
sources/countries), I see that only one account is being targeted, with
passwords (and their variations) which look known to me, but I cannot
bring to mind from where ;-) But this current attack seems to be more
massive than the previous one, as my F2B log already shows twice as many
IPs blocked (and it grows).

Regarding blocklist.de: I update the IP list (ipset with timeout) hourly,
adding only new (recent) IPs from this list, and the count of added IPs
is logged. There were times when the script added about 2500 IPs per
hour, now it is adding only about 500 - 600. It doesn't help: I watch
the incoming SYN packets on the router and I see only a very small number
without SYN+ACK, thus only very few IPs are blocked...

Regarding fail2ban: it helps, not a lot, but it helps. I did some
research before going to sleep yesterday, and I found out why I did not
know how to block subnets in fail2ban: it was introduced in version
0.10.5, but Debian stable has only 0.10.2. Anyway, blocking subnets will
help only a little more (see stats below).

To see where they come from I wrote a simple Python(3) script, which
reads a list of IPs from stdin and prints some stats based on the
GeoLite2 DBs. When I feed it with the IPs parsed from today's dovecot
fail2ban log I can see:

Top 5 countries of 33:
 75  South Korea (KR)
 36  Japan (JP)
 25  Hong Kong (HK)
 20  China (CN)
 18  Taiwan (TW)

Top 5 networks of 220:
 7   117.146.0.0/16
 4   113.252.0.0/14
 4   111.240.0.0/12
 3   77.53.0.0/16
 3   219.100.37.0/24

Top 5 IPs of 257:
 2   191.177.186.129
 2   88.215.95.21
 2   219.73.72.159
 1   37.57.200.229
 1   59.8.115.197

I do not know if attachments are allowed here, so I add it inline, in
case someone is interested:

import sys
from collections import Counter

import geoip2.database
from geoip2.errors import AddressNotFoundError

# Counters per IP, per country and per announced network (from the ASN DB).
icnt = Counter()
ccnt = Counter()
ncnt = Counter()
total = 0
maxi = 5  # how many top items to print in each table

with geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-Country.mmdb') as creader, \
     geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-ASN.mmdb') as areader:

    # One IP per line on stdin (e.g. parsed from the fail2ban log).
    for ip in sys.stdin:
        ip = ip.strip()
        if not ip:
            continue
        try:
            ctr = creader.country(ip)
            asn = areader.asn(ip)
        except AddressNotFoundError:
            # Private or unallocated addresses are not in the GeoLite2 DBs.
            continue

        isoc = f"{ctr.country.name} ({ctr.country.iso_code})"
        netw = str(asn.network)
        icnt[ip] += 1
        ccnt[isoc] += 1
        ncnt[netw] += 1
        total += 1

print(f"\nTop {maxi} countries of {len(ccnt)}:")
for k, v in ccnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

print(f"\nTop {maxi} networks of {len(ncnt)}:")
for k, v in ncnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

print(f"\nTop {maxi} IPs of {len(icnt)}:")
for k, v in icnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

One can tweak the maxi value to see more top items...

regards

-- 
Slavko
http://slavino.sk
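The stats in the mail above were produced from IPs parsed out of fail2ban's dovecot jail, and the mail asks how much blocking whole subnets would add over blocking single IPs. The following script is an added example, not Slavko's script and not part of the original thread: it reads fail2ban's own log lines directly, keeps only the `Ban` (and `Restore Ban`) entries for one jail, and then compares per-IP blocking against /24 and /16 (for IPv6: /48 and /32) subnet blocking in the same "count, item" layout as the stats quoted above. It needs no GeoLite2 database, so it runs offline. The embedded log lines are constructed from documentation address ranges, and the jail name `dovecot` plus the chosen prefix lengths are assumptions.

```python
import ipaddress
import re
import sys
from collections import Counter

# fail2ban writes one line per ban, e.g.
#   2021-07-18 06:01:12,431 fail2ban.actions [812]: NOTICE  [dovecot] Ban 203.0.113.17
# "Restore Ban" is logged when bans are re-applied after a restart.
BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\] (?:Restore )?Ban (?P<ip>[0-9a-fA-F.:]+)\s*$")

# Constructed sample log lines (RFC 5737 / RFC 3849 documentation ranges, not real bans).
SAMPLE_LOG = """\
2021-07-18 06:01:12,431 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.17
2021-07-18 06:02:40,002 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.99
2021-07-18 06:03:05,771 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2021-07-18 06:04:51,120 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2021-07-18 06:05:00,009 fail2ban.filter         [812]: INFO    [dovecot] Found 203.0.113.17 - 2021-07-18 06:04:59
2021-07-18 06:07:33,640 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 2001:db8::1
2021-07-18 06:08:10,555 fail2ban.actions        [812]: NOTICE  [dovecot] Restore Ban 203.0.113.99
2021-07-18 06:09:12,333 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.17
"""


def banned_ips(lines, jail="dovecot"):
    """Return the addresses banned in one jail, in log order (repeat bans kept)."""
    ips = []
    for line in lines:
        m = BAN_RE.search(line)
        if m and m.group("jail") == jail:
            ips.append(ipaddress.ip_address(m.group("ip")))
    return ips


def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Map one address to the /v4_prefix (IPv4) or /v6_prefix (IPv6) network containing it."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def summary(ips, v4_prefix=24, v6_prefix=48):
    """Compare per-IP and per-subnet blocking for a list of banned addresses."""
    distinct = set(ips)
    nets = Counter(network_of(ip, v4_prefix, v6_prefix) for ip in distinct)
    return {
        "bans": len(ips),
        "distinct_ips": len(distinct),
        "distinct_networks": len(nets),
        # how many distinct banned IPs the single busiest subnet rule would cover
        "max_ips_per_network": max(nets.values(), default=0),
    }


def print_top(title, counter, maxi=5):
    """Same layout as the stats in the mail: count, then item."""
    print(f"\nTop {maxi} {title} of {len(counter)}:")
    for k, v in counter.most_common(maxi):
        print(" %-3s %s" % (v, k))


def report(lines, jail="dovecot", maxi=5):
    """Print the per-IP and per-subnet tables for one jail and return the summary."""
    ips = banned_ips(lines, jail)
    distinct = set(ips)
    print_top("IPs", Counter(ips), maxi)
    print_top("/24 (v6: /48) networks", Counter(network_of(ip) for ip in distinct), maxi)
    print_top("/16 (v6: /32) networks", Counter(network_of(ip, 16, 32) for ip in distinct), maxi)
    s = summary(ips)
    print(f"\n{s['distinct_ips']} distinct IPs need {s['distinct_ips']} per-IP rules or "
          f"{s['distinct_networks']} /24 rules; the busiest /24 covers "
          f"{s['max_ips_per_network']} of them")
    return s


if __name__ == "__main__":
    # Usage: python f2b_nets.py /var/log/fail2ban.log  (no argument: the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report(fh)
    else:
        report(SAMPLE_LOG.splitlines())
```

Run against the sample, the four distinct dovecot IPs collapse to three /24 networks with at most two IPs each, which is the "helps only a little more" effect described above: subnet blocking only pays off when the busiest prefixes hold many banned hosts.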

Attachment: pgpIIQsP66Zyf.pgp
Description: OpenPGP digital signature

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
