Hi,

On 17 Jul 2021 20:41:14 -0400 John Levine via mailop <mailop@mailop.org> wrote:
> It appears that Thomas Hochstein via mailop <mai...@ml.th-h.de> said:
> > About 12,000 here.
> It's a botnet, it's not targeting you any more than any other random
> server it can find, and I don't know of any way to block it. You can
> use something like fail2ban to block individual IPs but it's a very
> large botnet.

Thanks a lot for all the answers, it helped me to understand that it is not due to some mistake of mine, as I always care about my own mistakes first...

> The logins are pretty random:

Now the IMAP (dovecot) attack starts again, where I see the full failed-logins log. While it seems to be a different botnet (different IP sources/countries), I see that only one account is targeted, with passwords (and their variations) which look known to me, but I cannot bring to mind from where ;-) But this current attack seems to be more massive than the previous one, as my F2B log shows twice as many IPs blocked already (and it grows).

Ad blocklist.de: I update the IP list (ipset with timeout) hourly, adding only new (recent) IPs from this list, and the count of added IPs is logged. There were times when the script added about 2500 IPs hourly, now it is adding only about 500 - 600. It doesn't help - I watch incoming SYN packets on the router and I see a very small number without SYN+ACK, thus only very few IPs are blocked...

Ad fail2ban: it helps, not a lot, but it helps. I did some research before I went to sleep yesterday, and I found why I do not know how to block subnets in fail2ban: it was introduced in its 0.10.5 version, but in Debian stable there is only 0.10.2. Anyway, blocking subnets will help only a little more (see stats below).

To see where they come from I did a simple Python(3) script, which reads a list of IPs from stdin and prints some stats based on the GeoLite2 DBs.
When I feed it with the IPs parsed from today's dovecot fail2ban log I can see:

Top 5 countries of 33:
  75  South Korea (KR)
  36  Japan (JP)
  25  Hong Kong (HK)
  20  China (CN)
  18  Taiwan (TW)

Top 5 networks of 220:
  7   117.146.0.0/16
  4   113.252.0.0/14
  4   111.240.0.0/12
  3   77.53.0.0/16
  3   219.100.37.0/24

Top 5 IPs of 257:
  2   191.177.186.129
  2   88.215.95.21
  2   219.73.72.159
  1   37.57.200.229
  1   59.8.115.197

I do not know if attachments are allowed here, thus I add it here, if someone is interested:

import sys
from collections import Counter
import geoip2.database
import geoip2.errors

icnt = Counter()   # hits per source IP
ccnt = Counter()   # hits per country
ncnt = Counter()   # hits per announced network (from the ASN DB)
total = 0
maxi = 5           # how many top items to print

with geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-Country.mmdb') as creader, \
     geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-ASN.mmdb') as areader:
    for ip in sys.stdin:
        ip = ip.strip()
        if not ip:
            continue        # skip empty lines
        try:
            ctr = creader.country(ip)
            asn = areader.asn(ip)
        except geoip2.errors.AddressNotFoundError:
            continue        # address not in the GeoLite2 DBs, skip it
        isoc = f"{ctr.country.name} ({ctr.country.iso_code})"
        netw = str(asn.network)
        icnt[ip] += 1
        ccnt[isoc] += 1
        ncnt[netw] += 1
        total += 1

print(f"\nTop {maxi} countries of {len(ccnt)}:")
for k, v in ccnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

print(f"\nTop {maxi} networks of {len(ncnt)}:")
for k, v in ncnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

print(f"\nTop {maxi} IPs of {len(icnt)}:")
for k, v in icnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

One can tweak the maxi value if they want to see more top items...

regards

-- 
Slavko
http://slavino.sk
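As an added example (not Slavko's script, not part of the original post), the following standalone Python snippet parses dovecot "auth failed" lines from a constructed log sample and counts how many /32, /24 and /16 entries a blocklist would need to cover every source; it needs no GeoIP database and puts a number on the "blocking subnets will help only little more" observation. The log lines, addresses and user names are constructed sample data.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in dovecot's imap-login log format (not real traffic);
# source addresses come from documentation/test ranges.
SAMPLE_LOG = """\
Jul 18 08:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<slavko>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<s1>
Jul 18 08:01:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<slavko>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1, TLS, session=<s2>
Jul 18 08:01:15 mx dovecot: imap-login: Login: user=<slavko>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, TLS, session=<s3>
Jul 18 08:02:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<slavko>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS, session=<s4>
Jul 18 08:03:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<slavko>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<s5>
Jul 18 08:03:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.200, lip=192.0.2.1, TLS, session=<s6>
Jul 18 08:04:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<slavko>, method=PLAIN, rip=100.64.1.7, lip=192.0.2.1, TLS, session=<s7>
Jul 18 08:04:59 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<slavko>, method=PLAIN, rip=100.64.9.3, lip=192.0.2.1, TLS, session=<s8>
"""

# Match only "auth failed" disconnects; successful "Login:" lines are skipped.
FAILED_RE = re.compile(r"auth failed.*?user=<([^>]*)>.*?rip=([0-9A-Fa-f.:]+)")

def parse_failed_logins(log_text):
    """Return (user, source_ip) pairs, one per failed-login line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hits

def distinct_blocks(ips, prefixlen):
    """Count distinct IPv4 networks of /prefixlen needed to cover all sources."""
    nets = {ipaddress.ip_network((str(ip), prefixlen), strict=False)
            for ip in ips if ip.version == 4}
    return len(nets)

def coverage_summary(log_text, prefixes=(32, 24, 16)):
    """Attempt count, per-user counts and blocklist size per prefix length."""
    hits = parse_failed_logins(log_text)
    ips = [ip for _, ip in hits]
    return {"attempts": len(hits),
            "users": Counter(user for user, _ in hits),
            "blocks": {p: distinct_blocks(ips, p) for p in prefixes}}

if __name__ == "__main__":
    s = coverage_summary(SAMPLE_LOG)
    print(f"{s['attempts']} failed logins, users: {dict(s['users'])}")
    for prefix, n in s["blocks"].items():
        print(f"  per-/{prefix} blocking needs {n} entries")
```

Feed it a real log (e.g. `coverage_summary(open('/var/log/dovecot.log').read())`) and compare the three block counts: when the /16 count stays close to the /32 count, as in Slavko's stats, aggregating to subnets buys very little.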
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop