Hi,

On Sun, 18 Jul 2021 06:54:07 +0200 Slavko via mailop
<mailop@mailop.org> wrote:

> To see where they come from, I wrote a simple Python(3) script which reads
> a list of IPs from stdin and prints some stats based on the GeoLite2 DBs.
> When I feed it with IPs parsed from today's dovecot fail2ban log I
> can see:

Seems to be finished for now. fail2ban will not help with it at all, as
no single IP was used more than twice and even very few networks
were repeated (slightly improved script output):

Top 5 of 50 countries:
 241 South Korea (KR)
 104 Japan (JP)
 75  Hong Kong (HK)
 40  United States (US)
 40  Taiwan (TW)

Top 5 of 546 networks:
 12  223.16.0.0/14 (9304, HK)
 10  219.100.37.0/24 (36599, JP)
 8   117.146.0.0/16 (9808, CN)
 7   113.252.0.0/14 (9304, HK)
 7   221.124.0.0/14 (9304, HK)

Top 5 of 697 (total 713) IPs:
 2   179.35.122.18 (BR)
 2   112.164.147.228 (KR)
 2   191.177.186.129 (BR)
 2   88.215.95.21 (DE)
 2   219.73.72.159 (HK)

The only usable way seems to be GeoIP blocking of countries, but I am afraid
that it is the wrong way. The whole attack took about 5-6 hours. I will
continue to investigate weakforced for the future, as I feel that it is not
the real end, only a pause...

Anyway, despite all the words about Kerckhoffs's principle, using the
same email address as the login name seems to be the wrong approach (as someone
already pointed out), because without a valid username no password will match,
and thus knowing the username saves 50 % of the attacker's work. Thus while the
username is not secret, not revealing it can help... Of course, hiding the
username is not (enough of) a security method.

regards

-- 
Slavko
http://slavino.sk
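
The kind of aggregation the post describes (per-country, per-network and per-IP counts from a list of source addresses, plus a check of how many of those IPs a per-address threshold such as fail2ban's maxretry would ever catch), as an added example that is not Slavko's script. The GeoLite2 lookup is replaced by a small constructed prefix table, using the prefixes and AS numbers visible in the post's output, so the example runs offline; a reader substituting a real geoip2 Reader would replace lookup() only. SAMPLE_IPS, PREFIX_TABLE and COUNTRY_NAMES are constructed sample data, and the maxretry value of 3 is an assumption.

```python
"""Aggregate brute-force source IPs by country, network and IP.

Reads one IPv4 address per line from stdin (for example, IPs parsed from
a dovecot/fail2ban log) and prints top-N tables like the ones in the post.
Offline stand-in: the GeoLite2 ASN/Country lookup is replaced by the
constructed PREFIX_TABLE below (assumption, not the real databases).
"""
import sys
import ipaddress
from collections import Counter

# Constructed stand-in for GeoLite2: (prefix, AS number, country code).
# Prefixes/ASNs are the ones shown in the post; the table is otherwise assumed.
PREFIX_TABLE = [
    (ipaddress.ip_network("223.16.0.0/14"), 9304, "HK"),
    (ipaddress.ip_network("113.252.0.0/14"), 9304, "HK"),
    (ipaddress.ip_network("221.124.0.0/14"), 9304, "HK"),
    (ipaddress.ip_network("219.100.37.0/24"), 36599, "JP"),
    (ipaddress.ip_network("117.146.0.0/16"), 9808, "CN"),
]
# Longest prefix first, so the most specific entry wins on lookup.
PREFIX_TABLE.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

COUNTRY_NAMES = {"HK": "Hong Kong", "JP": "Japan", "CN": "China"}

# Constructed sample input (used when nothing is piped on stdin).
SAMPLE_IPS = [
    "223.16.1.1", "223.17.2.2", "223.18.3.3",        # 223.16.0.0/14, AS9304, HK
    "219.100.37.5", "219.100.37.9", "219.100.37.5",  # 219.100.37.0/24, JP (one repeat)
    "117.146.10.10",                                 # 117.146.0.0/16, AS9808, CN
    "113.252.0.7", "221.124.9.9",                    # other AS9304 /14s, HK
    "198.51.100.4",                                  # TEST-NET-2, not in the table
]


def lookup(ip):
    """Return (network, asn, country_code); (None, None, '??') if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn, cc in PREFIX_TABLE:
        if addr in net:
            return net, asn, cc
    return None, None, "??"


def summarize(ips):
    """Count hits per country, per announced network and per IP address."""
    by_country, by_network, by_ip = Counter(), Counter(), Counter()
    for ip in ips:
        net, asn, cc = lookup(ip)
        by_country[cc] += 1
        by_network[(str(net) if net else "unknown", asn, cc)] += 1
        by_ip[(ip, cc)] += 1
    return by_country, by_network, by_ip


def banned_by_fail2ban(by_ip, maxretry):
    """IPs that reached a per-address threshold (fail2ban's maxretry)."""
    return sorted(ip for (ip, _cc), hits in by_ip.items() if hits >= maxretry)


def print_top(title, counter, total, fmt, top=5):
    """Print a 'Top N of M' table in the same layout as the post."""
    print(f"Top {top} of {len(counter)} {title} (total {total}):")
    for key, hits in counter.most_common(top):
        print(f" {hits:<4}{fmt(key)}")
    print()


def main():
    ips = [] if sys.stdin.isatty() else [l.strip() for l in sys.stdin if l.strip()]
    ips = ips or SAMPLE_IPS
    by_country, by_network, by_ip = summarize(ips)
    total = len(ips)
    print_top("countries", by_country, total,
              lambda cc: f"{COUNTRY_NAMES.get(cc, cc)} ({cc})")
    print_top("networks", by_network, total,
              lambda k: f"{k[0]} ({k[1]}, {k[2]})")
    print_top("IPs", by_ip, total, lambda k: f"{k[0]} ({k[1]})")
    # Assumed threshold of 3: with at most two hits per IP nothing is banned,
    # which is the point of the post; the per-network view is what still moves.
    print("IPs a maxretry=3 rule would ban:", banned_by_fail2ban(by_ip, 3) or "none")


if __name__ == "__main__":
    main()
```

Run it as `grep ... fail2ban.log | ./topsources.py` or with no input to see the constructed sample; the per-IP table is where a per-address ban list stalls, while the per-network and per-country tables keep a usable signal for a rate limit or a policy decision.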
