Project

General

Profile

Actions

Enhancement #745

open

ban IPs that try to authenticate with a nonexistent user

Added by Pierre-Louis Bonicoli about 3 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Category:
System :: Base
Start date:
2021-11-24
Due date:
% Done:

0%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:

Description

Fail2ban should block the following attemps:

Nov 24 15:06:46 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:00 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:20 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:30 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:44 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:08:04 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user

Some numbers in order to support the new filter (the oldest entry in the journal is 7 days old):

root@Toushirou:~# # count all entries
root@Toushirou:~# journalctl  -g '(auth:.*unknown)'  | wc -l
5032
root@Toushirou:~# # check the regex
root@Toushirou:~# journalctl  -g '(auth:.*unknown)'  | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr  | awk '{print $1}' | paste -sd+ | bc
5029
root@Toushirou:~# # display the most used IPs
root@Toushirou:~# journalctl  -g '(auth:.*unknown)'  | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr  | awk '{print $1}' | head -n 10
741
566
467
362
307
182
177
174
167
161
# There are 697 different IPs, the twenty most used produce 85% of the login failure.

Actions #1

Updated by Pierre-Louis Bonicoli about 3 years ago

  • Description updated (diff)
Actions #2

Updated by Pierre-Louis Bonicoli about 3 years ago

  • Description updated (diff)
Actions #3

Updated by Marc Dequènes over 2 years ago

Indeed, adding a new filter would be nice.

Actions

Also available in: Atom PDF