Project

General

Profile

Enhancement #745

ban IPs that try to authenticate with a nonexistent user

Added by Pierre-Louis Bonicoli 7 days ago. Updated 7 days ago.

Status:
New
Priority:
Normal
Category:
System :: Base
Start date:
2021-11-24
Due date:
% Done:

0%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:

Description

Fail2ban should block the following attemps:

Nov 24 15:06:46 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:00 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:20 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:30 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:44 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:08:04 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user

Some numbers in order to support the new filter (the oldest entry in the journal is 7 days old):

root@Toushirou:~# # count all entries
root@Toushirou:~# journalctl  -g '(auth:.*unknown)'  | wc -l
5032
root@Toushirou:~# # check the regex
root@Toushirou:~# journalctl  -g '(auth:.*unknown)'  | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr  | awk '{print $1}' | paste -sd+ | bc
5029
root@Toushirou:~# # display the most used IPs
root@Toushirou:~# journalctl  -g '(auth:.*unknown)'  | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr  | awk '{print $1}' | head -n 10
741
566
467
362
307
182
177
174
167
161
# There are 697 different IPs, the twenty most used produce 85% of the login failure.

History

#1

Updated by Pierre-Louis Bonicoli 7 days ago

  • Description updated (diff)
#2

Updated by Pierre-Louis Bonicoli 7 days ago

  • Description updated (diff)

Also available in: Atom PDF