Enhancement #745
openban IPs that try to authenticate with a nonexistent user
Start date:
2021-11-24
Due date:
% Done:
0%
Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:
Description
Fail2ban should block the following attempts:
Nov 24 15:06:46 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:00 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:20 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:30 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:44 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:08:04 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Some numbers in order to support the new filter (the oldest entry in the journal is 7 days old):
root@Toushirou:~# # count all entries
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | wc -l
5032
root@Toushirou:~# # check the regex
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr | awk '{print $1}' | paste -sd+ | bc
5029
root@Toushirou:~# # display the most used IPs
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr | awk '{print $1}' | head -n 10
741
566
467
362
307
182
177
174
167
161
# There are 697 different IPs, the twenty most used produce 85% of the login failure.
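The matching the requested filter has to do, as an added example that is not part of this report or of fail2ban itself: a Python regex modelled on the sed expression above (user, host, optional ",<session>" before "): unknown user"), run over constructed journal lines (documentation IPs, invented user names and session id, year 2021 assumed since syslog timestamps carry none), with a maxretry/findtime window that mirrors how fail2ban decides a ban.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex modelled on the report's sed expression: host follows the user inside
# ldap(...) and may carry an optional ",<session>". A fail2ban filter writes <HOST>.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot\[\d+\]: "
    r"auth: ldap\([^,]+,(?P<host>[^,)]+)(?:,<[^>]+>)?\): unknown user$"
)

# Constructed sample journal lines (documentation IPs, invented users and session id).
SAMPLE_LOG = """\
Nov 24 15:06:46 Toushirou dovecot[1308700]: auth: ldap(bob,192.0.2.10): unknown user
Nov 24 15:07:00 Toushirou dovecot[1308700]: auth: ldap(bob,192.0.2.10): unknown user
Nov 24 15:07:20 Toushirou dovecot[1308700]: auth: ldap(bob,192.0.2.10,<sess1234>): unknown user
Nov 24 15:07:30 Toushirou dovecot[1308700]: auth: ldap(bob,192.0.2.10): unknown user
Nov 24 15:07:44 Toushirou dovecot[1308700]: auth: ldap(bob,192.0.2.10): unknown user
Nov 24 15:08:04 Toushirou dovecot[1308700]: auth: ldap(bob,192.0.2.10): unknown user
Nov 24 15:08:10 Toushirou dovecot[1308700]: auth: ldap(alice,192.0.2.20): unknown user
Nov 24 15:09:10 Toushirou dovecot[1308700]: auth: ldap(alice,192.0.2.20): unknown user
Nov 24 15:09:11 Toushirou dovecot[1308700]: auth: ldap(carol,192.0.2.30): unrelated message
""".splitlines()

def parse_line(line, year=2021):
    """(timestamp, host) for a matching line, else None; the year is assumed (syslog has none)."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def failures_by_host(lines):
    """Per-host counts, most frequent first (the report's sort | uniq -c | sort -nr)."""
    return Counter(p[1] for p in map(parse_line, lines) if p).most_common()

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts reaching `maxretry` failures inside a `findtime`-second window (fail2ban's rule)."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        # keep only failures no older than findtime relative to this one
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

With the sample lines, only 192.0.2.10 (six failures in under two minutes) crosses the default threshold; the session-suffixed line is counted for the same host and the unrelated line is ignored.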