Need something like fail2ban for a distributed brute force

If none of the specific sub-forums seem right for your thread, ask here.
dwasi
Posts: 31
Joined: 2019-11-27 16:57

Need something like fail2ban for a distributed brute force

#1 Post by dwasi »

Lately I've been seeing someone poking at my server trying to hack my relay. It requires login auth, so they're trying and failing a lot.

Typically this is something fail2ban would catch, but they're doing it distributed (or they're spoofing IPs). In the last three days I have literally thousands of attempts, all using the same two (nonexistent) email addresses as login credentials, from a total of 466 unique IPs. They do occasionally reuse an IP, obviously, but never right away, so fail2ban never gets triggered.

For the moment, to cut down on the noise level, I've manually created an ipset of those 466 IPs and put it in the firewall to drop them. But to automate dropping these when they come in on new IPs seems problematic. What I need is something like fail2ban that can filter on login credentials instead of IPs but still build a list of IPs from the failed attempts. E.g., start adding IPs to a drop chain after x number of failed auth attempts with the same credentials (instead of from the same IP as fail2ban does).

Does such a thing exist?

dwasi
Posts: 31
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

#2 Post by dwasi »

For now I've created a script in response. Once an hour it sweeps the mail log for email credentials with five or more fails and adds any IP associated with them to the aforementioned ipset already in the firewall. Since the IPs are not reused quickly, hourly sweeps should be sufficient.

It'll be interesting to see how big the ipset gets.

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Need something like fail2ban for a distributed brute force

#3 Post by cuckooflew »

I don't know, but maybe look into: https://packages.debian.org/buster/apf-firewall
=============================================
Their home page: https://packages.debian.org/buster/apf-firewall

If you look closely on the package page, on the right side:
Maintainer:

Debian QA Group (QA Page)
Is an e-mail, mail list ... also a list of similar packages:

pyroman
nufw
fail2ban
nftables
fiaif
collectd-core
nuauth
ostinato
psad

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 13 times
Been thanked: 66 times

Re: Need something like fail2ban for a distributed brute force

#4 Post by dilberts_left_nut »

Why not just add a fail2ban filter that triggers on any mention of that email address?
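What the filter dilberts_left_nut suggests looks like in practice, as an added example (not from the thread and not one of fail2ban's shipped filters). It assumes the failed-auth line carries the attempted username and the remote IP on one line in Dovecot's login-process style (`user=<...>`, `rip=...`); the bait addresses, file names, log path and ban times are assumptions for illustration:

```ini
# /etc/fail2ban/filter.d/mail-baitaddr.conf  (example filter, assumed name)
[Definition]
# Assumed line shape:
#   ... (auth failed, 1 attempts in 2 secs): user=<sales@example.org>, method=PLAIN, rip=203.0.113.5, lip=...
# fail2ban replaces <HOST> with its own address-matching pattern; the
# alternation pins the two bait addresses seen in the log.
failregex = auth failed.*user=<(sales|info)@example\.org>.*rip=<HOST>
ignoreregex =

# /etc/fail2ban/jail.local  (jail section for the filter above)
[mail-baitaddr]
enabled   = true
filter    = mail-baitaddr
logpath   = /var/log/mail.log
# One hit is enough: each bot in a distributed run only tries once per IP,
# so the usual maxretry of 5 would never fire.
maxretry  = 1
findtime  = 1d
bantime   = 4w
banaction = iptables-ipset-proto6
```

`maxretry = 1` is the part that makes this work against a source that spreads attempts over hundreds of addresses; with the default of 5 an IP that tries once and moves on is never banned. The cost is the one dwasi raises in #5: the regex names the bait addresses, so it has to be edited every time the attacker switches to a new one. Run `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/mail-baitaddr.conf` before enabling the jail to confirm the expression actually matches your log format.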

dwasi
Posts: 31
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

#5 Post by dwasi »

dilberts_left_nut wrote:Why not just add a fail2ban filter that triggers on any mention of that email address?
Because every few days they change to a different one. I guess they get all the way through their brute force list for that one and move on to another.

dwasi
Posts: 31
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

#6 Post by dwasi »

My script added 15 IPs while I was working on it, so when I got done there were 481 IPs. It added more overnight; in the morning it was 511. Then I got the idea to run it against older logs, so I gunzipped a few and ran it against those. The .1 log took it to 523, and the .2 log took it to 525, even though both of those were loaded with attempts. No change from applying any older log than those. So I'm thinking my ipset must be getting close to a pretty complete list of their botnet now.

arzgi
Posts: 1194
Joined: 2008-02-21 17:03
Location: Finland
Been thanked: 31 times

Re: Need something like fail2ban for a distributed brute force

#7 Post by arzgi »

Why don't you use ssh-keys, and disable password login?

dwasi
Posts: 31
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

#8 Post by dwasi »

arzgi wrote:Why don't you use ssh-keys, and disable password login?
It's not an ssh login. They're trying to find TLS authentication credentials to the MTA, presumably to use it as a relay.

dwasi
Posts: 31
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

#9 Post by dwasi »

After putting the script in action for a while, I was interested to see the botnet react to it and change tactics. It started using a lot more email addresses simultaneously, apparently to be able to make more tries from each IP before the script blocked it.

I refined my script to block the IP of any failed attempt that tries to use an email which doesn't exist in the virtual mailboxes, and it now runs every 15 minutes. So they don't get three or four tries from a specific IP anymore. Each bot in their net gets one try and then BANG into the blocklist it goes.

This countermeasure has cut the attack traffic from thousands of daily attempts to maybe 20. I expect it will continue to slowly drop off as the number of bots not in the blocklist diminishes. (Unless the new connections are all from newly zombified machines.)
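Both sweeps dwasi describes, the first one in #2 (ban every IP behind a credential that has failed five or more times) and the refined one in #9 (ban the IP of any attempt against a mailbox that does not exist), come down to the same log parse with a different ban rule on top. The script below is an added example, not dwasi's script. It assumes failed logins are recorded with the username and remote IP on one line in Dovecot's login-process style (`user=<...>`, `rip=...`); the sample log, the `VALID_USERS` set (in practice you would load your Postfix virtual mailbox map) and the `mailbots4`/`mailbots6` set names are constructed for the example:

```python
import gzip
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic), modelled on Dovecot's
# login-process failure lines. Adjust LINE_RE if your MTA logs differently.
SAMPLE_LOG = """\
Jan 10 03:14:07 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.org>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jan 10 03:14:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.org>, method=PLAIN, rip=203.0.113.6, lip=198.51.100.2, TLS
Jan 10 03:15:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Sales@example.org>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jan 10 03:16:22 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.org>, method=PLAIN, rip=2001:db8::1f, lip=2001:db8:1::2, TLS
Jan 10 03:17:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.org>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS
Jan 10 03:18:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.org>, method=PLAIN, rip=198.18.0.4, lip=198.51.100.2, TLS
Jan 10 03:18:51 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.org>, method=PLAIN, rip=198.18.0.5, lip=198.51.100.2, TLS
Jan 10 03:19:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.org>, method=PLAIN, rip=198.18.0.6, lip=198.51.100.2, TLS
Jan 10 03:20:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Jan 10 03:21:00 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
"""

# Mailboxes that really exist (assumed; load from your virtual mailbox map).
VALID_USERS = {"alice@example.org", "bob@example.org"}

# Username and remote IP (rip=) of a failed-auth line; IPv4 or IPv6.
LINE_RE = re.compile(
    r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9A-Fa-f.:]+)"
)


def read_log(path):
    """Read a plain or gzip-rotated log (mail.log, mail.log.2.gz, ...) as text."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        return fh.read()


def parse_failures(log_text):
    """Yield (username, ip) for each failed-auth line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user").lower(), m.group("ip")


def ips_by_credential_threshold(log_text, threshold=5):
    """Post #2 rule: a credential with >= threshold failures bans every IP
    that tried it, however few attempts each individual IP made."""
    fails = defaultdict(list)
    for user, ip in parse_failures(log_text):
        fails[user].append(ip)
    banned = set()
    for ips in fails.values():
        if len(ips) >= threshold:
            banned.update(ips)
    return banned


def ips_for_nonexistent_users(log_text, valid_users):
    """Post #9 rule: one failure against a mailbox that does not exist bans
    the source IP. A real user mistyping a password is left alone."""
    valid = {u.lower() for u in valid_users}
    return {ip for user, ip in parse_failures(log_text) if user not in valid}


def ip_sort_key(ip):
    """Sort IPv4 before IPv6, each numerically."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))


def ipset_commands(ips, set4="mailbots4", set6="mailbots6"):
    """Render 'ipset add' lines; a hash:ip set holds one family, so IPv4 and
    IPv6 go to separate sets, and -exist makes re-adding harmless."""
    cmds = []
    for ip in sorted(ips, key=ip_sort_key):
        name = set4 if ipaddress.ip_address(ip).version == 4 else set6
        cmds.append(f"ipset add {name} {ip} -exist")
    return cmds


if __name__ == "__main__":
    import sys
    # With no arguments the constructed sample is used; otherwise each
    # argument is a (possibly gzipped) mail log.
    text = "".join(read_log(p) for p in sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG
    for cmd in ipset_commands(ips_for_nonexistent_users(text, VALID_USERS)):
        print(cmd)
```

Create the sets once with `ipset create mailbots4 hash:ip family inet` and `ipset create mailbots6 hash:ip family inet6`, hook them in with `iptables -I INPUT -m set --match-set mailbots4 src -j DROP` (and the `ip6tables` equivalent), then pipe the script's output to `sh` from cron. On the sample, the #2 rule bans only the five IPs behind `sales@example.org` (`info@` has just two failures), while the #9 rule bans all eight bot IPs and leaves alice's failed attempt alone because her mailbox exists.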
