Lately I've been seeing someone poking at my server trying to hack my relay. It requires login auth, so they're trying and failing a lot.
Typically this is something fail2ban would catch, but they're doing it distributed (or they're spoofing IPs). In the last three days I have literally thousands of attempts, all using the same two (nonexistent) email addresses as login credentials, from a total of 466 unique IPs. They do occasionally reuse an IP, obviously, but never right away, so fail2ban never gets triggered.
For the moment, to cut down on the noise level, I've manually created an ipset of those 466 IPs and put it in the firewall to drop them. But to automate dropping these when they come in on new IPs seems problematic. What I need is something like fail2ban that can filter on login credentials instead of IPs but still build a list of IPs from the failed attempts. E.g., start adding IPs to a drop chain after x number of failed auth attempts with the same credentials (instead of from the same IP as fail2ban does).
Does such a thing exist?
Need something like fail2ban for a distributed brute force
Re: Need something like fail2ban for a distributed brute for
For now I've created a script in response. Once an hour it sweeps the mail log for email credentials with five or more fails and adds any IP associated with them to the aforementioned ipset already in the firewall. Since the IPs are not reused quickly, hourly sweeps should be sufficient.
It'll be interesting to see how big the ipset gets.
Re: Need something like fail2ban for a distributed brute for
I don't know, but maybe look into: https://packages.debian.org/buster/apf-firewall
=============================================
Their home page: https://packages.debian.org/buster/apf-firewall
If you look closely on the package page, on the right side, there is an e-mail address, a mailing list ... also a list of similar packages:
Maintainer:
Debian QA Group (QA Page)
similar packages:
pyroman
nufw
fail2ban
nftables
fiaif
collectd-core
nuauth
ostinato
psad
Re: Need something like fail2ban for a distributed brute for
Why not just add a fail2ban filter that triggers on any mention of that email address?
Re: Need something like fail2ban for a distributed brute for
dilberts_left_nut wrote: Why not just add a fail2ban filter that triggers on any mention of that email address?
Because every few days they change to a different one. I guess they get all the way through their brute force list for that one and move on to another.
Re: Need something like fail2ban for a distributed brute for
My script added 15 IPs while I was working on it, so when I got done there were 481 IPs. It added more overnight; in the morning it was 511. Then I got the idea to run it against older logs, so I gunzipped a few and ran it against those. The .1 log took it to 523, and the .2 log took it to 525, even though both of those were loaded with attempts. No change from applying any older log than those. So I'm thinking my ipset must be getting close to a pretty complete list of their botnet now.
Re: Need something like fail2ban for a distributed brute for
Why don't you use ssh-keys, and disable password login?
Re: Need something like fail2ban for a distributed brute for
arzgi wrote: Why don't you use ssh-keys, and disable password login?
It's not an ssh login. They're trying to find TLS authentication credentials to the MTA, presumably to use it as a relay.
Re: Need something like fail2ban for a distributed brute for
After putting the script in action for a while, I was interested to see the botnet react to it and change tactics. It started using a lot more email addresses simultaneously, apparently to be able to make more tries from each IP before the script blocked it.
I refined my script to block the IP of any failed attempt that tries to use an email which doesn't exist in the virtual mailboxes, and to run every 15 minutes. So they don't get three or four tries from a specific IP anymore. Each bot in their net gets one try and then BANG into the blocklist it goes.
This countermeasure has cut the attack traffic from thousands of daily attempts to maybe 20. I expect it will continue to slowly drop off as the number of bots not in the blocklist diminishes. (Unless the new connections are all from newly zombified machines.)
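As an added illustration (not the poster's script), here is a log sweep that implements both rules described in this thread: the original per-credential threshold (block every IP that tried a credential once that credential has failed five times, wherever the tries came from) and the refined rule (one failed try against a mailbox that does not exist blocks that IP outright). The log format, the mailbox table, the ipset name `mailbots` and the sample lines are all constructed assumptions; the regex must be adapted to what your own MTA or IMAP server logs.

```python
import re
from collections import defaultdict
# Constructed sample lines in the shape of Dovecot auth failures (format assumed;
# adjust LINE_RE to what your MTA or IMAP server actually logs).
SAMPLE_LOG = """\
Mar 10 03:01:12 mx dovecot: auth: passwd-file(bob@example.com,198.51.100.7): unknown user
Mar 10 03:01:40 mx dovecot: auth: passwd-file(bob@example.com,203.0.113.21): unknown user
Mar 10 03:02:05 mx dovecot: auth: passwd-file(BOB@example.com,203.0.113.22): unknown user
Mar 10 03:05:33 mx dovecot: auth: passwd-file(alice@example.com,192.0.2.10): Password mismatch
Mar 10 03:06:01 mx dovecot: auth: passwd-file(carol@example.com,203.0.113.31): Password mismatch
Mar 10 03:06:09 mx dovecot: auth: passwd-file(carol@example.com,203.0.113.32): Password mismatch
Mar 10 03:06:17 mx dovecot: auth: passwd-file(carol@example.com,203.0.113.33): Password mismatch
Mar 10 03:06:25 mx dovecot: auth: passwd-file(carol@example.com,203.0.113.34): Password mismatch
Mar 10 03:06:33 mx dovecot: auth: passwd-file(carol@example.com,203.0.113.35): Password mismatch
Mar 10 03:07:00 mx dovecot: imap-login: Login: user=<alice@example.com>, rip=192.0.2.10
"""

# Captures the attempted user and the client IPv4 from a failure line only.
LINE_RE = re.compile(
    r"auth: \S+\(([^,]+),(\d{1,3}(?:\.\d{1,3}){3})\): (?:unknown user|Password mismatch)")

def parse_failures(log_text):
    """Yield (user, ip) for each failed-auth line; successful logins are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def ips_to_block(log_text, valid_mailboxes, threshold=5):
    """Source IPs to drop. Rule 1 (hourly sweep): a credential failing `threshold`
    times across any IPs gets every IP that tried it blocked. Rule 2 (refined
    script): one failed try against a nonexistent mailbox blocks that IP outright."""
    attempts = defaultdict(list)
    blocked = set()
    for user, ip in parse_failures(log_text):
        attempts[user].append(ip)
        if user not in valid_mailboxes:
            blocked.add(ip)
    for ips in attempts.values():
        if len(ips) >= threshold:
            blocked.update(ips)
    return blocked

def ipset_commands(ips, setname):
    """ipset lines that feed the firewall set; -exist keeps re-adds from erroring."""
    return [f"ipset add -exist {setname} {ip}" for ip in sorted(ips)]

if __name__ == "__main__":
    valid = {"alice@example.com", "carol@example.com"}  # the virtual mailbox table
    for cmd in ipset_commands(ips_to_block(SAMPLE_LOG, valid), "mailbots"):
        print(cmd)
```

Run from cron against the current mail log; alice's single typo against a real mailbox is left alone, while the distributed tries against carol's real mailbox and every try against the nonexistent bob are all dropped.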