Need something like fail2ban for a distributed brute force

Postby dwasi » 2020-06-21 03:29

Lately I've been seeing someone poking at my server trying to hack my relay. It requires login auth, so they're trying and failing a lot.

Typically this is something fail2ban would catch, but they're doing it distributed (or they're spoofing IPs). In the last three days I have literally thousands of attempts, all using the same two (nonexistent) email addresses as login credentials, from a total of 466 unique IPs. They do occasionally reuse an IP, obviously, but never right away, so fail2ban never gets triggered.

For the moment, to cut down on the noise level, I've manually created an ipset of those 466 IPs and put it in the firewall to drop them. But to automate dropping these when they come in on new IPs seems problematic. What I need is something like fail2ban that can filter on login credentials instead of IPs but still build a list of IPs from the failed attempts. E.g., start adding IPs to a drop chain after x number of failed auth attempts with the same credentials (instead of from the same IP as fail2ban does).

Does such a thing exist?
dwasi
 
Posts: 21
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

Postby dwasi » 2020-06-21 05:35

For now I've created a script in response. Once an hour it sweeps the mail log for email credentials with five or more fails and adds any IP associated with them to the aforementioned ipset already in the firewall. Since the IPs are not reused quickly, hourly sweeps should be sufficient.

It'll be interesting to see how big the ipset gets.
dwasi
 
Posts: 21
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

Postby cuckooflew » 2020-06-21 05:47

I don't know, but maybe look into: https://packages.debian.org/buster/apf-firewall
=============================================
Their home page: https://packages.debian.org/buster/apf-firewall

If you look closely on the package page, on the right side:
Maintainer:

Debian QA Group (QA Page)
Is an e-mail, mail list ... also a list of similar packages:
similar packages:

pyroman
nufw
fail2ban
nftables
fiaif
collectd-core
nuauth
ostinato
psad
cuckooflew
 
Posts: 683
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Need something like fail2ban for a distributed brute force

Postby dilberts_left_nut » 2020-06-21 09:05

Why not just add a fail2ban filter that triggers on any mention of that email address?
dilberts_left_nut
 
Posts: 5080
Joined: 2009-10-05 07:54
Location: enzed

Re: Need something like fail2ban for a distributed brute force

Postby dwasi » 2020-06-21 13:25

dilberts_left_nut wrote:Why not just add a fail2ban filter that triggers on any mention of that email address?

Because every few days they change to a different one. I guess they get all the way through their brute force list for that one and move on to another.
dwasi
 
Posts: 21
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

Postby dwasi » 2020-06-21 13:59

My script added 15 IPs while I was working on it, so when I got done there were 481 IPs. It added more overnight; in the morning it was 511. Then I got the idea to run it against older logs, so I gunzipped a few and ran it against those. The .1 log took it to 523, and the .2 log took it to 525, even though both of those were loaded with attempts. No change from applying any older log than those. So I'm thinking my ipset must be getting close to a pretty complete list of their botnet now.
dwasi
 
Posts: 21
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

Postby arzgi » 2020-06-21 14:05

Why don't you use ssh-keys, and disable password login?
arzgi
 
Posts: 673
Joined: 2008-02-21 17:03
Location: Finland

Re: Need something like fail2ban for a distributed brute force

Postby dwasi » 2020-06-21 16:43

arzgi wrote:Why don't you use ssh-keys, and disable password login?

It's not an ssh login. They're trying to find TLS authentication credentials to the MTA, presumably to use it as a relay.
dwasi
 
Posts: 21
Joined: 2019-11-27 16:57

Re: Need something like fail2ban for a distributed brute force

Postby dwasi » 2020-06-26 17:07

After putting the script in action for a while, I was interested to see the botnet react to it and change tactics. It started using a lot more email addresses simultaneously, apparently to be able to make more tries from each IP before the script blocked it.

I refined my script to block the IP of any failed attempt that tries to use an email which doesn't exist in the virtual mailboxes, and to run every 15 minutes. So they don't get three or four tries from a specific IP anymore. Each bot in their net gets one try and then BANG into the blocklist it goes.

This countermeasure has cut the attack traffic from thousands of daily attempts to maybe 20. I expect it will continue to slowly drop off as the number of bots not in the blocklist diminishes. (Unless the new connections are all from newly zombified machines.)
dwasi
 
Posts: 21
Joined: 2019-11-27 16:57
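Both sweep rules dwasi describes in this thread (the hourly "five or more failures per credential" sweep and the later "one failure against a nonexistent mailbox" rule), written up as an added example that is not dwasi's actual script; it assumes a Postfix-style log line carrying `sasl_username=`, a constructed sample log, and an ipset named `mta-bruteforce`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the Postfix "sasl_username=" log style; the real
# log format is an assumption, so adjust LINE_RE to match the actual MTA log.
SAMPLE_LOG = """\
Jun 21 03:01:12 mx postfix/smtpd[4011]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=sales@example.test
Jun 21 03:02:40 mx postfix/smtpd[4012]: warning: unknown[203.0.113.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=sales@example.test
Jun 21 03:04:03 mx postfix/smtpd[4013]: warning: unknown[203.0.113.12]: SASL PLAIN authentication failed: UGFzc3dvcmQ6, sasl_username=sales@example.test
Jun 21 03:05:00 mx postfix/smtpd[4013]: connect from unknown[203.0.113.99]
Jun 21 03:07:51 mx postfix/smtpd[4014]: warning: unknown[203.0.113.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=sales@example.test
Jun 21 03:09:17 mx postfix/smtpd[4015]: warning: unknown[203.0.113.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=sales@example.test
Jun 21 03:11:30 mx postfix/smtpd[4016]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info@example.test
Jun 21 03:12:05 mx postfix/smtpd[4017]: warning: unknown[192.0.2.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=alice@example.test
"""

LINE_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed:"
    r".*sasl_username=(?P<user>\S+)"
)

def parse_failures(log_text):
    """Yield (username, ip) for every failed SASL auth line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user").lower(), m.group("ip")

def ips_by_credential_threshold(log_text, threshold=5):
    """Hourly-sweep rule: ban every IP that failed with a username seen
    failing at least `threshold` times in total, whatever the source IP."""
    attempts = defaultdict(list)
    for user, ip in parse_failures(log_text):
        attempts[user].append(ip)
    return {ip for ips in attempts.values() if len(ips) >= threshold for ip in ips}

def ips_for_nonexistent_users(log_text, valid_users):
    """Refined rule: a single failure for a mailbox that is not in the
    virtual-mailbox list is enough to ban the source IP."""
    valid = {u.lower() for u in valid_users}
    return {ip for user, ip in parse_failures(log_text) if user not in valid}

def ipset_commands(ips, setname="mta-bruteforce"):
    """Render idempotent `ipset add` lines for the set the firewall drops
    (the set name is assumed); -exist avoids errors when an IP is re-added."""
    return [f"ipset -exist add {setname} {ip}"
            for ip in sorted(ips, key=ipaddress.ip_address)]
```

Feed the real mail log in place of `SAMPLE_LOG` and the output of `ipset_commands` is what a cron job would pipe to the shell; with the sample data the threshold rule bans the five `sales@` sources and the nonexistent-mailbox rule additionally bans the `info@` source while leaving the valid `alice@` login alone.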