Fail2ban not banning IP from brute-force attempts on POP3 login

fail2ban
v7

(Reggie Ho) #1

NethServer Version: 7.4.1708
Module: fail2ban

Just discovered hundreds of pop3-login attempts within the hour, and it seems like the fail2ban module is not BANNING the attempting IP.

Apr 24 11:21:04 SERVR dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=114.232.9.97, lip=xxx.xxx.xxx.xxx, session=<+LGoN5xqWgBy6Alh>

The above excerpt was taken from the imap.log file.

It seems like the filter is not reading the imap log file? Thanks


(Stéphane de Labrusse) #2

We could build our own regex if one is missing, but in this case it seems that you have no user set. Is it all the time?


(Reggie Ho) #3

I’m seeing much more of the same attacks and all have no user set… is that why the filter didn’t catch it? Thanks for your assistance & response…


(Dan) #4

Is this an “attack”, though? It isn’t being logged as an authentication failure, in the sense of a user presenting incorrect credentials. Rather, it’s being logged as a login attempt using an unsupported method (as would be the case with a misconfigured client). I’d guess this is why fail2ban isn’t picking it up.


(Stéphane de Labrusse) #5

I will need the full log please (send it by email) and a bit of time, currently on holiday.


(Reggie Ho) #6

The LOGIN is definitely not from my server user list… the IP showed a location in other parts of the world that I’m quite sure is not from my users.

Thanks… Already sent you the log file… Have a wonderful holiday… There’s no hurry in this. Cheers.


(Reggie Ho) #7

Hi Stéphane

Enclosed please find a copy of the imap file… you’ll find the attempt pop3-login showing with no user name… user=<> from IP definitely not

Please have a wonderful holiday… no hurry… I can manage manually to block the IP when I see them… Thanks again for the great help…

Regards

Reggie


(Reggie Ho) #8

… the pop3-login attacks came again this morning…

I got hundreds of these attacks from a Chinese network in a time span of 3 minutes this morning… somehow the Fail2ban filter didn’t pick up the attack…

i.e. in this case the culprit is from China… certainly not one of our email server users.

inetnum: 119.176.0.0 - 119.191.255.255
netname: UNICOM-SD
descr: China Unicom Shandong Province Network
descr: China Unicom
country: CN


Apr 26 07:22:19 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=<D/p8HcFqegB3uT4a>
Apr 26 07:22:20 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:22 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:23 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=


(Stéphane de Labrusse) #9

We can find some hints


In fact we need to check and adapt the regex.

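As an added illustration of what "adapt the regex" involves (example code written for this thread, not the nethserver-fail2ban module's own filter): a hypothetical failregex that accepts the empty user=<> seen in the quoted lines, run over a constructed sample log with fail2ban-style maxretry/findtime counting. The year, the sample addresses and the threshold defaults are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical failregex for the dovecot lines quoted in this thread: it tolerates an
# empty user=<> and captures rip=..., where a fail2ban filter would put <HOST>.
FAILREGEX = re.compile(
    r"dovecot: (?:pop3|imap)-login: Disconnected "
    r"\(tried to use disallowed plaintext auth\): "
    r"user=<[^>]*>, rip=(?P<host>\d{1,3}(?:\.\d{1,3}){3}),"
)

# Constructed sample log (addresses and session ids are made up): five rapid
# attempts with user=<> from one client, one lone entry that looks like a
# misconfigured real client, and one unrelated line the filter must ignore.
SAMPLE_LOG = [
    "Apr 26 07:22:19 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=198.51.100.7, lip=192.0.2.10, session=<a1>",
    "Apr 26 07:22:20 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=198.51.100.7, lip=192.0.2.10, session=<a2>",
    "Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=198.51.100.7, lip=192.0.2.10, session=<a3>",
    "Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<alice>, rip=203.0.113.5, lip=192.0.2.10, session=<b1>",
    "Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=198.51.100.7, lip=192.0.2.10, session=<a4>",
    "Apr 26 07:22:22 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<c1>",
    "Apr 26 07:22:22 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=198.51.100.7, lip=192.0.2.10, session=<a5>",
]

def parse_ts(line, year=2018):
    # syslog timestamps carry no year; assume one (the constructed lines are all April)
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time the threshold was reached} for each address with at least
    maxretry matching lines inside a sliding findtime-second window (fail2ban's rule)."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # no failregex match: fail2ban never counts this line
        ip = m.group("host")
        if ip in banned:
            continue
        window = recent[ip]
        ts = parse_ts(line)
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget hits older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

The lone user=<alice> entry stays below maxretry, so a genuinely misconfigured client as described in post #4 is not banned while the burst with user=<> is.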

(Reggie Ho) #10

Thanks… Stephdl… for the info… I’ll try and make some changes on the filter… Appreciate the response.


(Stéphane de Labrusse) #11

Nethserver-fail2ban will grow its audience soon; it is going to be an official module for the enterprise and community NethServer versions.

Surely it is a good opportunity for this app to get more dedicated developer time.