NethServer Version: 7.4.1708
Module: fail2ban
Just discover hundreds of tries on pop3-login attempts within the hour and seems like the fail2ban module is not BANNING the attempted IP.
Apr 24 11:21:04 SERVR dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=114.232.9.97, lip=xxx.xxx.xxx.xxx, session=<+LGoN5xqWgBy6Alh>
Above exert was taken from imap.log file
seems like the filter is not reading the imap log file ? Thanks
We could build our own regex if one is missing, but in this case it seems that you have no user set. It is all the time ?
I’m seeing much more of the same attacks and all have no user set…is that why the filter didn’t catch it… Thanks for your assistance & response…
Is this an “attack”, though? It isn’t being logged as an authentication failure, in the sense of a user presenting incorrect credentials. Rather, it’s being logged as a login attempt using an unsupported method (as would be the case with a misconfigured client). I’d guess this is why fail2ban isn’t picking it up.
I will need the full log please (sent it by email) and a bit of time, currently in holidays.
The LOGIN is definitely not from my server user list… the IP showed location that’s in other parts of the world that I’m quite sure not from my users.
Thanks… Already sent you the log File… Have a wonderful holidays…There’s no hurry in this. Cheers.
Hi Stéphane
Enclosed pls find a copy of the imap file… you’ll find the attempt
pop3-login showing with no user name… user=<> from IP definitely not
Pls have a wonderful holidays… no hurry… I can manage manually
to block the ip when I see them… Thanks again for the great help…
Regards
Reggie
… the pop3-login attacks came again this morning…
I got hundreds of these attack from a Chinese Network in a time span of 3 minutes this morning…somehow Fail2ban filter didn’t pickup the attack…
ie. in this case the culprit is from China … certainly not one of our email server user.
inetnum: 119.176.0.0 - 119.191.255.255
netname: UNICOM-SD
descr: China Unicom Shandong Province Network
descr: China Unicom
country: CN
Apr 26 07:22:19 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=<D/p8HcFqegB3uT4a>
Apr 26 07:22:20 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:21 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:22 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
Apr 26 07:22:23 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=119.185.62.26, lip=xxx.xxx.xxx.xxx, session=
We can find some hints
In fact we need to check and adapt the regex
Thanks … Stephdl … for the infor… I’d try and make some changes on the filter…Appreciate the response.
Nethserver-fail2ban will rise its audience soon, it is going to be an official module for enterprise and community nethserver version.
Sure it is a good opportunity for this app to have more dedicated time of developers