IMAP attack underway
My Linode seems to be in the middle of fending off a bot-net attack using imap-login as the vector. The attacker is trying to log in as my dad (whose account was deleted several years ago after he died).
Here's a summary of my configuration:
- POP3/POP3S are disabled (and blocked by the firewall);
- IMAP is only accepted from localhost (for v4 & v6…I need this for local apps…this is also enforced by the firewall);
- IMAPS requires login authentication; and
- LDA/LMTP use local-domain sockets (only accessible from localhost).
fail2ban(1) bans nodes after 1 IMAPS login failure in any 5-minute period… draconian I know… However, I only have 4 customers and I set up everyone's clients so I'm reasonably sure that any occurrences of an IMAPS login failure are from bogus login attempts.
Is there anything else anyone could suggest that I do?
Thanks in advance…
-- sw
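The "1 IMAPS login failure in any 5-minute period" rule above is fail2ban's findtime/maxretry window applied to Dovecot's imap-login log lines. As an added illustration (not the poster's configuration and not fail2ban's own code), here is a small Python model of that sliding window, run over a few constructed Dovecot-style log lines (the hostnames, user names and RFC 5737 documentation addresses are made up) so that the effect of different maxretry values on the same traffic can be compared.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Dovecot's imap-login log format (not from the thread).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 03 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dad>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Mar 03 10:00:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.2, TLS
Mar 03 10:02:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<dad>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Mar 03 10:03:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<dad>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS
Mar 03 10:20:00 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<alice>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.2, TLS
"""

# Matches only failed-auth disconnects; successful "Login:" lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[^,\s]+)"
)


def parse_auth_failures(log_text):
    """Yield (timestamp, user, remote_ip) for every auth-failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which
            # is fine because only differences between timestamps are used.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_bans(log_text, findtime=timedelta(minutes=5), maxretry=1,
              bantime=timedelta(hours=1)):
    """Model of fail2ban's window: ban an IP once it has `maxretry` failures
    inside any `findtime` span. Returns [(ip, time_of_ban, user_tried), ...].
    Defaults mirror the rule described in the post (one failure in five minutes).
    """
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    banned_until = {}            # ip -> when the ban expires
    bans = []
    for ts, user, ip in parse_auth_failures(log_text):
        if ip in banned_until and ts < banned_until[ip]:
            # Already banned: the firewall rule would have dropped this connection.
            continue
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, user))
            recent[ip] = []       # counter resets once the ban is placed
    return bans


if __name__ == "__main__":
    for retries in (1, 2, 3):
        print(f"maxretry={retries}:")
        for ip, when, user in find_bans(SAMPLE_LOG, maxretry=retries):
            print(f"  ban {ip} at {when:%H:%M:%S} (tried user={user})")
```

With the post's setting (maxretry=1) every source that fails once is banned, and the retry from 203.0.113.7 at 10:02:30 never reaches the auth log because the host is already blocked. Raising maxretry to 3 produces no bans at all on this sample, since no single address accumulates three failures inside five minutes; this is the trade-off behind the "draconian" choice when the legitimate user population is small and known.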
2 Replies
The steps you've taken so far look to be the same things I'm finding when trying to research this a little more. Aside from Fail2Ban, I found another interesting open-source tool that could be helpful, Brutelock. I haven't tested this, but going off of their documentation materials, it looks promising. Based on this post I found online, the essential thing it does here is that it creates a separate iptables chain, then runs a daemon. There's a paid version, which I believe provides automated updates to the software.
@watrick --
Thanks for the info. I read the post you linked to but the "brutelock.com" domain is for sale. I found the GitHub repo for it and discovered that it hasn't been updated in 9 years.
From what the post you linked to described, it doesn't sound a whole lot different than fail2ban(1). Anyway, moot since BruteLock appears to be abandoned.
Thanks for taking the time to respond…
-- sw