Need help with IMAP attack
This has been going on for days. It kind of alternates in waves with an ssh bogus login attack (which doesn't concern me as much…there is only one account with ssh access and it requires certificate authentication). Here are the stats of banned IPs from fail2ban(1) since Monday, Jan 18, 2021:
2021-01-18 - 2
2021-01-19 - 33
2021-01-20 - 32
2021-01-21 - 36
2021-01-22 - 6 (and counting)
Here's a sample transaction from earlier this morning:
Jan 22 05:47:20 REDACTED dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<errillmerrill@REDACTED>, method=PLAIN, rip=131.191.10.55, lip=REDACTED, TLS, session=<1+YdbX25v+KDvwo3>
Basically, this is an attempt by 131.191.10.55 (which belongs to the City of Tacoma, WA) to deliver spam by logging directly into my IMAP server to deposit the message directly in errillmerrill's INBOX.
My IMAP server requires authentication and there is no account for errillmerrill@REDACTED anyway. fail2ban(1) found this bogus attempt after a second or two and blocked all traffic to/from this IP address for 30 days. The other variant is to use a valid account but fail on the password (which are changed regularly).
I've limited the connection rate to 5/min with a burst of 10. I reject overflows. I can't close the port because all my customers (and their mobile phones) use it all the time.
Does anyone have any idea how I can stop this or better mitigate its effects?
Inquiring minds want to know… Thanks in advance.
-- sw
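The detection the post describes (fail2ban matching dovecot "auth failed" lines, counting failures per source IP within a window, then banning for a long period) can be shown end to end on a handful of log lines. The following is an added example written for this thread, not code from the original post or from fail2ban itself; the log lines are constructed from the one sample in the post (the other addresses are RFC 5737 documentation addresses), the year is assumed because syslog timestamps carry none, and the regex is modelled only on that one line format. Like fail2ban's dovecot filter, each matching line counts as one failure regardless of the "N attempts" figure inside it, and a line without "auth failed" (e.g. a probe that never tried to authenticate) is ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: the post's attacker probing three non-existent
# users within a minute, one scanner that never authenticates, and a real
# user (192.0.2.44) fumbling a password a few times over an hour.
SAMPLE_LOG = """\
Jan 22 05:47:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<errillmerrill@example.net>, method=PLAIN, rip=131.191.10.55, lip=203.0.113.10, TLS, session=<1+YdbX25v+KDvwo3>
Jan 22 05:47:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<sales@example.net>, method=PLAIN, rip=131.191.10.55, lip=203.0.113.10, TLS, session=<aaaaaaaaaaaaaaaa>
Jan 22 05:47:45 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.7, lip=203.0.113.10, TLS, session=<bbbbbbbbbbbbbbbb>
Jan 22 05:48:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<info@example.net>, method=PLAIN, rip=131.191.10.55, lip=203.0.113.10, TLS, session=<cccccccccccccccc>
Jan 22 05:49:10 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=<stevewi@example.net>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, TLS, session=<dddddddddddddddd>
Jan 22 06:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<stevewi@example.net>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, TLS, session=<eeeeeeeeeeeeeeee>
Jan 22 06:35:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<stevewi@example.net>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, TLS, session=<ffffffffffffffff>
"""

# Assumed regex: modelled on the single dovecot imap-login line quoted in
# the post. Only "auth failed" disconnects match; "no auth attempts" does not.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+),"
)

YEAR = 2021  # assumption: syslog timestamps omit the year; the post is from Jan 2021


def parse(line):
    """Return {ts, user, rip} for an auth-failure line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "rip": m["rip"]}


def find_bans(lines, maxretry=3, findtime=600, bantime=30 * 86400):
    """Sliding-window failure counter per source IP, in the style of
    fail2ban's maxretry/findtime/bantime. Returns {ip: ban_expiry}.
    Defaults mirror the post: a 30-day ban after a few failures."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["rip"]
        if ip in bans:
            # Already banned: the firewall rule would have dropped this packet.
            continue
        q = recent[ip]
        q.append(ev["ts"])            # one failure per matching line
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ev["ts"] + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, expiry in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {expiry.isoformat()}")
```

With the defaults, 131.191.10.55 trips the threshold on its third failure at 05:48:02 and is banned until Feb 21, while the legitimate user at 192.0.2.44 is never banned because its three failures are spread over more than findtime. Lowering maxretry to 2 bans the attacker one line earlier and also catches the real user, which is the trade-off behind the post's choice of thresholds: an account whose password is "changed regularly" will generate exactly the second pattern (valid user, wrong password) from every phone that has not been updated yet.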
3 Replies
@stevewi Sorry to hear you're experiencing these consistent attacks. It sounds like you've got a pretty solid plan already in place. I'm not aware of any other steps that might help stop the attacks. But I did some research and there may be some helpful configuration information in this post.
It may not stop the attacks per se, but it may be useful to configure fail2ban to notify the attacker's ISP.
I hope this offers some help!
@rdaniels writes:
It may not stop the attacks per se, but it may be useful to configure fail2ban to notify the attacker's ISP.
Thanks for the info. I have fail2ban(1) tuned so that detection happens almost coincident with the occurrence. To do it any faster, my Linode would need to be able to read several (mostly foreign) minds…
Most of the attackers are outside the US. Even those that are US-based ignore these kinds of messages…especially if the attack originates from a VPS service like AWS, Azure or Google Cloud (VPS). Amazon/Google just ignore the reports. M$ writes back and says "this IP address is part of Azure…we know nothing…we're not responsible".
I'm still getting several attacks per day but not nearly at the level I was seeing at the time of my OP. As of this writing I have just shy of 500 unique IP addresses in my fail2ban(1) jail for dovecot (the sentence is 60 days…and no parole or appeals).
-- sw