7

I have installed fail2ban on my mail server, and the logs show 4-5 IPs regularly hitting my server at large intervals (so not often enough to trigger the fail2ban rules):

2017-10-04 06:29:04,705 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 92.xxx.xxx.11
2017-10-04 07:14:35,674 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 37.xxx.xxx.118
2017-10-04 08:01:29,732 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 37.xxx.xxx.118
2017-10-04 08:08:45,221 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 92.xxx.xxx.11
2017-10-04 08:48:00,802 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 37.xxx.xxx.118
2017-10-04 09:36:07,958 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 37.xxx.xxx.118
2017-10-04 09:48:59,830 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 92.xxx.xxx.11
2017-10-04 10:23:22,123 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 37.xxx.xxx.118
2017-10-04 11:12:03,283 fail2ban.filter         [1091]: INFO    [postfix-sasl] Found 37.xxx.xxx.118

The IPs are all VPS'es, belonging to Digital Ocean, OVH and the like. A back-of-the-envelope calculation shows that, if the attacker checks one password every 40 minutes, they'll exhaust a 10 000-word dictionary in a little less than a year. (Not that my passwords are dictionary words, mind you). I guess it can pay off if the attacker is hitting thousands of servers simultaneously.

Should I be concerned about this type of attacks?

Joe
  • 2,764
  • 2
  • 13
  • 22
Mihai
  • 173
  • 4
  • 1
    Depends on the strength of your password. If you have a very weak password, yes. If you have a strong password that doesn't appear in word lists, it's possible, but still statistically unlikely that you'd be compromised this way. – Mark Buffalo Oct 13 '17 at 18:33

4 Answers4

8

Just block them by changing time interval in your jail rule.

bantime  = 10800 ;3 hours
findtime  = 86400 ;1 day
maxretry = 5

If an attacker fails 5 times in a day, he will be blocked for 3 hours or you can increase that number according to your wish.

Prevent as much as possible, before it will be to late.

Mirsad
  • 10,195
  • 8
  • 34
  • 54
1

A back-of-the-envelope calculation shows that, if the attacker checks one password every 40 minutes, they'll exhaust a 10 000-word dictionary in a little less than a year. (Not that my passwords are dictionary words, mind you).

If your passwords aren't dictionary words, then calculating how long it'll take to go through a dictionary isn't a very useful calculation, is it? Calculate out how long it'd take to brute force your password.

Given that information, make sure to rotate your passwords far before they'll be discovered. It's good practice to do this regularly, anyways, because passwords can leak in all sorts of unexpected places.

Since you've noticed this attack, feel free to adjust your fail2ban rules to block it more (if you aren't worried about the legitimate user impact of tightening them). Then you can take the new speed into consideration when doing your "time until compromised" calculation.

Xiong Chiamiov
  • 9,432
  • 2
  • 34
  • 81
0

I like to determine the threat of dictionary attacks by executing them against myself using the popular dictionary files downloaded at SkullSec.

rockyou.txt is a decent one and appending your local sports teams to it is an excellent method of discerning your dictionary hack risk.

BUT at the pace of attack you're experiencing now... you can be less concerned until they start executing additional, complex layered attacks which could indicate a motivated intruder specifically after your site(s).

123456789123456789123456789
  • 443
  • 2
  • 10
-2

You are likely experiencing a "knockknock" attack as described here: http://securityaffairs.co/wordpress/63969/hacking/knockknock-attacks-0365.html

It affects many companies, so I would not be surprised.

As long as you have secure passwords, the risk is pretty low. With secure passwords, even 1 million attempts should not come close to cracking it.

You can block the IPs in question or report abuse, but it's unlikely to stop it completely because the IPs will change. It's also not too much to worry about. Or, if the IPs are owned by the attacker, and not some hacked vps, you can launch a ddos attack by using servers with IP spoofing enabled and using UDP amplification >:)

You can test the password complexity of your environment by running mimikatz on a domain controller to dump all the password hashes, and then perform a brute force attack with Hashcat using wordlists and rules.

Daniel Grover
  • 872
  • 5
  • 11