Re: [Fail2ban-users] Any protection against multiple IPs using the same username ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

F2b can't do anything against this type of attack as the IP's rarely repeat.

If you want a bit of security through obscurity, turn off authentication 
on port 25 and configure your users to use SMPTS (tcp:465) or STARTTLS 
(tcp:587). There is much less bot traffic on those ports.

Nick

On 11/02/2018 15:17, chaouche yacine via Fail2ban-users wrote:
> Dear list,
>
> I was surprised to find this in one of my script's live output :
>
> Feb 11 16:01:16 rad...@my...d 104.131.92.159:
> Feb 11 16:01:19 rad...@my...d 81.91.92.176:
> Feb 11 16:01:21 rad...@my...d 213.136.88.68:
> Feb 11 16:01:25 rad...@my...d 132.148.21.197:
> Feb 11 16:01:28 rad...@my...d 91.121.136.82:
> Feb 11 16:01:31 rad...@my...d 70.32.72.249:
> Feb 11 16:01:33 rad...@my...d 88.198.177.200:
> Feb 11 16:01:37 rad...@my...d 132.148.22.72:
> Feb 11 16:01:40 rad...@my...d 185.14.28.209:
> Feb 11 16:01:47 rad...@my...d 185.14.28.209:
> Feb 11 16:01:50 rad...@my...d 31.186.8.165:
> Feb 11 16:01:52 rad...@my...d 176.31.171.249:
> Feb 11 16:01:55 rad...@my...d 174.142.254.4:
> Feb 11 16:01:58 rad...@my...d 173.249.5.133:
> Feb 11 16:02:04 rad...@my...d 103.1.239.204:
> Feb 11 16:02:10 rad...@my...d 115.146.127.53:
> Feb 11 16:02:13 rad...@my...d 80.87.200.146:
> Feb 11 16:02:17 rad...@my...d 50.62.82.236:
> Feb 11 16:02:20 rad...@my...d 158.222.0.202:
> Feb 11 16:02:24 rad...@my...d 89.219.33.110:
> Feb 11 16:02:26 rad...@my...d           37.59.8.29:
> Feb 11 16:02:28 rad...@my...d 85.25.213.84:
> Feb 11 16:02:31 rad...@my...d 185.95.85.159:
> Feb 11 16:02:33 rad...@my...d 146.185.160.102:
> Feb 11 16:02:35 rad...@my...d 94.23.93.101:
> Feb 11 16:02:38 rad...@my...d 104.236.206.7:
> Feb 11 16:02:41 rad...@my...d 194.150.118.6:
> Feb 11 16:02:44 rad...@my...d 212.109.221.24:
> Feb 11 16:02:46 rad...@my...d 146.185.157.149:
> Feb 11 16:02:48 rad...@my...d 62.75.202.128:
> Feb 11 16:02:51 rad...@my...d 193.203.206.3:
> Feb 11 16:02:55 rad...@my...d 208.107.4.149:
> Feb 11 16:02:57 rad...@my...d 173.212.252.117:
> Feb 11 16:03:01 rad...@my...d 38.109.217.143:
> Feb 11 16:03:04 rad...@my...d           5.2.209.70:
> Feb 11 16:03:10 rad...@my...d 101.99.65.25:
> Feb 11 16:03:12 rad...@my...d 91.121.85.220:
> Feb 11 16:03:15 rad...@my...d 83.220.174.125:
> Feb 11 16:03:19 rad...@my...d 173.203.58.135:
> Feb 11 16:03:21 rad...@my...d 144.76.60.149:
> Feb 11 16:03:24 rad...@my...d 37.46.131.252:
> Feb 11 16:03:30 rad...@my...d 221.132.35.142:
> Feb 11 16:03:32 rad...@my...d 46.4.122.252:
> Feb 11 16:03:36 rad...@my...d 64.91.251.84:
> Feb 11 16:03:39 rad...@my...d 94.181.191.195:
> Feb 11 16:03:42 rad...@my...d           216.27.29.7:
> Feb 11 16:03:44 rad...@my...d 176.31.182.14:
> Feb 11 16:03:48 rad...@my...d           47.22.0.41:
> Feb 11 16:03:50 rad...@my...d 188.166.112.173:
> Feb 11 16:03:53 rad...@my...d 62.109.23.50:
> Feb 11 16:03:59 rad...@my...d 210.211.118.171:
> Feb 11 16:04:02 rad...@my...d 176.57.209.53:
> Feb 11 16:04:04 rad...@my...d 37.97.198.103:
> Feb 11 16:04:10 rad...@my...d 221.132.35.142:
> Feb 11 16:04:16 rad...@my...d 163.44.206.185:
> Feb 11 16:04:19 rad...@my...d 184.173.181.142:
> Feb 11 16:04:24 rad...@my...d 198.12.149.197:
> Feb 11 16:04:27 rad...@my...d 213.159.208.254:
> Feb 11 16:04:30 rad...@my...d 198.50.145.221:
> Feb 11 16:04:36 rad...@my...d 190.13.128.146:
> Feb 11 16:04:41 rad...@my...d 139.196.229.151:
> Feb 11 16:04:43 rad...@my...d           176.9.122.132:
>
>
> It was generated in realtime by ychaouche/mailcop 
> <https://github.com/ychaouche/mailcop>
>
>
>
> 	
>
> 	
>
>
>     ychaouche/mailcop
>
> mailcop - Watches your mail server
> 	
>
> <https://github.com/ychaouche/mailcop>
>
>
>
> As you can see there are multiple IPs involved, it seems to be some 
> kind of distributed attack. Is there any way I can protect my server 
> against this ?
>
> Yassine.
>
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users