Have the fail2ban enhancement in place provided from the other discussion, but all of a sudden I'm seeing larger than usual activity in the gromox-imap logs of failed user attempts, yet when I check fail2ban-client status postfix-sasl or grommunio-sync, neither shows very heavy activity. Did something change in the logging, and do the fail2ban enhancements need to be adjusted?

settings from jail.local
[postfix-sasl]
enabled = true
backend = systemd
# fail2ban's option is spelled maxretry; a misspelled key is not applied
maxretry = 2
bantime = 3d
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s

If this is your full fail2ban filter set related to grommunio, then you're only tracking the postfix (meaning smtp, sending of email) access. If postfix triggers, then the imap port is also blocked.
But if an attacker tries to connect via imap, then this fail2ban jail will never trigger.

btw: ... and this is not related to any recent update

@weini, this is the fail2ban script that @WalterH provided in a previous post, so it also has the filters/jails for grommunio-sync and grommunio-web-auth as well, but neither of those points to the imap or imaps ports; only postfix-sasl refers to them in jail.local, which is why I believe something is missing and am asking for guidance.

Here is an example of 1 hour from the gromox-imap log and the reason for figuring it out, and yes, this is with spamhaus and other RBL list blocking at the firewall filter. Take those efforts into effect and we see an additional 2,500 hits stopped each hour.

[2024-09-18 21:08:20.573964]: rhost=[::ffff:78.82.149.238]:42344 user=brian.quinn@xyz.com LOGIN phase2 rejected: No such user
[2024-09-18 21:08:22.014913]: rhost=[::ffff:78.82.149.238]:42344 user=brian.quinn@xyz.com LOGIN phase1 rejecting "brian.quinn@xyz.com":
[2024-09-18 21:10:43.311729]: rhost=[::ffff:117.220.157.230]:52448 user=brian.quinn LOGIN phase2 rejected: No such user
[2024-09-18 21:10:45.015044]: rhost=[::ffff:117.220.157.230]:52448 user=brian.quinn LOGIN phase1 rejecting "brian.quinn":
[2024-09-18 21:12:36.395445]: rhost=[::ffff:116.97.240.172]:51670 user=brian.quinn@xyz.com LOGIN phase2 rejected: No such user
[2024-09-18 21:12:38.327973]: rhost=[::ffff:116.97.240.172]:51670 user=brian.quinn@xyz.com LOGIN phase1 rejecting "brian.quinn@xyz.com":
[2024-09-18 21:36:48.470017]: rhost=[::ffff:47.237.26.68]:39034 user=brian.quinn@xyz.com LOGIN phase2 rejected: No such user
[2024-09-18 21:36:50.272956]: rhost=[::ffff:47.237.26.68]:39034 user=brian.quinn@xyz.com LOGIN phase1 rejecting "brian.quinn@xyz.com":
[2024-09-18 21:39:55.962484]: rhost=[::ffff:165.231.143.243]:60676 user=brian.quinn@xyz.com LOGIN phase2 rejected: No such user
[2024-09-18 21:39:57.430695]: rhost=[::ffff:165.231.143.243]:60676 user=brian.quinn@xyz.com LOGIN phase1 rejecting "brian.quinn@xyz.com":
[2024-09-18 21:40:01.893908]: rhost=[::ffff:65.20.193.144]:33023 user=brian.quinn LOGIN phase2 rejected: No such user
[2024-09-18 21:40:03.428718]: rhost=[::ffff:65.20.193.144]:33023 user=brian.quinn LOGIN phase1 rejecting "brian.quinn":
[2024-09-18 21:40:28.867658]: rhost=[::ffff:203.115.107.50]:49948 user=brian.quinn LOGIN phase2 rejected: No such user
[2024-09-18 21:40:30.783815]: rhost=[::ffff:203.115.107.50]:49948 user=brian.quinn LOGIN phase1 rejecting "brian.quinn":
[2024-09-18 21:54:18.037885]: rhost=[::ffff:65.20.250.180]:58398 user=brian.quinn@xyz.com LOGIN phase2 rejected: No such user
[2024-09-18 21:54:19.814245]: rhost=[::ffff:65.20.250.180]:58398 user=brian.quinn@xyz.com LOGIN phase1 rejecting "brian.quinn@xyz.com":
[2024-09-18 21:54:26.894256]: rhost=[::ffff:14.99.199.106]:60084 user=brian.quinn LOGIN phase2 rejected: No such user
[2024-09-18 21:54:28.827364]: rhost=[::ffff:14.99.199.106]:60084 user=brian.quinn LOGIN phase1 rejecting "brian.quinn":
[2024-09-18 21:54:45.326307]: rhost=[::ffff:110.39.9.122]:57005 user=brian.quinn@xyz.com LOGIN phase2 rejected: No such user
[2024-09-18 21:54:47.161481]: rhost=[::ffff:110.39.9.122]:57005 user=brian.quinn@xyz.com LOGIN phase1 rejecting "brian.quinn@xyz.com":

mjmabs
    LOGIN phase1

the current fail2ban filters do not look for this message. If I find some spare time, I will try to add these messages to the filter list.
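As an added example, not code from this thread or from grommunio's own filter set: a candidate failregex pair for the gromox-imap "LOGIN phase1 rejecting" / "LOGIN phase2 rejected" lines, plus a small Python check that applies it the way fail2ban would. It assumes fail2ban's usual <HOST> expansion (which accepts the ::ffff: IPv4-mapped prefix seen in the log), a filter file name of gromox-imap.local, and constructed sample lines with documentation-range addresses.

```python
import re
from collections import Counter

# Approximation of what fail2ban substitutes for <HOST>: an optional
# IPv4-mapped "::ffff:" prefix, then the address captured as group "host".
FAIL2BAN_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Candidate failregex lines for /etc/fail2ban/filter.d/gromox-imap.local
# (assumed file name). Both rejection forms in the log count as a failure.
FAILREGEX = [
    r'^.*rhost=\[<HOST>\]:\d+ user=\S+ LOGIN phase2 rejected: .*$',
    r'^.*rhost=\[<HOST>\]:\d+ user=\S+ LOGIN phase1 rejecting ".*":\s*$',
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", FAIL2BAN_HOST)) for p in patterns]


def count_failures(lines, patterns=FAILREGEX):
    """Return {host: failed-login count}, the per-IP tally a jail keeps."""
    compiled = compile_failregex(patterns)
    counts = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                counts[m.group("host")] += 1  # ::ffff: prefix is not part of host
                break
    return dict(counts)


def hosts_to_ban(lines, maxretry=2):
    """Hosts that reached the jail's maxretry threshold (findtime ignored here)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


# Constructed sample lines in the gromox-imap format shown in the thread.
SAMPLE = [
    "[2024-09-18 21:08:20.573964]: rhost=[::ffff:203.0.113.10]:42344 user=alice@example.com LOGIN phase2 rejected: No such user",
    '[2024-09-18 21:08:22.014913]: rhost=[::ffff:203.0.113.10]:42344 user=alice@example.com LOGIN phase1 rejecting "alice@example.com":',
    "[2024-09-18 21:10:43.311729]: rhost=[::ffff:198.51.100.7]:52448 user=alice LOGIN phase2 rejected: No such user",
    # constructed non-failure line (wording invented); it must not match
    "[2024-09-18 21:11:00.000000]: rhost=[::ffff:198.51.100.8]:52449 user=bob LOGIN phase2 ok",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE), hosts_to_ban(SAMPLE))
```

To use the patterns, put them under a [Definition] section as failregex in the filter file and add a jail that points at the gromox-imap log and at port imap,imaps; the real log path on your system must be filled in.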

© 2020-2024 grommunio GmbH. All rights reserved. | https://grommunio.com