PROPOSAL: New signature for Dovecot

Issue #107 open
Gerard Seibert
created an issue

SSHguard 2.2.0 FreeBSD 12.0 Dovecot 2.3.4

The following are examples from the dovecot log that are never caught by sshguard.

Dec 20 22:05:28 pop3-login: Info: Login failed: Plaintext authentication disabled: user=<>, rip=198.27.127.44, lip=192.168.0.101, session=<0bf0hH99pMHGG38s>
Dec 20 22:05:28 pop3-login: Info: Disconnected (auth failed, 1 attempts in 0 secs): user=<test2@seibercom.net>, rip=198.27.127.44, lip=192.168.0.101, session=<0bf0hH99pMHGG38s>
Dec 20 23:03:03 pop3-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<QzrmUoB9SJi5ZFf6>
Dec 20 23:03:04 pop3-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS handshaking: Connection closed, session=<PZjuUoB9qJ+5ZFf6>
Dec 20 23:03:04 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS, session=<a075UoB9CqC5ZFf6>

I wrote my own script that catches these attempts, extracts the IPs and inserts them into IPFW. I feel that sshguard should be able to handle these though.

Comments (1)

  1. Kevin Zheng
    • changed status to open

    Agreed. Do you think it's better to match against the "Login failed" or "Disconnected..." messages? It looks like the former generates one of the latter, but there are more related to "no auth attempts," but "Disconnected" could also probably lead to some false positives.
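The two questions above (which Dovecot message to match, and how to avoid counting the "Login failed" line and the "Disconnected (auth failed, ...)" line that ends the same session twice) worked through as an added example. This is neither sshguard code (its matchers are flex rules, not Python) nor the reporter's IPFW script. The sample log is constructed, modelled on the lines quoted in the report but using RFC 5737 documentation addresses, and the `ipfw table sshguard` name is an assumption.

```python
"""Classify Dovecot login-process log lines and tally failures per remote IP."""
import re
from collections import defaultdict

# Constructed sample, modelled on the Dovecot 2.3 lines quoted in the issue;
# addresses are documentation ranges, not the reporter's originals.
SAMPLE_LOG = """\
Dec 20 22:05:28 pop3-login: Info: Login failed: Plaintext authentication disabled: user=<>, rip=203.0.113.7, lip=192.168.0.101, session=<aaaa0001>
Dec 20 22:05:28 pop3-login: Info: Disconnected (auth failed, 1 attempts in 0 secs): user=<test@example.net>, rip=203.0.113.7, lip=192.168.0.101, session=<aaaa0001>
Dec 20 22:05:31 imap-login: Info: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, rip=203.0.113.7, lip=192.168.0.101, session=<aaaa0002>
Dec 20 23:03:03 pop3-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=198.51.100.9, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<bbbb0001>
Dec 20 23:03:04 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=192.168.0.101, TLS, session=<bbbb0002>
Dec 20 23:10:00 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.101, mpid=1234, TLS, session=<cccc0001>
"""

# Common shape of every login-process status line: message, remote IP (rip=),
# local IP (lip=), optional TLS detail, then the session id.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<proc>\w+-login): Info: "
    r"(?P<msg>.*?), rip=(?P<rip>[0-9a-fA-F.:]+), lip=[^,]+,.*session=<(?P<session>[^>]+)>\s*$"
)
LOGIN_FAILED_RE = re.compile(r"^Login failed: ")
# Dovecot prints "1 attempts" without pluralising; accept both spellings.
AUTH_FAILED_RE = re.compile(r"^Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\)")
NO_AUTH_RE = re.compile(r"^Disconnected \(no auth attempts in \d+ secs\)")


def parse_line(line):
    """Return (rip, session, kind, attempts) or None for lines that are not
    login-process status lines. kind is one of 'login_failed', 'auth_failed',
    'no_auth' or 'other'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if LOGIN_FAILED_RE.match(msg):
        kind, n = "login_failed", 1
    else:
        a = AUTH_FAILED_RE.match(msg)
        if a:
            kind, n = "auth_failed", int(a.group("n"))
        elif NO_AUTH_RE.match(msg):
            kind, n = "no_auth", 0
        else:
            kind, n = "other", 0
    return m.group("rip"), m.group("session"), kind, n


def tally(log_text):
    """Count failed auth attempts and no-auth disconnects per remote IP.

    A 'Login failed' line and the 'Disconnected (auth failed, N attempts ...)'
    line that closes the same session are collapsed by session id: the session
    contributes max(seen, N), not the sum of both messages.
    """
    per_session = {}            # session id -> (rip, attempts)
    no_auth = defaultdict(int)  # rip -> number of no-auth disconnects
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rip, session, kind, n = parsed
        if kind in ("login_failed", "auth_failed"):
            prev = per_session.get(session, (rip, 0))[1]
            per_session[session] = (rip, max(prev, n))
        elif kind == "no_auth":
            no_auth[rip] += 1
    failed = defaultdict(int)
    for rip, n in per_session.values():
        failed[rip] += n
    return dict(failed), dict(no_auth)


def offenders(log_text, threshold=3):
    """Remote IPs with at least `threshold` failed auth attempts.

    No-auth disconnects are tallied separately and deliberately not counted:
    a failed TLS handshake may be a scanner, but may also be a misconfigured
    legitimate client, which is the false-positive risk the comment raises."""
    failed, _ = tally(log_text)
    return sorted(rip for rip, n in failed.items() if n >= threshold)


def ipfw_commands(ips, table="sshguard"):
    """Shell commands that would add the IPs to an ipfw table. The table name
    is an assumption; a deny rule referencing the table must already exist."""
    return [f"ipfw table {table} add {ip}" for ip in ips]


if __name__ == "__main__":
    failed_counts, no_auth_counts = tally(SAMPLE_LOG)
    print("failed auth attempts:", failed_counts)
    print("no-auth disconnects:", no_auth_counts)
    for cmd in ipfw_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

On the sample, 203.0.113.7 is credited with 4 attempts (1 from the paired "Login failed"/"auth failed" session plus 3 from the imap session) and is the only offender at the default threshold; 198.51.100.9 shows two no-auth disconnects and is reported but not blocked. Matching on the "Disconnected (auth failed, N attempts ...)" line alone gives the same count without the session bookkeeping, since Dovecot already carries the attempt total there.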
