- marked as enhancement
Dovecot AUTH when not advertised should be penalized
Issue #89
resolved
- sshguard 1.7.1-1
- debian 9.4
- Invocation
/bin/sh /usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 5400 -l /var/log/auth.log -l /var/log/mail.log -l /var/log/exim4/mainlog ... /usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 5400 -l /var/log/auth.log -l /var/log/mail.log -l /var/log/exim4/mainlog
- iptables
We get hundreds of attacks like this:
2018-06-03 13:16:08 SMTP protocol error in "AUTH LOGIN" H=(mail.example.com) [123.24.161.123] AUTH command used when not advertised: 1 Time(s)
And this:
2018-06-03 13:35:07 SMTP protocol error in "AUTH LOGIN" H=dynamic-186-31-81-98.dynamic.etb.net.co (mail.example.com) [186.31.81.98] AUTH command used when not advertised: 1 Time(s)
I would love for sshguard to use these as inputs to decide to block.
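An added example, not part of the original report and not sshguard's own parser: a Python matcher for the lines quoted above that extracts the peer address and scores repeat offenders. The function names, the per-hit score of 10 and the `>=` comparison are assumptions of this example; the threshold of 40 mirrors the `-a 40` in the invocation.

```python
import ipaddress
import re
from collections import Counter

# The peer address is taken from the bracket directly before the fixed message:
# the HELO name inside "H=(...)" is chosen by the client and may itself hold a
# bracketed address literal, so the first "[...]" on the line is not reliable.
AUTH_NOT_ADVERTISED = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} '      # timestamp prefix, as on this page
    r'SMTP protocol error in "AUTH [^"]*" H=.*'
    r'\[(?P<addr>[0-9A-Fa-f:.]+)\](?::\d+)? '     # [ip], optionally followed by :port
    r'AUTH command used when not advertised'
)

def peer_address(line):
    """Return the normalized peer IP for a matching line, else None."""
    m = AUTH_NOT_ADVERTISED.match(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("addr")))
    except ValueError:          # e.g. "[999.1.1.1]" passes the regex but is not an IP
        return None

def offenders(lines, threshold=40, score_per_hit=10):
    """Addresses whose cumulative score reaches the threshold (assumed values)."""
    scores = Counter()
    for line in lines:
        addr = peer_address(line)
        if addr:
            scores[addr] += score_per_hit
    return sorted(a for a, s in scores.items() if s >= threshold)

# First two lines are quoted from the report; the rest are constructed samples.
SAMPLE = [
    '2018-06-03 13:16:08 SMTP protocol error in "AUTH LOGIN" H=(mail.example.com) [123.24.161.123] AUTH command used when not advertised: 1 Time(s)',
    '2018-06-03 13:35:07 SMTP protocol error in "AUTH LOGIN" H=dynamic-186-31-81-98.dynamic.etb.net.co (mail.example.com) [186.31.81.98] AUTH command used when not advertised: 1 Time(s)',
    '2018-06-03 13:40:00 SMTP protocol error in "AUTH LOGIN" H=([192.0.2.10]) [203.0.113.7] AUTH command used when not advertised',
    '2018-06-03 13:41:00 SMTP connection from [198.51.100.4] lost',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(peer_address(entry))
    print(offenders([SAMPLE[2]] * 4))
```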
Comments (8)
- assigned issue to
- changed milestone to 2.2
- assigned issue to
- changed status to open
- changed component to parser
- removed milestone
  Removing milestone: 2.2 (automated comment)
- SSHGuard recognizes the attack, but gets confused with the timestamp. Blocking on #93.
- changed status to resolved
  Fixed in 39404cf.
- removed version
  Removing version: 1.7 (automated comment)
This looks very similar to the exim "auth command used when not advertised" that recently landed. I'll take a look at supporting the Dovecot version.