This apparently also bypasses Fail2Ban and I wonder what the solution is then.
«IoT Devices in Password-Spraying Botnet:
Microsoft is warning Azure cloud users that a Chinese controlled botnet is engaging in “highly evasive” password spraying. Not sure about the “highly evasive” part; the techniques seem basically what you get in a distributed password-guessing attack»
https://www.schneier.com/blog/archives/2024/11/iot-devices-in-password-spraying-botnet.html
Does anyone know if the following is possible with #fail2ban:
What I want to do is block an IP if, for example, it fails to log in 10 times with a specific username, but not if it makes 10 login attempts for 10 different users.
Ugh, #fail2ban on #Debian apparently doesn't catch SASL auth failures from #Postfix; the filter seems to be broken. The problem in particular is our favourite object of hatred, #systemd / #jounald. So, by hand.
journald -t corresponds to SYSLOG_IDENTIFIER in journalmatch. That gives:
journalmatch = SYSLOG_IDENTIFIER=postfix/smtps/smtpd
failregex = \[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
No guarantees and all that.
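As an added example (not code from any of the posts above), the following Python script turns the Postfix SASL failregex from the last post into a plain `re` pattern and runs it over constructed journald-style log lines, then applies the two counting policies from the earlier question: fail2ban's stock per-host count, and the requested per-(host, username) count that does not ban a source spreading ten attempts over ten different accounts. Assumptions: fail2ban's `<HOST>` tag is simplified to a named group matching everything up to the closing bracket; the log lines carry a `, sasl_username=...` suffix (lines without it are counted under user `None`); the `(?i)` flag is scoped to its group with `(?i:...)`, because Python 3.11 and later reject a global flag placed mid-pattern; and fail2ban's `findtime` window is left out, so counts are over the whole input.

```python
import re
from collections import defaultdict

# The failregex from the post above as a plain Python regex. fail2ban's <HOST>
# tag is simplified to a named group (assumption: anything up to the closing
# bracket), and the (?i) flag is scoped with (?i:...), since Python 3.11+
# rejects a global flag that is not at the very start of the pattern.
FAILREGEX = re.compile(
    r"\[(?P<host>[^\]]+)\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
    r"(?! Connection lost to authentication server| Invalid authentication mechanism)"
)

# Assumption: the smtpd line ends with ", sasl_username=<user>"; lines
# without that suffix are counted under user None.
USER_RE = re.compile(r"sasl_username=(?P<user>\S+)")


def parse_failures(lines):
    """Yield (host, user) for every line the filter counts as a failure."""
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # not a failure line, or excluded by the negative lookahead
        u = USER_RE.search(line)
        yield m.group("host"), (u.group("user") if u else None)


def hosts_to_ban_per_host(lines, maxretry=10):
    """fail2ban's stock behaviour: count failures per source host only."""
    counts = defaultdict(int)
    for host, _user in parse_failures(lines):
        counts[host] += 1
    return {h for h, n in counts.items() if n >= maxretry}


def hosts_to_ban_per_user(lines, maxretry=10):
    """The policy asked for above: ban a host only when it fails maxretry
    times against the same username; ten failures spread over ten different
    users do not trigger a ban (findtime window omitted)."""
    counts = defaultdict(int)
    for host, user in parse_failures(lines):
        counts[(host, user)] += 1
    return {host for (host, _user), n in counts.items() if n >= maxretry}


def _line(host, mech, reason, user=None):
    """Build a constructed Postfix smtpd line in journalctl's short output form."""
    tail = f", sasl_username={user}" if user else ""
    return (f"Nov 20 10:00:01 mail postfix/smtps/smtpd[4242]: warning: "
            f"unknown[{host}]: SASL {mech} authentication failed: {reason}{tail}")


# Constructed sample log: one host hammering a single account, one host
# spraying ten accounts once each (lower-case mechanism name exercises the
# scoped (?i:...) flag), and one host producing only lines the filter's
# negative lookahead is meant to ignore.
SAMPLE_LINES = (
    [_line("203.0.113.5", "LOGIN", "UGFzc3dvcmQ6", "alice")] * 10
    + [_line("198.51.100.7", "plain", "authentication failure", f"user{i}") for i in range(10)]
    + [_line("192.0.2.9", "PLAIN", "Connection lost to authentication server", "bob")] * 10
    + [_line("192.0.2.9", "DIGEST-MD5", "Invalid authentication mechanism", "bob")]
)

if __name__ == "__main__":
    print("per host:", sorted(hosts_to_ban_per_host(SAMPLE_LINES)))
    print("per user:", sorted(hosts_to_ban_per_user(SAMPLE_LINES)))
```

Running it shows the difference between the two policies on the same input: the per-host count bans both 203.0.113.5 and 198.51.100.7, while the per-user count bans only 203.0.113.5, and none of the 192.0.2.9 lines is counted at all because the lookahead excludes them. The same `FAILREGEX.search` loop doubles as a quick check that the filter compiles and matches on the Python version your fail2ban actually runs under.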