I have an ongoing brute-force attack on my SMTP server in a way that evades typical fail2ban settings:
- attacks take place from several IPs in the same subnet
- a single IP attacks in intervals longer than an hour, apparently to evade being blocked by fail2ban, which typically uses a `findtime` and `bantime` shorter than an hour
This is the log:
2017-09-05 01:11:19 LOGIN authenticator failed for (User) [91.200.12.165]:57519 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=soft)
2017-09-05 01:11:36 LOGIN authenticator failed for (User) [91.200.12.164]:51973 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sandy)
2017-09-05 01:15:22 LOGIN authenticator failed for (User) [91.200.12.121]:51545 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=brown)
2017-09-05 01:28:57 LOGIN authenticator failed for (User) [91.200.12.105]:64938 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=family)
2017-09-05 01:48:32 LOGIN authenticator failed for (User) [91.200.12.165]:64730 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=soi)
2017-09-05 01:48:47 LOGIN authenticator failed for (User) [91.200.12.164]:59184 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sanjeev)
2017-09-05 01:50:13 LOGIN authenticator failed for (User) [91.200.12.166]:64999 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=until)
2017-09-05 01:54:05 LOGIN authenticator failed for (User) [91.200.12.121]:58756 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=bryan)
2017-09-05 02:04:34 LOGIN authenticator failed for (User) [91.200.12.105]:55772 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=famous)
2017-09-05 02:25:36 LOGIN authenticator failed for (User) [91.200.12.165]:55563 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=soldiers)
2017-09-05 02:25:48 LOGIN authenticator failed for (User) [91.200.12.164]:50017 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sanmiguel)
2017-09-05 02:30:33 LOGIN authenticator failed for (User) [91.200.12.166]:55835 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=update)
2017-09-05 02:32:56 LOGIN authenticator failed for (User) [91.200.12.121]:49589 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=bsd)
2017-09-05 02:40:11 LOGIN authenticator failed for (User) [91.200.12.105]:62983 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=far)
2017-09-05 03:02:29 LOGIN authenticator failed for (User) [91.200.12.165]:62775 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=solution)
2017-09-05 03:02:40 LOGIN authenticator failed for (User) [91.200.12.164]:57228 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=santamaria)
2017-09-05 03:10:50 LOGIN authenticator failed for (User) [91.200.12.166]:63046 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=upgrade)
2017-09-05 03:11:37 LOGIN authenticator failed for (User) [91.200.12.121]:56803 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=bubba)
2017-09-05 03:15:41 LOGIN authenticator failed for (User) [91.200.12.105]:53820 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=farias)
2017-09-05 03:39:36 LOGIN authenticator failed for (User) [91.200.12.165]:53612 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=solve)
2017-09-05 03:39:48 LOGIN authenticator failed for (User) [91.200.12.164]:64441 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=santos)
2017-09-05 03:50:50 LOGIN authenticator failed for (User) [91.200.12.121]:64015 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=buchhaltung)
2017-09-05 03:51:30 LOGIN authenticator failed for (User) [91.200.12.166]:53880 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=upload)
2017-09-05 03:51:34 LOGIN authenticator failed for (User) [91.200.12.105]:61032 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=farm)
2017-09-05 04:17:31 LOGIN authenticator failed for (User) [91.200.12.165]:60825 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=somebody)
2017-09-05 04:17:34 LOGIN authenticator failed for (User) [91.200.12.164]:55274 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sara)
2017-09-05 04:27:43 LOGIN authenticator failed for (User) [91.200.12.105]:51865 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=farmer)
2017-09-05 04:30:06 LOGIN authenticator failed for (User) [91.200.12.121]:54848 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=buddy)
2017-09-05 04:32:02 LOGIN authenticator failed for (User) [91.200.12.166]:61091 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=upon)
2017-09-05 04:55:24 LOGIN authenticator failed for (User) [91.200.12.164]:62485 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sarah)
2017-09-05 04:55:24 LOGIN authenticator failed for (User) [91.200.12.165]:51657 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=someone)
2017-09-05 05:03:42 LOGIN authenticator failed for (User) [91.200.12.105]:59078 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=farmers)
2017-09-05 05:09:10 LOGIN authenticator failed for (User) [91.200.12.121]:62060 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=build)
2017-09-05 05:12:27 LOGIN authenticator failed for (User) [91.200.12.166]:51923 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=ups)
2017-09-05 05:33:26 LOGIN authenticator failed for (User) [91.200.12.164]:53321 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sat)
2017-09-05 05:33:26 LOGIN authenticator failed for (User) [91.200.12.165]:58869 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=somethin)
2017-09-05 05:40:00 LOGIN authenticator failed for (User) [91.200.12.105]:49912 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=fast)
2017-09-05 05:48:34 LOGIN authenticator failed for (User) [91.200.12.121]:52896 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=building)
2017-09-05 05:53:00 LOGIN authenticator failed for (User) [91.200.12.166]:59136 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=uranus)
2017-09-05 06:11:20 LOGIN authenticator failed for (User) [91.200.12.165]:49705 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=son)
2017-09-05 06:11:21 LOGIN authenticator failed for (User) [91.200.12.164]:60535 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=saturn)
2017-09-05 06:16:06 LOGIN authenticator failed for (User) [91.200.12.105]:57124 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=father
Is there a way to make some sort of selective fail2ban setting that would catch such attacks in a way other than just increasing `findtime` and `bantime` to several hours?
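The evasion in the question works because fail2ban counts failures per source IP inside `findtime`; each single IP stays under the threshold while the /24 as a whole does not. The following is an added example (not from the question or from fail2ban) that parses the Exim lines above and aggregates failures per subnet over a longer sliding window, so the subnet, not the individual address, is what gets flagged. The first five sample lines are taken from the log above; the `203.0.113.7` line is constructed to show an unrelated single failure that stays below the threshold.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: five lines from the question's log plus one constructed line.
SAMPLE_LOG = """\
2017-09-05 01:11:19 LOGIN authenticator failed for (User) [91.200.12.165]:57519 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=soft)
2017-09-05 01:11:36 LOGIN authenticator failed for (User) [91.200.12.164]:51973 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=sandy)
2017-09-05 01:15:22 LOGIN authenticator failed for (User) [91.200.12.121]:51545 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=brown)
2017-09-05 01:28:57 LOGIN authenticator failed for (User) [91.200.12.105]:64938 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=family)
2017-09-05 01:48:32 LOGIN authenticator failed for (User) [91.200.12.165]:64730 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=soi)
2017-09-05 03:00:00 LOGIN authenticator failed for (User) [203.0.113.7]:40000 I=[192.168.1.224]:25: 535 Incorrect authentication data (set_id=bob)
"""

# Matches the Exim "LOGIN authenticator failed" line and captures time and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGIN authenticator failed for "
    r"\(\S+\) \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]:\d+ "
)


def parse_failures(text):
    """Yield (timestamp, ip) for every failed-authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]


def offending_subnets(text, prefix=24, window_hours=24, threshold=5):
    """Return {subnet: peak_count} for /prefix subnets whose failures within any
    window_hours-long window reach threshold. prefix=32 reproduces the per-IP
    view fail2ban uses, which is what the slow rotation in the question evades."""
    by_net = defaultdict(list)
    for ts, ip in sorted(parse_failures(text)):
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ts)
    flagged = {}
    for net, stamps in by_net.items():  # stamps are in time order
        peak, lo = 0, 0
        for hi, ts in enumerate(stamps):  # sliding window over the sorted stamps
            while ts - stamps[lo] > timedelta(hours=window_hours):
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[str(net)] = peak
    return flagged


if __name__ == "__main__":
    print(offending_subnets(SAMPLE_LOG))  # flags 91.200.12.0/24, not 203.0.113.0/24
```

Run against the real log, the flagged subnets can feed a firewall rule or a fail2ban action that bans the network rather than the address; a per-IP one-hour window on the same data (`prefix=32, window_hours=1`) never reaches a typical `maxretry`.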