2018-06-22
Slow password guessing for imaps
Interesting in the logs:Jun 19 21:22:29 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9] Jun 19 21:23:30 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9] Jun 19 21:27:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11] Jun 19 21:31:58 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11] Jun 19 22:27:15 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9] Jun 19 22:30:10 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9] Jun 19 22:44:17 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11] .. Jun 22 14:23:39 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11] Jun 22 14:24:35 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11] Jun 22 15:20:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9] Jun 22 15:21:01 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9] Jun 22 15:29:18 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11] Jun 22 15:30:06 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]Every time fail2ban blocks the addresses for a while but the attacker is more persistant than that.