Monitor dovecot/postfix auth attacks in realtime with this simple script :
root@messagerie[10.10.10.19] ~ # /root/SCRIPTS/MAIL/mailcop -f
Oct 17 10:57:07 mantenimiento 61.69.108.150:
Oct 17 11:01:20 marco 117.56.187.240:
Oct 17 11:03:37 margo 177.179.246.135:
Oct 17 11:08:10 marianne 177.179.98.220:
Oct 17 11:10:16 marion 115.75.0.178:
Oct 17 11:11:00 k.benismael@mydomain.tld 10.10.10.19:
Oct 17 11:15:06 boultiour.mess@mydomain.tld 110.249.221.130:
Oct 17 11:15:39 boultiour.mess 61.185.139.72:
Oct 17 11:17:02 mary 177.43.213.86:
Oct 17 11:23:41 matt 201.33.193.166:
Oct 17 11:28:01 i.chaouati@mydomain.tld 10.10.10.19:
Oct 17 11:32:33 mb 91.237.124.222:
Oct 17 11:34:54 mcbride 187.94.111.100:
Oct 17 11:43:32 michel 179.185.95.114:
Oct 17 11:46:37 i.aitahmed 10.10.10.19:
Oct 17 11:52:10 monica 200.49.145.161:
Oct 17 11:54:23 moreno 190.86.183.117:
-
You need to set auth_debug = yes in /etc/dovecot/conf.d/10-logging.conf
-
If you want to also monitor SASL attacks, you need to configure your SMTP server to use dovecot for SASL authentication.
-
You'll also need to install the geoiplookup command
-
If you're using fail2ban, the script also shows last banned IPs but you need to install shorewall and configure fail2ban actions to use
shorewall droporshorewall logdrop.
No installation required, just download the scripts in some directory, then either execute mailcop -f (follow) for realtime reporting or mailcop and mailcop -a to report past attacks (-a for all attacks). You can also call any of mailcop-ips, mailcop-logins or mailcop-countries for stats about IP, logins and countries that attacks originate from. mailcop-info on any IP, country or login to get corresponding attacks. The -a switch works with all mailcop* commands and will scan all dovecot log files instead of just dovecot.log (usually 24h).
You can get stats with mailcop-ips, mailcop-logins and mailcop-countries
Here's how they look
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-ips
[...]
154.235.28.12 3 IP Address not found
179.185.95.114 3 BR, Brazil
84.241.175.107 3 NL, Netherlands
91.237.124.222 3 UA, Ukraine
171.11.77.194 5 CN, China
10.10.10.19 8 IP Address not found
If one IP in particular catches your attention, you can list its attacks by supplying an argument to mailcop-info:
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-info 84.241.175.107
Oct 17 06:27:47 dummy
Oct 17 07:48:37 gavin
Oct 17 09:42:42 kato
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
You can also list attacks by country
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-countries
[...]
2 Taiwan
2 Turkey
3 India
4 Netherlands
4 Vietnam
6 Brazil
7 Russian Federation
7 United States
59 China
And here I can see what accounts are trying to get hacked the most :
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-logins
[...]
4 aine3
4 aine3@mydomain.tld
4 aisonradio
4 aisonradio@mydomain.tld
4 blanc_antenne
4 blanc_antenne@mydomain.tld
4 blank_control@mydomain.tld
5 a.chaouche
17 application@mydomain.tld
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
By supplying an argument to mailcop-info, I can also track when did attacks occure with a specific login :
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-info hamel
Oct 17 10:14:43 y.hamel@mydomain.tld
Oct 17 10:15:16 y.hamel
Oct 16 11:00:27 y.hamel@mydomain.tld
Oct 16 11:01:26 y.hamel
Oct 16 20:13:59 y.hamel@mydomain.tld
Oct 16 20:14:35 y.hamel
Oct 17 03:19:22 y.hamel@mydomain.tld
Oct 17 03:19:49 y.hamel
Oct 15 13:03:25 y.hamel@mydomain.tld
Oct 15 13:03:59 y.hamel
Oct 15 20:16:09 y.hamel@mydomain.tld
Oct 15 20:16:39 y.hamel
Oct 16 03:28:14 y.hamel@mydomain.tld
Oct 16 03:29:05 y.hamel
Oct 14 07:36:11 y.hamel@mydomain.tld
Oct 14 07:36:39 y.hamel
Oct 14 14:24:49 y.hamel@mydomain.tld
Oct 14 14:27:18 y.hamel
Oct 14 21:11:42 y.hamel@mydomain.tld
Oct 14 21:12:15 y.hamel
Oct 13 11:47:13 y.hamel@mydomain.tld
Oct 13 11:47:50 y.hamel
Oct 13 18:49:22 y.hamel@mydomain.tld
Oct 13 18:49:53 y.hamel
Oct 14 01:04:20 y.hamel@mydomain.tld
Oct 14 01:04:50 y.hamel
Oct 12 11:10:00 y.hamel@mydomain.tld
Oct 12 11:10:28 y.hamel
Oct 12 18:01:17 y.hamel@mydomain.tld
Oct 12 18:02:00 y.hamel
Oct 13 00:15:44 y.hamel@mydomain.tld
Oct 13 00:16:14 y.hamel
Oct 11 07:10:16 y.hamel@mydomain.tld
Oct 11 07:10:43 y.hamel
Oct 11 17:56:40 y.hamel@mydomain.tld
Oct 11 17:57:06 y.hamel
Oct 12 04:17:56 y.hamel@mydomain.tld
Oct 12 04:18:24 y.hamel
Oct 10 18:46:53 y.hamel@mydomain.tld
Oct 10 18:47:31 y.hamel
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
mailcop-mailer is meant to be run as a cron job that would send daily statistics about failed authentication attempts on your mail server. It simply calls the different mailcop-* commands and concatenates the output in a single e-mail. Here's an example mail it sends :
_ __ __ _(_) |__ ___ _ __
| ' \/ _` | | / _/ _ \ '_ \
|_|_|_\__,_|_|_\__\___/ .__/
|_|
Statistiques des dernières attaques sur notre serveur de messagerie
Début : Oct 16 06:26:23
Fin : Oct 17 06:12:26
Nombre d'attaques : 360
Top 10 des pays
---------------
29 China
16 Brazil
7 Argentina
6 Australia
4 Colombia
3 Vietnam
3 Taiwan
2 South Africa
2 Peru
2 Malaysia
Top 10 des addresses IP
-----------------------
10.10.10.19 19 IP Address not found
41.226.11.226 10 TN, Tunisia
200.77.217.106 10 MX, Mexico
181.143.94.74 10 CO, Colombia
181.143.83.140 9 CO, Colombia
118.163.4.1 8 TW, Taiwan
103.6.12.229 8 AU, Australia
93.207.49.135 7 DE, Germany
61.69.110.138 7 AU, Australia
190.2.52.53 7 AR, Argentina
Top 10 des logins utilisés
--------------------------
8 info
6 radiomitidja
5 sde
4 t.meziane@radioalgerian-gmail.dz
4 relex@mydomain.tld
4 it
4 badmin@mydomain.tld
4 arch-admin@mydomain.tld
3 y.hamen@mydomain.tld
3 y.hamen
Dernières attaques
------------------
Oct 17 05:33:30 culture 91.183.212.186:
Oct 17 05:37:51 custodia 123.56.151.114:
Oct 17 05:42:08 cynthia 41.191.224.5:
Oct 17 05:44:20 dalton 91.183.212.186:
Oct 17 05:50:54 daniele 118.163.4.1:
Oct 17 05:59:29 db 115.75.0.178:
Oct 17 06:01:39 dealer 123.56.151.114:
Oct 17 06:05:58 diane 181.143.83.140:
Oct 17 06:08:10 dimas 118.163.4.1:
Oct 17 06:12:26 direccion 93.207.49.135:
Les 10 dernières addresses bloquées
-----------------------------------
pkts bytes target prot opt in out source destination
6 304 reject all -- * * 123.52.76.74 0.0.0.0/0
0 0 reject all -- * * 60.167.113.119 0.0.0.0/0
21 1064 reject all -- * * 103.6.12.229 0.0.0.0/0
3 144 reject all -- * * 118.113.45.212 0.0.0.0/0
7 420 reject all -- * * 200.77.217.106 0.0.0.0/0
9 456 reject all -- * * 181.143.94.74 0.0.0.0/0
6 304 reject all -- * * 182.38.33.36 0.0.0.0/0
6 304 reject all -- * * 59.25.144.187 0.0.0.0/0
3 152 reject all -- * * 41.162.66.100 0.0.0.0/0
The last listing is that of the shorewall show dyanmic command (shorewall needed)
Questions / criticisme to @ychaouche