Monitor dovecot/postfix auth attacks in realtime with this simple script :
root@messagerie[10.10.10.19] ~ # /root/SCRIPTS/MAIL/mailcop -f
Oct 17 10:57:07 mantenimiento 61.69.108.150:
Oct 17 11:01:20 marco 117.56.187.240:
Oct 17 11:03:37 margo 177.179.246.135:
Oct 17 11:08:10 marianne 177.179.98.220:
Oct 17 11:10:16 marion 115.75.0.178:
Oct 17 11:11:00 [email protected] 10.10.10.19:
Oct 17 11:15:06 [email protected] 110.249.221.130:
Oct 17 11:15:39 boultiour.mess 61.185.139.72:
Oct 17 11:17:02 mary 177.43.213.86:
Oct 17 11:23:41 matt 201.33.193.166:
Oct 17 11:28:01 [email protected] 10.10.10.19:
Oct 17 11:32:33 mb 91.237.124.222:
Oct 17 11:34:54 mcbride 187.94.111.100:
Oct 17 11:43:32 michel 179.185.95.114:
Oct 17 11:46:37 i.aitahmed 10.10.10.19:
Oct 17 11:52:10 monica 200.49.145.161:
Oct 17 11:54:23 moreno 190.86.183.117:
-
You need to set auth_debug = yes in /etc/dovecot/conf.d/10-logging.conf
-
If you want to also monitor SASL attacks, you need to configure your SMTP server to use dovecot for SASL authentication.
-
You'll also need to install the geoiplookup command
-
If you're using fail2ban, the script also shows last banned IPs but you need to install shorewall and configure fail2ban actions to use
shorewall droporshorewall logdrop.
No installation required, just download the scripts in some directory, then either execute mailcop -f (follow) for realtime reporting or mailcop and mailcop -a to report past attacks (-a for all attacks). You can also call any of mailcop-ips, mailcop-logins or mailcop-countries for stats about IP, logins and countries that attacks originate from. mailcop-info on any IP, country or login to get corresponding attacks. The -a switch works with all mailcop* commands and will scan all dovecot log files instead of just dovecot.log (usually 24h).
You can get stats with mailcop-ips, mailcop-logins and mailcop-countries
Here's how they look
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-ips
[...]
154.235.28.12 3 IP Address not found
179.185.95.114 3 BR, Brazil
84.241.175.107 3 NL, Netherlands
91.237.124.222 3 UA, Ukraine
171.11.77.194 5 CN, China
10.10.10.19 8 IP Address not found
If one IP in particular catches your attention, you can list its attacks by supplying an argument to mailcop-info:
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-info 84.241.175.107
Oct 17 06:27:47 dummy
Oct 17 07:48:37 gavin
Oct 17 09:42:42 kato
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
You can also list attacks by country
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-countries
[...]
2 Taiwan
2 Turkey
3 India
4 Netherlands
4 Vietnam
6 Brazil
7 Russian Federation
7 United States
59 China
And here I can see what accounts are trying to get hacked the most :
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-logins
[...]
4 aine3
4 [email protected]
4 aisonradio
4 [email protected]
4 blanc_antenne
4 [email protected]
4 [email protected]
5 a.chaouche
17 [email protected]
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
By supplying an argument to mailcop-info, I can also track when did attacks occure with a specific login :
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # ./mailcop-info hamel
Oct 17 10:14:43 [email protected]
Oct 17 10:15:16 y.hamel
Oct 16 11:00:27 [email protected]
Oct 16 11:01:26 y.hamel
Oct 16 20:13:59 [email protected]
Oct 16 20:14:35 y.hamel
Oct 17 03:19:22 [email protected]
Oct 17 03:19:49 y.hamel
Oct 15 13:03:25 [email protected]
Oct 15 13:03:59 y.hamel
Oct 15 20:16:09 [email protected]
Oct 15 20:16:39 y.hamel
Oct 16 03:28:14 [email protected]
Oct 16 03:29:05 y.hamel
Oct 14 07:36:11 [email protected]
Oct 14 07:36:39 y.hamel
Oct 14 14:24:49 [email protected]
Oct 14 14:27:18 y.hamel
Oct 14 21:11:42 [email protected]
Oct 14 21:12:15 y.hamel
Oct 13 11:47:13 [email protected]
Oct 13 11:47:50 y.hamel
Oct 13 18:49:22 [email protected]
Oct 13 18:49:53 y.hamel
Oct 14 01:04:20 [email protected]
Oct 14 01:04:50 y.hamel
Oct 12 11:10:00 [email protected]
Oct 12 11:10:28 y.hamel
Oct 12 18:01:17 [email protected]
Oct 12 18:02:00 y.hamel
Oct 13 00:15:44 [email protected]
Oct 13 00:16:14 y.hamel
Oct 11 07:10:16 [email protected]
Oct 11 07:10:43 y.hamel
Oct 11 17:56:40 [email protected]
Oct 11 17:57:06 y.hamel
Oct 12 04:17:56 [email protected]
Oct 12 04:18:24 y.hamel
Oct 10 18:46:53 [email protected]
Oct 10 18:47:31 y.hamel
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
mailcop-mailer is meant to be run as a cron job that would send daily statistics about failed authentication attempts on your mail server. It simply calls the different mailcop-* commands and concatenates the output in a single e-mail. Here's an example mail it sends :
_ __ __ _(_) |__ ___ _ __
| ' \/ _` | | / _/ _ \ '_ \
|_|_|_\__,_|_|_\__\___/ .__/
|_|
Statistiques des dernières attaques sur notre serveur de messagerie
Début : Oct 16 06:26:23
Fin : Oct 17 06:12:26
Nombre d'attaques : 360
Top 10 des pays
---------------
29 China
16 Brazil
7 Argentina
6 Australia
4 Colombia
3 Vietnam
3 Taiwan
2 South Africa
2 Peru
2 Malaysia
Top 10 des addresses IP
-----------------------
10.10.10.19 19 IP Address not found
41.226.11.226 10 TN, Tunisia
200.77.217.106 10 MX, Mexico
181.143.94.74 10 CO, Colombia
181.143.83.140 9 CO, Colombia
118.163.4.1 8 TW, Taiwan
103.6.12.229 8 AU, Australia
93.207.49.135 7 DE, Germany
61.69.110.138 7 AU, Australia
190.2.52.53 7 AR, Argentina
Top 10 des logins utilisés
--------------------------
8 info
6 radiomitidja
5 sde
4 [email protected]
4 [email protected]
4 it
4 [email protected]
4 [email protected]
3 [email protected]
3 y.hamen
Dernières attaques
------------------
Oct 17 05:33:30 culture 91.183.212.186:
Oct 17 05:37:51 custodia 123.56.151.114:
Oct 17 05:42:08 cynthia 41.191.224.5:
Oct 17 05:44:20 dalton 91.183.212.186:
Oct 17 05:50:54 daniele 118.163.4.1:
Oct 17 05:59:29 db 115.75.0.178:
Oct 17 06:01:39 dealer 123.56.151.114:
Oct 17 06:05:58 diane 181.143.83.140:
Oct 17 06:08:10 dimas 118.163.4.1:
Oct 17 06:12:26 direccion 93.207.49.135:
Les 10 dernières addresses bloquées
-----------------------------------
pkts bytes target prot opt in out source destination
6 304 reject all -- * * 123.52.76.74 0.0.0.0/0
0 0 reject all -- * * 60.167.113.119 0.0.0.0/0
21 1064 reject all -- * * 103.6.12.229 0.0.0.0/0
3 144 reject all -- * * 118.113.45.212 0.0.0.0/0
7 420 reject all -- * * 200.77.217.106 0.0.0.0/0
9 456 reject all -- * * 181.143.94.74 0.0.0.0/0
6 304 reject all -- * * 182.38.33.36 0.0.0.0/0
6 304 reject all -- * * 59.25.144.187 0.0.0.0/0
3 152 reject all -- * * 41.162.66.100 0.0.0.0/0
The last listing is that of the shorewall show dyanmic command (shorewall needed)
Questions / criticisme to @ychaouche