Re: [Samba] check accounts for known bad passwords

Hi Louis,

Thanks for your message, and it seems we are doing pretty similar things. Yesterday evening I implemented the geo-ip blocking you mentioned, and I even followed the same page as you pointed out, btw :-)

This worked out _very_ well. Blocked several countries, and this basically stopped the attacks.

For the spam / virus filtering: this is also done on the UTM, with all kinds of sophos intelligence, and it's working very well, no complaints there.

I also implemented this: https://github.com/trick77/ipset-blacklist perhaps you'll find it interesting too.

I also run (and ran already) fail2ban yes, but I also implemented some specific rules to match those passwords the botnet likes to try, and those are blocked immediately, and permanently.

(those rules are running next to the regular config, where users can try three times and are unbanned after 10 minutes)

But since the geo-ip blocking is in place, we don't get them anymore.

Anyway, thanks for the tips!

MJ

On 07/21/2017 09:32 AM, L.P.H. van Belle via samba wrote:
Hai M-J,

Bit off topic for samba, but handy to know.
ah, yes, did not know that site, handy also.

I use iptables ipset geoip fail2ban and ufw combined.
Bit of these combined.
http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip
https://www.dghost.com/techno/internet/banning-an-entire-country-with-iptablesipset
https://tipstricks.itmatrix.eu/blocking-all-traffic-from-individual-countries-using-ipset-and-iptables/

My setup is as follows,

Ufw and geoip for country blocking and regular rules.
For example, Port 25/80/443 open for the world, all other are restricted to countries, (Where possible.)

Fail2ban monitors service logs for abuse, > 1 day block. (I use ipset here.)
Why 1 day? Spammers often return within a day, so if they do that they extend the block by a day.
The use of ipset, I do that here because of the amount of blocks I have.
Normally about 1500 IPs are blocked daily, and it's better to have this in ipset than iptables.
It's faster in the hash tables and can handle up to about 65k rules.

I do this for example on my mail relay/antispam.
CPU load dropped about 20%, spam mail getting through dropped about 80%,
from 10k mails through the antispam back to about 1.5k.
Also due to the good use of postfix/postscreen.

If you need more tips, you can pm me ;-)


Greetz,

Louis



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of mj via samba
Sent: Thursday 20 July 2017 17:23
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] check accounts for known bad passwords

Hi,

Yes it seems we are interesting.

Following your advice, I have just started blocking whole
countries, based on info found here:

https://www.iplocation.net/

(started with China, and now also Venezuela, the Koreas,
Sudan, Indonesia and India.)

That seems to help astonishingly well, thanks!

MJ

On 07/20/2017 04:19 PM, L.P.H. van Belle via samba wrote:
Hai M-J.

Still under attack...

A better thing maybe if possible for you..
Restrict imap/pop ports to only allow ips from netherlands
through your firewall.

Now, if they are coming from within your own country, which
makes it much easier for legal steps.

Do you have one attacker IP for me? I'll do some checks.

And i found this:
https://www.mylinuxplace.com/samba-password-complexity-check/
Just don't know if that will work for you, you have to try it out.


Greetz,

Louis


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
mj via samba
Sent: Thursday 20 July 2017 15:52
To: samba
Subject: [Samba] check accounts for known bad passwords

Hi,

Does anyone know of a script of some sort or a way to check my Samba
accounts for known bad passwords, such as "123321", "1q2w3e", and
such?

We are currently the target of a botnet, trying out those easy
passwords on our imap server. While many (all?) of our users have
good complex passwords, I am not 100% sure about
*all* of them. If possible I'd like to disable their
accounts, in the
case of such bad passwords.

It would be good if such a snippet would bypass the
bad_password_count policies, etc, so that I could scan accounts
without them becoming locked due to too many failed passwords.

Anyone with an idea how to do this?

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba








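The question that opens this thread (checking Samba accounts against a list of known bad passwords without tripping bad_password_count) can be answered offline on a Samba AD DC, because an NT hash is the unsalted MD4 of the UTF-16LE password: hashing the bad-password list once gives a fixed set of values to compare against what the directory stores, and no logon is ever attempted, so lockout counters are never touched. The script below is an added example, not code from this thread or from the Samba project. It assumes that `samba-tool user getpassword <user> --attributes=unicodePwd`, run as root on a DC, prints the account's NT hash base64-encoded in LDIF form with a `unicodePwd::` line; the sample LDIF text, the account names and the hash values in it are constructed to match that assumed shape, and MD4 is implemented in pure Python because hashlib may not offer it on OpenSSL 3 builds.

```python
"""Audit Samba AD accounts for known-bad passwords by comparing stored NT hashes.

Added example (not from the Samba mailing-list thread). Assumptions:
  * On a Samba AD DC, `samba-tool user getpassword <user> --attributes=unicodePwd`
    (run as root) prints LDIF in which `unicodePwd::` carries the base64-encoded
    16-byte NT hash. SAMPLE_LDIF below is CONSTRUCTED in that shape, not captured
    from a real DC.
  * NT hash = MD4(UTF-16LE(password)); MD4 is implemented here in pure Python.
No authentication attempt is made, so badPwdCount / lockout policy is never touched.
"""
import base64
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad, then 3 rounds of 16 steps per 64-byte block."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    bit_len = len(data) * 8
    data += b"\x80"                                   # mandatory 1-bit terminator
    data += b"\x00" * ((56 - len(data) % 64) % 64)    # zero pad to 56 mod 64
    data += struct.pack("<Q", bit_len)                # little-endian bit length

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                           # round 1: F, words in order
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: G, column order
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c                   # round 3: H, bit-reversed order
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in AD: MD4 over the UTF-16LE encoding, no salt."""
    return md4(password.encode("utf-16-le"))


def parse_getpassword_ldif(text: str) -> dict:
    """Map account CN -> raw 16-byte NT hash, from LDIF of the assumed shape."""
    accounts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn:"):
            current = line.split("CN=", 1)[1].split(",", 1)[0]   # first CN component
        elif line.startswith("unicodePwd::") and current:
            accounts[current] = base64.b64decode(line.split("::", 1)[1].strip())
    return accounts


def find_weak_accounts(ldif_text: str, bad_passwords) -> dict:
    """Return {account: matching bad password}; pure hash comparison, no logon."""
    lookup = {nt_hash(p): p for p in bad_passwords}   # hash the wordlist once
    stored = parse_getpassword_ldif(ldif_text)
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# CONSTRUCTED sample in the assumed `samba-tool user getpassword` LDIF shape.
# alice's value is NT("password"), bob's is NT("") (empty password), carol's is
# an arbitrary 16-byte value that matches nothing in the list.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
unicodePwd:: iEb36u6PsRetBr3YMLdYbA==

dn: CN=bob,CN=Users,DC=example,DC=test
unicodePwd:: MdbP4NFq6TG3PFnX4MCJwA==

dn: CN=carol,CN=Users,DC=example,DC=test
unicodePwd:: AQIDBAUGBwgJCgsMDQ4PEA==
"""

# The two strings quoted in the thread plus two constructed entries.
BAD_PASSWORDS = ["123321", "1q2w3e", "password", ""]

if __name__ == "__main__":
    for user, pw in find_weak_accounts(SAMPLE_LDIF, BAD_PASSWORDS).items():
        shown = "<empty>" if pw == "" else pw
        print(f"{user}: matches known-bad password {shown!r}; consider disabling")
```

In practice the LDIF would come from running the assumed `samba-tool` command per account (or once per user from a loop over `samba-tool user list`) and feeding the concatenated output to `find_weak_accounts`; the matched accounts are the ones to disable or force through a password change, and the wordlist can be grown to whatever the botnet is observed trying in the IMAP logs.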