I am receiving a lot of penetration attempts from a huge list of proxies to the Dovecot service
like the following:
2014-01-31 11:43:49 dovecot_login authenticator failed for 68-188-72-60.static.stls_mo-charter_com (192.168.2.33) [68.188.72.60]:3868: 535 Incorrect authentication data (set_id=jacqueline)
This happens all the time, for the moment with only a single attacker, and as you can see there is an internal IP address 192.168.2.33 associated with the proxies, which cannot be blocked.
Suggested solution: block all IP addresses connected to the same internal address that have tried unsuccessfully to log in after some time. Keep in mind that these are distributed attacks.
Another solution would be to filter MAC addresses, entering them after some analysis, with the same criteria as for internal addresses. This would be possible for those protocols where MAC addresses can be obtained.
To FILTER MAC addresses and/or Internal IP addresses
Re: To FILTER MAC addresses and/or Internal IP addresses
The only way for CSF is to block IPs, not MAC addresses. In your error the IP to block is the one where the connection started: 68.188.72.60
Now, you will have a lot of IPs that are generating those errors. To see them, go to SEARCH SYSTEM LOGS in your CSF and enter the phrase:
535 Incorrect authentication data
Chances are that you will see a lot of lines with many login attempts, a lot of them with words like "access, accounting, acer, adm, admin, advent, advertising, apple, asus, avahi".
You can create a rule in CSF to block for this; add the rule in regex.custom.pm.
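As an added example (not from either of the posts above), this is what such a rule in /etc/csf/regex.custom.pm could look like for the log line quoted in the first post. The line is written by Exim's dovecot authenticator: the value in parentheses (192.168.2.33) is the HELO name the client sent, which is just a string chosen by the attacker, while the address in square brackets is the real connecting IP, so that is what the rule captures. It assumes CUSTOM1_LOG in csf.conf points at the Exim main log (for example /var/log/exim_mainlog); the rule id "eximdovecot", the trigger count of 5, the "*" (all ports) and the 3600 second temporary block are illustrative choices, not values from the thread.

```perl
# Added example rule for /etc/csf/regex.custom.pm (not from the original posts).
# Matches lines such as:
#   2014-01-31 11:43:49 dovecot_login authenticator failed for host (helo) [68.188.72.60]:3868: 535 Incorrect authentication data (set_id=jacqueline)
# Assumption: CUSTOM1_LOG in csf.conf is set to the Exim main log.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and
    ($line =~ /^\S+\s+\S+\s+dovecot_\w+ authenticator failed for (?:\S+ )?(?:\(\S+\) )?\[([\d.a-fA-F:]+)\]:\d+: 535 Incorrect authentication data/)) {
	# ^\S+\s+\S+\s+        date and time at the start of the Exim log line
	# dovecot_\w+          dovecot_login, dovecot_plain, ... whichever authenticator is configured
	# (?:\S+ )?            optional reverse-DNS host name (absent when lookup fails)
	# (?:\(\S+\) )?        optional HELO name in parentheses; deliberately NOT captured
	# \[( ... )\]:\d+      the connecting IP (v4 or v6) and source port; $1 is the IP
	#
	# return: iptables comment, IP to block, unique rule id (alphanumeric, no spaces),
	#         failures before blocking, ports to block ("*" = all), block duration in seconds
	return ("Failed Dovecot login via Exim from",$1,"eximdovecot","5","*","3600");
}
```

After saving the file, restart csf and lfd with `csf -ra` so lfd picks up the new rule. Because lfd counts matches per captured IP, each proxy in the list is blocked on its own once it reaches the trigger count, regardless of what HELO name (the "internal address") it presents.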