Since quite a few days the typical brute-force of botnets trying to guess login details on my mail server are quite active again. Fresh food for my blocklists
-
Jan Wildeboer 😷 :krulorange: wrote, last edited by [email protected]
Since quite a few days the typical brute-force of botnets trying to guess login details on my mail server are quite active again. Fresh food for my blocklists
-
Jan Wildeboer 😷 :krulorange: replied to Jan Wildeboer 😷 :krulorange:, last edited by [email protected]
They typically try once every 24-96 hours and hope that they don't trigger some limit and stay undetected that way. I block on sight for 1 year after the first try.
-
Tim Lavoie replied to Jan Wildeboer 😷 :krulorange:
@jwildeboer Oh, I should do that. I block on 12 hours after a single attempt, but they do come back (slowly).
-
Jan Wildeboer 😷 :krulorange: replied to Tim Lavoie
@tim_lavoie It's typically botnets, using thousands of different IP addresses of infected (Windows) machines and collecting results centrally. Quite the smart approach, as in most cases this stays below the detection level, so they can test millions of passwords in a relatively short time period. Blocking on sight for a long time has worked remarkably well on my server.
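To make the point concrete, here is an added example (not code from the thread or from any of its participants) that runs two ban policies over a constructed, Dovecot-like auth-failure log: a fail2ban-style threshold (assumed maxretry=5 within findtime=10 min, 12 h ban, as in Tim's setup) and the block-on-sight policy with a 365-day ban described above. The low-and-slow IP that fails once every day or two never trips the threshold but is caught on first sight; the log format, IPs and parameters are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges); not real server output.
SAMPLE_LOG = """\
2024-05-01 02:14:07 auth failed user=alice rip=203.0.113.7
2024-05-02 11:40:51 auth failed user=alice rip=203.0.113.7
2024-05-04 19:03:12 auth failed user=bob rip=203.0.113.7
2024-05-01 02:14:09 auth failed user=alice rip=198.51.100.23
2024-05-01 02:14:10 auth failed user=alice rip=198.51.100.23
2024-05-01 02:14:11 auth failed user=alice rip=198.51.100.23
2024-05-01 02:14:12 auth failed user=alice rip=198.51.100.23
2024-05-01 02:14:13 auth failed user=alice rip=198.51.100.23
"""

# Assumed line shape: "<date> <time> auth failed user=<u> rip=<remote ip>"
LINE_RE = re.compile(r"^(\S+ \S+) auth failed user=\S+ rip=(\S+)$")


def parse(log):
    """Return (timestamp, ip) tuples for every auth failure, in time order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)


def threshold_bans(events, maxretry=5, findtime=timedelta(minutes=10),
                   bantime=timedelta(hours=12)):
    """fail2ban-style: ban an IP once maxretry failures fall inside findtime.
    Returns {ip: ban expiry}. Failures spaced days apart never accumulate."""
    recent, bans = {}, {}
    for ts, ip in events:
        if ip in bans:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
    return bans


def block_on_sight(events, bantime=timedelta(days=365)):
    """Ban every IP on its first failure; expiry is bantime after first sighting."""
    bans = {}
    for ts, ip in events:
        bans.setdefault(ip, ts + bantime)
    return bans
```

Running both over `parse(SAMPLE_LOG)` bans only the fast IP under the threshold policy, while block-on-sight bans both; a long bantime is what stops the slow IP from simply returning after the short ban expires.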
-
ⅇⅆⅈ replied to Jan Wildeboer 😷 :krulorange:
@jwildeboer
Same here.
Do you think it helps to exchange blocklists?
-
Jan Wildeboer 😷 :krulorange: replied to ⅇⅆⅈ
@edi It's why I use https://www.crowdsec.net on my public servers. Every blocked IP gets collected by them and distributed to others (it's open source and you can use it for free).
-
Jan Wildeboer 😷 :krulorange: replied to Jan Wildeboer 😷 :krulorange:, last edited by [email protected]
@edi Just FYI: with crowdsec my mailserver is currently blocking almost 50K IP addresses collected by the community with almost no performance impact. It replaced fail2ban for me and I don't regret the switch.