[Samba] check accounts for known bad passwords

mj lists at merit.unu.edu
Fri Jul 21 13:35:06 UTC 2017


Hi Louis,

Thanks for your message, and it seems we are doing pretty similar 
things. Yesterday evening I implemented the geo-ip blocking you 
mentioned, and I even followed the same page as you pointed out, btw :-)

This worked out _very_ well. Blocked several countries, and this 
basically stopped the attacks.

For the spam / virus filtering: this is also done on the UTM, with all 
kinds of sophos intelligence, and it's working very well, no complaints 
there.

I also implemented this: https://github.com/trick77/ipset-blacklist 
perhaps you'll find it interesting too.

I also run (and already ran) fail2ban, yes, but I also implemented some 
specific rules to match those passwords the botnet likes to try, and 
those are blocked immediately, and permanently.

(those rules are running next to the regular config, where users can try 
three times and are unbanned after 10 minutes)

But since the geo-ip blocking is in place, we don't get them anymore.

Anyway, thanks for the tips!

MJ

On 07/21/2017 09:32 AM, L.P.H. van Belle via samba wrote:
> Hai M-J,
> 
> Bit off topic for samba, but handy to know.
> Ah, yes, did not know that site, handy also.
> 
> I use iptables, ipset, geoip, fail2ban and ufw combined.
> Bits of these combined:
> http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip
> https://www.dghost.com/techno/internet/banning-an-entire-country-with-iptablesipset
> https://tipstricks.itmatrix.eu/blocking-all-traffic-from-individual-countries-using-ipset-and-iptables/
> 
> My setup is as follows:
> 
> Ufw and geoip for country blocking and regular rules.
> For example, ports 25/80/443 open for the world, all others are restricted to countries (where possible).
> 
> Fail2ban monitors a service's logs; on abuse, > 1 day block. (I use ipset here.)
> Why 1 day? Spammers often return within a day, so if they do that they extend the block by a day.
> The use of ipset, I do that here because of the amount of blocks I have.
> Normally, about 1500 IPs are blocked daily, and it's better to have this in ipset than iptables.
> It's faster in the hash tables and can handle up to about 65k rules.
> 
> I do this for example on my mail relay/antispam.
> CPU load dropped about 20%, spam mail getting through dropped about 80%,
> from 10k mails through the antispam back to about 1.5k.
> Also due to the good use of postfix/postscreen.
> 
> If you need more tips, you can pm me ;-)
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
>> Sent: Thursday 20 July 2017 17:23
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] check accounts for known bad passwords
>>
>> Hi,
>>
>> Yes it seems we are interesting.
>>
>> Following your advice, I have just started blocking whole
>> countries, based on info found here:
>>
>> https://www.iplocation.net/
>>
>> (started with China, and now also Venezuela, the Koreas,
>> Sudan, Indonesia and India.)
>>
>> That seems to help astonishingly well, thanks!
>>
>> MJ
>>
>> On 07/20/2017 04:19 PM, L.P.H. van Belle via samba wrote:
>>> Hai M-J.
>>>
>>> Still under attack...
>>>
>>> A better thing, maybe, if possible for you:
>>> restrict IMAP/POP ports to only allow IPs from the Netherlands
>>> through your firewall.
>>>
>>> Now, if they are coming from within your own country, that
>>> makes it much easier to take legal steps.
>>>
>>> Do you have one attacker IP for me? I'll do some checks.
>>>
>>> And i found this:
>>> https://www.mylinuxplace.com/samba-password-complexity-check/
>>> I just don't know if that will work for you; you'll have to try it out.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> mj via samba
>>>> Sent: Thursday 20 July 2017 15:52
>>>> To: samba
>>>> Subject: [Samba] check accounts for known bad passwords
>>>>
>>>> Hi,
>>>>
>>>> Does anyone know of a script of some sort, or a way, to check my samba
>>>> accounts for known bad passwords, such as "123321", "1q2w3e", and
>>>> such?
>>>>
>>>> We are currently the target of a botnet, trying out those easy
>>>> passwords on our imap server. While many (all?) of our users have
>>>> good complex passwords, I am not 100% sure about
>>>> *all* of them. If possible I'd like to disable their
>>>> accounts, in the case of such bad passwords.
>>>>
>>>> It would be good if such a snippet would bypass the
>>>> bad_password_count policies, etc, so that I could scan accounts
>>>> without them becoming locked due to too many failed passwords.
>>>>
>>>> Anyone with an idea how to do this?
>>>>
>>>> MJ
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>>
>>
>>
> 
> 

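The original question in this thread, checking Samba accounts for known bad passwords without tripping bad_password_count, can be answered entirely offline: Samba stores the NT hash (MD4 over the UTF-16LE password), so hashing a wordlist and comparing against an exported hash dump never performs an authentication and therefore never increments any lockout counter. The script below is an added example for this thread, not code from the Samba project or from either list member. It assumes the hashes were exported with `pdbedit -L -w` on a classic (non-AD) Samba server, whose smbpasswd-style lines look like `user:uid:LMHASH:NTHASH:[flags]:LCT-...`; the sample dump is constructed at runtime from that assumed format, the wordlist is made up from the passwords named in the thread, and MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3 without the legacy provider.

```python
"""Offline audit of Samba NT hashes against known-bad passwords.

Added example, not Samba project code. Assumes a `pdbedit -L -w` style
export (field 4 = NT hash, field 5 = account flags). Nothing here talks
to Samba, so bad_password_count / lockout policies are never touched.
"""
import struct

MASK32 = 0xFFFFFFFF

# Wordlist constructed from the passwords mentioned in the thread plus a
# few classics; in practice feed it a real leaked-password list.
BAD_PASSWORDS = ["123321", "1q2w3e", "password", "123456", "qwerty", "welkom01"]


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), little-endian words, 16-byte digest."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    r2_k = [(i % 4) * 4 + i // 4 for i in range(16)]          # 0,4,8,12,1,5,...
    r3_k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rol((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = _rol((a + g(b, c, d) + x[r2_k[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = _rol((a + h(b, c, d) + x[r3_k[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pdbedit_dump(text: str) -> dict:
    """Map username -> lowercase NT hash from `pdbedit -L -w` lines.

    Accounts whose flags contain 'D' are already disabled and are skipped.
    """
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0] or fields[0].startswith("#"):
            continue
        if len(fields) > 4 and "D" in fields[4]:
            continue
        users[fields[0]] = fields[3].lower()
    return users


def find_bad_passwords(users: dict, wordlist) -> dict:
    """Return {user: matching_bad_password}; a dict lookup per account, no auth."""
    table = {nt_hash(w): w for w in wordlist}
    return {u: table[h] for u, h in users.items() if h in table}


def audit(dump_text: str, wordlist) -> dict:
    return find_bad_passwords(parse_pdbedit_dump(dump_text), wordlist)


def sample_dump() -> str:
    """Constructed sample in the assumed pdbedit -L -w format; not a real export."""
    lm_empty = "AAD3B435B51404EEAAD3B435B51404EE"   # LM hash of "" (LM disabled)
    rows = [
        ("alice", 1001, "password", "[U          ]"),
        ("bob", 1002, "1q2w3e", "[U          ]"),
        ("carol", 1003, "Xq7!vZ2p-rLm#9", "[U          ]"),
        ("dave", 1004, "123321", "[UD         ]"),   # already disabled
    ]
    return "\n".join(f"{u}:{uid}:{lm_empty}:{nt_hash(p).upper()}:{fl}:LCT-00000000:"
                     for u, uid, p, fl in rows)


if __name__ == "__main__":
    for user, pw in sorted(audit(sample_dump(), BAD_PASSWORDS).items()):
        print(f"{user}: known-bad password {pw!r}")
```

Run on a real export, treat the dump as credential material (it is equivalent to the passwords for NTLM), and disable each hit with pdbedit's account-control flag (`pdbedit -u USER -c "[D]"`) before asking the user for a new password. For a Samba AD DC the same NT hash can be pulled as base64 via `samba-tool user getpassword USER --attributes unicodePwd` (assumed syntax); only the parser needs to change, the comparison stays the same. The check only finds passwords that are in your wordlist, so the size of the list, not the cleverness of the code, decides what you catch.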

