Protect your IBM Lotus Domino Server against brute force attacks on non-HTTP ports
01/30/2009 10:30 AM
I am sure you are familiar with Internet Password Lockout, which was added in version 8. It's a nice feature that everybody running a Domino server reachable from the whole Internet likes to use. Unfortunately this feature works for HTTP and HTTPS only. If you use authenticated SMTP, for example to allow some mobile users to relay emails, there is no protection, and the console log fills with lines like these:

01/23/2009 19:50:37 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:38 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:39 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:40 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:41 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140

# Domino format [01/23/2006 09:22:55]
# fail2ban's DateDetector does not know this timestamp format out of the box, so a
# template for it is added to the template list built in DateDetector.__init__
# (server/datedetector.py in the fail2ban 0.8 series).
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)

# Fail2Ban configuration file
#
# Author: Christian A. Brandlehner
#
# $Revision: 001 $
#
# Save this as domino-smtp.conf in fail2ban's filter.d directory; the jail
# below refers to it as "filter = domino-smtp".
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Sample log entry
# 01/23/2009 19:54:51 SMTP Server: Authentication failed for user bd ; connecting host 125.120.107.140
#
failregex = .* SMTP Server: Authentication failed for user .* connecting host <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

# Jail definition (goes into jail.conf or jail.local). The console.log path is the
# one used on the author's server; adjust it to your Domino data directory.
[domino-smtp]
# Note: make sure you have console logging enabled. If not, issue "start consolelog" on the Domino console.
enabled = true
port = smtp,465
protocol = tcp
filter = domino-smtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

2009-01-30 09:56:14,216 fail2ban.actions: WARNING [domino-smtp] Ban 90.152.223.221
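To check the filter against Domino's log format before rolling it out, here is an added example (not from the original post and not fail2ban's own code) that expands the <HOST> tag the way fail2ban does, applies the failregex and the date template above to a constructed console.log excerpt, and counts failures per host the way a jail with maxretry and findtime would. The sample log lines, the "SMTP Server: Started" line and the host 10.0.0.9 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag in a failregex to this named group
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# the failregex from the filter above and the Domino timestamp template
FAILREGEX = r".* SMTP Server: Authentication failed for user .* connecting host <HOST>"
DATE_REGEX = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_PATTERN = "%m/%d/%Y %H:%M:%S"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

def parse_line(line):
    """Return (timestamp, host) for a matching console.log line, else None."""
    m = FAIL_RE.search(line)
    d = DATE_REGEX.search(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(0), DATE_PATTERN), m.group("host")

def find_bans(lines, maxretry=3, findtime=600):
    """Hosts reaching maxretry matches inside a findtime-second sliding window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue
        ts, host = parsed
        # drop failures that have aged out of the window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

# constructed sample console.log excerpt: a fast attacker and a slow, legitimate
# user who mistypes a password every half hour (never three inside 600 seconds)
SAMPLE_LOG = """\
01/23/2009 19:00:00 SMTP Server: Authentication failed for user bob ; connecting host 10.0.0.9
01/23/2009 19:30:00 SMTP Server: Authentication failed for user bob ; connecting host 10.0.0.9
01/23/2009 19:50:36 SMTP Server: Started
01/23/2009 19:50:37 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:38 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:39 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 20:00:00 SMTP Server: Authentication failed for user bob ; connecting host 10.0.0.9
"""
if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG.splitlines()))  # ['125.120.107.140']
```

Widening findtime to two hours would also catch the slow user, which is the trade-off the discussion below turns on.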
1. Ninke Westra, 01/30/2009 12:28:01
Homepage: http://woonjas.linuxnerd.org
Thanks. I've been meaning to look into setting up something like that for a while, you just saved me some time.
2. Oliver Regelmann, 01/30/2009 14:25:22
Homepage: http://regelmann.ch
There are some resources on the web describing how to fight brute force attacks with iptables itself, without having to use fail2ban. AFAIK they just limit the number of new connections to a specific port within a specific time. Wouldn't this be enough?
3. Gallant, 02/02/2009 03:18:41
Homepage: http://www.gallantgifts.com
Excellent information.
Thanks...
We are working on getting our site mobile ready.
4. Christian Brandlehner, 02/03/2009 18:23:26
Homepage: http://chris.brandlehner.at
@2: Restricting IPs based on the number of connections may work but seems to be much more complex and hard to configure, as it is hard to tell how many connections per second are normal and which number exceeds normal. You may accidentally block the Google spider while you do not block an attacker who does a slow brute force attack staying below your threshold.
I would see connections-per-time based blocking as an additional feature to prevent downtime caused by a distributed denial of service attack where you are facing lots of IPs per port.
5. Andrew Pollack, 06/22/2009 14:46:21
Homepage: http://www.thenorth.com/apblog
Nice solution.
6. Evan Swans, 07/04/2009 19:14:24
Homepage: http://systoolssoftware.wordpress.com
Can we use a similar solution for Windows? We are struggling with Windows.
7. Christian Brandlehner, 07/06/2009 09:26:43
Homepage: http://chris.brandlehner.at
@6: I never saw anybody control the Windows Firewall using a scripting engine, not sure if it's possible. If you find a solution, please let me know.