Extra security question

Turtle

So this is not a critical problem, and quite frankly its ok for this to happen.

Im running mailcow and in netfilter i notice a few things. It works very good, its good and blocks. But i wondered how one would defend from Distributed Brute Force Attack, like if a botnet tries to guess both username and password from “193.1.234.1” but then try again with “193.1.234.2”. And if it keeps going like this it has as many tries as you allow for each ip which sometimes can be a few or it can be a large amount. The problem is that itrs not possible to directly (from what i know) use logic to detect subnet attacks from botnets. So my question is if there are any ways of mitigating this in terms of security and perfomance.

As said this is in a way fixed by the way it bans a subnet from one ip ban but you know what i mean.

Thank you!

D4niel

You can mitigate this by using strong passwords and 2FA. Netfilter is made to weaken those attacks, not prevent them entirely.
If you’re looking for another technical solution you can checkout tools like Crowdsec. There are some posts about it on the forum.

Netfilter is able to block subnets btw: https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-netfilter/

Turtle

D4niel Thank you for the answer. I know about Crowdsec yes, they are good. And yes using a strong password and especially using 2FA will near mitigate it. But i do see an opprertunity to atleast weaken the attacks more. This was not a way for me to attack i just wanted to know if there would be any way it could be a little better, with a slight tweak

Thank you for your answer

Edit: when i think about it now the subnet thing was exactly what i kinda meant, just change it to /24 and were good

ETNyx

This is double edge sword, blocking /24 can crossfire and block legit traffic easy, imagine what will happen when one of your users block him/her self using mobile network or small ISP,…

Turtle

ETNyx Yes i get that, but the thing is as of now im the only one using it, and so for me it benefits. And also, when blocking /24 you could increase the amount of acceptable password attemts to be able to allow a little more room for a good amount of more security. In the same sense one could send a sms or notify the admin of some sort to be able to reset the block, or in worst case have a failsafe like a code that can be typed to be able to get in either way. But thank you for your answer!

ETNyx

Sure, if you are solo user, life is much easier, go for it :-)

disgustipated

you might want to explore putting some sort of firewall or network appliance in front of your mail server that can handle things like this. a firewall like pfsense, while there is a learning curve, can utilize lists pulled from other sources that maintain block lists from suspect IP addresses. there are services like snort and pfblockerng which will automatically block IPs which are known troublemakers and botnets.