Good morning,
I use Dovecot as an IMAP server and I have a few users (association/company) who share an IP… I have had cases where the “dovecot-spam” scenario https://app.crowdsec.net/hub/author/crowdsecurity/configurations/dovecot-spam is triggered, rightly, because an email client had a poorly configured mailbox (bad password) and/or a password was changed, and by the time that is updated on the mail client it’s already too late, the IP is blacklisted… And when it’s blacklisted, all the other users of the entity (who use the same IP) are blocked.
To avoid this I would like to create a dynamic whitelist: when Dovecot authentication is successful, we add that IP to the whitelist for ~24 hours.
I think I managed to write the parser for that:
onsuccess: next_stage
filter: "evt.Parsed.program == 'dovecot'"
name: crowdsecurity/dovecot-auth-parser
description: "Parse dovecot logs"
pattern_syntax:
  DOVECOT_SUCCESS_LOGIN: 'imap-login: Login: user=<%{EMAILADDRESS:email}>, method=%{WORD:method}, rip=%{IPV4:source_ip}'
nodes:
  - grok:
      name: "DOVECOT_SUCCESS_LOGIN"
      apply_on: message
statics:
  - meta: log_type
    # was "dovecot_auth_succcess" (typo); the value must match the whitelist/scenario expression
    value: dovecot_auth_success
  - meta: source_ip
    # expose the IP in Meta so a scenario can groupby evt.Meta.source_ip
    expression: evt.Parsed.source_ip
It works (I followed the docs to create a test environment: Creating parsers | CrowdSec) and here is the result:
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "imap-login: Login: user=<user@domaine.com>, method=PLAIN, rip=X.Y.124.127, lip=A.B.A.B, mpid=2191284, TLS, session=<XkY34nwc5MGfRXx/>"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["method"] == "PLAIN"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "dovecot"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "X.Y.124.127"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jul 5 11:42:37"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "myservice-logs.log"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "dovecot_auth_succcess"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "master"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-07-05T11:42:37Z"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-07-05T11:42:37Z"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
But I can’t understand/work out where to create my whitelist, whether it’s in parsers/s02-enrich:
name: crowdsecurity/whitelists-dovecot
description: "Whitelist dovecot"
whitelist:
  reason: "Dovecot login success"
  expression:
    - "evt.Meta.log_type == 'dovecot_auth_success'"
Or if it’s more of a scenario:
name: crowdsecurity/dovecot-whitelist
description: "Automatically whitelist IPs based on successful authentication"
filter: "evt.Meta.log_type == 'dovecot_auth_success'"
groupby: evt.Meta.source_ip
whitelist:
  reason: "Successful authentication"
  duration: 24h
Neither seems to have any effect (and/or I don’t know how to consult the whitelist…). I tell myself that if it’s a scenario it should be visible in “cscli alerts”, but if it’s in the parser, how do I know which IPs are whitelisted?
Thanks for your help,
David
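The behaviour the post is after (a successful login puts the source IP on a whitelist for 24 hours, and while it is there, that IP's failed logins no longer count towards a ban) can be modelled stand-alone. The Python below is an added example, not the poster's configuration and not CrowdSec's own implementation: it re-implements the DOVECOT_SUCCESS_LOGIN pattern as a regex, adds an assumed failure pattern modelled on Dovecot's "auth failed" disconnect line, keeps an explicit per-IP expiry (the `duration` the scenario draft asks for), and replays constructed log events through a simplified "N failures in a window" ban bucket. The threshold, window, IPs and log lines are all constructed; `active()` answers the "how do I list the whitelisted IPs" question for this model.

```python
import re
from datetime import datetime, timedelta

# Regex equivalents of the grok patterns. SUCCESS_RE mirrors DOVECOT_SUCCESS_LOGIN
# from the parser above; FAILURE_RE is an assumption modelled on Dovecot's
# "Disconnected (auth failed ...)" line and is not taken from the post.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SUCCESS_RE = re.compile(
    rf"imap-login: Login: user=<(?P<email>[^>]+)>, method=(?P<method>\w+), rip=(?P<source_ip>{IPV4})"
)
FAILURE_RE = re.compile(
    rf"imap-login: Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    rf"user=<(?P<email>[^>]*)>, method=(?P<method>\w+), rip=(?P<source_ip>{IPV4})"
)


def parse_line(message):
    """Return (log_type, source_ip), like the parser's statics would, or None."""
    m = SUCCESS_RE.search(message)
    if m:
        return "dovecot_auth_success", m.group("source_ip")
    m = FAILURE_RE.search(message)
    if m:
        return "dovecot_auth_failure", m.group("source_ip")
    return None


class DynamicWhitelist:
    """Maps IP -> expiry time; every successful login refreshes the entry."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self._expiry = {}

    def add(self, ip, now):
        self._expiry[ip] = now + self.ttl

    def contains(self, ip, now):
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:  # lazily drop entries older than the TTL
            del self._expiry[ip]
            return False
        return True

    def active(self, now):
        """IPs currently whitelisted (the 'cscli'-style listing this model offers)."""
        return sorted(ip for ip in list(self._expiry) if self.contains(ip, now))


def replay(events, threshold=5, window=timedelta(minutes=10), ttl=timedelta(hours=24)):
    """Replay (timestamp, message) pairs; failures from a whitelisted IP are ignored."""
    wl = DynamicWhitelist(ttl)
    failures = {}  # ip -> timestamps of failures inside the sliding window
    banned = []
    for ts, message in events:
        parsed = parse_line(message)
        if parsed is None:
            continue
        log_type, ip = parsed
        if log_type == "dovecot_auth_success":
            wl.add(ip, ts)          # whitelist for `ttl` from this login
            failures.pop(ip, None)  # a real login also clears the failure bucket
            continue
        if wl.contains(ip, ts):
            continue                # whitelisted event: does not feed the bucket
        recent = [t for t in failures.get(ip, []) if ts - t <= window]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= threshold and ip not in banned:
            banned.append(ip)
    last = events[-1][0] if events else datetime.min
    return {"banned": banned, "whitelisted": wl.active(last)}


# Constructed sample events (RFC 5737 documentation addresses, not real traffic).
T0 = datetime(2024, 7, 5, 11, 42, 37)


def _ok(ip, user="someone@example.com"):
    return f"imap-login: Login: user=<{user}>, method=PLAIN, rip={ip}, lip=10.0.0.1, mpid=1, TLS, session=<x>"


def _fail(ip, user="someone@example.com"):
    return f"imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={ip}, lip=10.0.0.1, TLS"


SAMPLE_EVENTS = (
    [(T0, _ok("203.0.113.10"))]                                                        # shared office IP logs in
    + [(T0 + timedelta(minutes=1, seconds=i), _fail("203.0.113.10")) for i in range(8)]  # a misconfigured client
    + [(T0 + timedelta(minutes=2, seconds=i), _fail("198.51.100.7")) for i in range(5)]  # unknown IP, never logged in
    + [(T0 + timedelta(hours=25, seconds=i), _fail("203.0.113.10")) for i in range(5)]   # after the 24h TTL expired
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Replaying the first nine events (the login plus the eight failures a minute later) bans nothing and lists 203.0.113.10 as whitelisted; replaying everything bans 198.51.100.7, and also 203.0.113.10 once its entry has lapsed 25 hours later, which is the expiry edge case a 24-hour whitelist has to handle.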