[Dovecot] limiting number of login attempts from same ip
Nikolaos Milas
nmilas at noa.gr
Thu Jun 16 13:12:15 EEST 2011
On 16/6/2011 12:34 πμ, Ed W wrote:
> I don't see why fail2ban would have anything to do with ipv6 since it
> simply runs a script when something needs doing? Just adapt your script?
> Not having tried it, but possibly the regexps need tweaking also?
Thanks Ed. You could be right. It could work, *if* fail2ban engine does
not do any particular internal processing with IP addresses in order to
implement the rules logic (which I doubt; for example, when it adds
iptables rules, it refers to ip address as <ip> - see below). In the
official fail2ban site:
http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6,
we don't see any solution related to IPv6.
If it's feasible, I wonder why we can't find anything about that in the
Internet or in fail2ban site. No one has done it yet? On the contrary,
we can find ample "complaints" that fail2ban won't work with IPv6.
Nowhere can we find ipv6 "filters" and "actions" for fail2ban. If
someone (has time and) is sufficiently competent with
iptables/ip6tables, then he could try to prepare such actions (and
create filters with regex expressions to catch ipv6 events from logs
too) and then give it a try.
For example, one could then add in jail.conf (after creating
dovecot-pop3imap-ipv6.conf and ip6tables-multiport.conf):
[dovecot-pop3imap-ipv6]
enabled = true
filter = dovecot-pop3imap-ipv6
action = ip6tables-multiport[name=dovecot-pop3imap,
port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/dovecot.log
maxretry = 10
findtime = 600
bantime = 1800
My guess is that fail2ban engine must be extended to "understand" ipv6
addresses and handle ip6tables appropriately.
> On a related note, recent kernels (and old kernels can build a module)
> implement "ipset". This is a way to implement a named hash of
> IPs/Ports/MACs, etc. The point is to use a single iptables rule to do
> something with your ipset, then you have the ability to dynamically
> alter the ipset as you will without needing to reload iptables rules
It sounds interesting. I'll take a look on it, when I have time. Still,
one would have to update fail2ban (and/or other software) to use ipset
instead of standard iptables (which will take at least some effort).
> (I believe that iptables is still unable to be altered dynamically? Each
> time you *think* you are inserting a rule, actually you are dropping the
> entire ruleset, then reinserting the entire new ruleset with one extra
> rule. This creates a window of opportunity each time you innocently
> insert a new rule. Further it explains the O(n^2) speed of running
> "iptables -A" or similar)
Actually, iptables can be altered dynamically; For example, the
iptables-multiport action does:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
"iptables -A" runs only when fail2ban starts.
Nick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6762 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20110616/99f12f35/attachment-0001.bin>
More information about the dovecot
mailing list