[Dovecot] Logging passwords on auth failure/dealing with botnets
/dev/rob0
rob0 at gmx.co.uk
Thu Aug 22 19:45:03 EEST 2013
On Thu, Aug 22, 2013 at 04:16:51PM +0000, Michael Smith (DF) wrote:
> Or another option, is there any good DNS based RBLs for botnet IPs,
> and is there any way to tie that in to the dovecot auth system?
> I've been looking for botnet rbls, but what I've found so far
> doesn't seem to work very well. Most of the IPs that I've had to
> firewall don't exist in them.
I guess I would first have tried Spamhaus XBL, but I guess you
checked that already.
The problem with using XBL, anyway, is that you might have legitimate
logins from listed hosts. Example: a traveler using hotel wifi. We
(TINW) really would need a new DNSBL type (or a special result) for
this sort of abuse.
It's a nice idea, worth building upon, if someone can fund it (or
find the time to develop it, which really amounts to the same thing.)
Imagine also a Dovecot network of reporters, where brute force
attempts worldwide are reported from Dovecots to the DNSBL, not
merely a one-way tie-in.
I'd also suggest listing SSH brute force attacks in the same DNSBL,
possibly with a different result (127.0.0.$port, so IMAP attackers
list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to
incorporate the third quad for ports > 255, but the general idea is
for result codes to be both machine and human readable as much as
possible.)
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
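An added example, not code from this thread or from Dovecot, of the port-encoded result scheme sketched above: it builds the reversed-octet DNSBL query name for a client address, encodes the attacked service's port into a 127.0.X.Y answer (IMAP 143 to 127.0.0.143, SSH 22 to 127.0.0.22, with the third octet carrying the high byte for ports above 255), and decodes such answers back. The zone name bl.example.net, the 192.0.2.10 client address and the small port table are constructed placeholders, and no actual DNS lookup is performed.

```python
import ipaddress

# Constructed sample table of service ports this hypothetical DNSBL reports.
SERVICE_PORTS = {22: "ssh", 110: "pop3", 143: "imap", 587: "submission"}


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: client octets reversed, then the zone."""
    ip = ipaddress.IPv4Address(client_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def encode_result(port: int) -> str:
    """Map an attacked service port to a 127.0.X.Y result address.

    Ports up to 255 land in the fourth octet (127.0.0.143 for IMAP);
    larger ports spill their high byte into the third octet, so 587
    becomes 127.0.2.75, which stays readable with a little arithmetic.
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"127.0.{port >> 8}.{port & 0xFF}"


def decode_result(result_ip: str) -> int:
    """Recover the port from a result address in the 127.0.X.Y scheme."""
    octets = ipaddress.IPv4Address(result_ip).packed
    if octets[0] != 127 or octets[1] != 0:
        raise ValueError("not a result address in the 127.0.X.Y scheme")
    return (octets[2] << 8) | octets[3]


def classify_answers(answers: list[str]) -> dict[int, str]:
    """Turn the A records returned for a listed host into {port: service}.

    Unknown ports are kept with a generic label so a new listing type
    from the DNSBL operator is never silently dropped.
    """
    result = {}
    for answer in answers:
        port = decode_result(answer)
        result[port] = SERVICE_PORTS.get(port, f"port-{port}")
    return result


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "bl.example.net"))
    # Constructed answers: host was seen attacking IMAP and SSH.
    print(classify_answers(["127.0.0.143", "127.0.0.22"]))
```

A consumer such as a login policy hook could then treat a listing for the IMAP port differently from one for SSH, which is exactly the machine-readable distinction the post asks for.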