[Dovecot] Logging passwords on auth failure/dealing with botnets

Joseph Tam jtam.home at gmail.com
Fri Aug 23 07:30:27 EEST 2013


"Michael Smith (DF)" writes:

> Or another option, is there any good DNS based RBLs for botnet IPs, and
> is there any way to tie that in to the dovecot auth system? I've been
> looking for botnet rbls, but what I've found so far doesn't seem to
> work very well.  Most of the IPs that I've had to firewall don't exist
> in them.

/dev/rob0 writes:

> The problem with using XBL, anyway, is that you might have legitimate
> logins from listed hosts. Example: a traveler using hotel wifi. We
> (TINW) really would need a new DNSBL type (or a special result) for
> this sort of abuse.
>
> It's a nice idea, worth building upon, if someone can fund it (or
> find the time to develop it, which really amounts to the same thing.)
> Imagine also a Dovecot network of reporters, where brute force
> attempts worldwide are reported from Dovecots to the DNSBL, not
> merely a one-way tie in.
>
> I'd also suggest listing SSH brute force attacks in the same DNSBL,
> possibly with a different result (127.0.0.$port, so IMAP attackers
> list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to
> incorporate the third quad for ports > 255, but the general idea is
> for result codes to be both machine and human readable as much as
> possible.)

I use bl.blocklist.de as a DNSRBL for ssh BFD, but I think it also
detects BFD for other protocols:

	http://www.blocklist.de/en/index.html

The nice thing about this RBL is that you can also contribute by
configuring your Fail2Ban/DenyHost to forward logs to the maintainers,
to widen the detection network.  I get about a 60% hit on ssh BFD attacks.

I also found

	http://openbl.org

but they distribute it as a downloadable file rather than as a DNSRBL.
Maybe I can introduce the latter to the former.

Joseph Tam <jtam.home at gmail.com>
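An added example, not code from this thread or from Dovecot: a small Python check that builds the reversed-octet DNSBL query for an IP, resolves it against a zone such as the bl.blocklist.de one mentioned above, and decodes the answer using the 127.0.0.$port result-code idea from the thread. The 127.0.<hi>.<lo> extension for ports above 255, the sample listings and the `sample_resolve` stand-in are assumptions made for this example so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Zone taken from the thread. The result-code layout is the 127.0.0.$port
# proposal from the thread; using 127.0.<hi>.<lo> so that ports above 255
# fit is an assumption made for this example.
BLOCKLIST_ZONE = "bl.blocklist.de"

# Constructed sample listings so the example runs offline: 192.0.2.10 is
# listed as an IMAP (143) attacker, 192.0.2.11 as an IMAPS (993) attacker.
SAMPLE_LISTINGS = {
    "10.2.0.192.bl.blocklist.de": "127.0.0.143",
    "11.2.0.192.bl.blocklist.de": "127.0.3.225",
}


def sample_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname, backed by SAMPLE_LISTINGS."""
    if name not in SAMPLE_LISTINGS:
        raise socket.gaierror("NXDOMAIN")  # a real resolver reports "not listed" this way
    return SAMPLE_LISTINGS[name]


def dnsbl_query_name(ip: str, zone: str = BLOCKLIST_ZONE) -> str:
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_result(answer: str) -> Optional[int]:
    """Map a 127.0.<hi>.<lo> answer to the attacked port; None if outside 127.0.0.0/16."""
    o = ipaddress.IPv4Address(answer).packed
    if o[0] != 127 or o[1] != 0:
        return None
    return o[2] * 256 + o[3]


def listed_port(ip: str, zone: str = BLOCKLIST_ZONE,
                resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[int]:
    """Return the port the IP was caught attacking, or None when it is not listed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror subclasses OSError; NXDOMAIN means "not listed"
        return None
    return decode_result(answer)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, listed_port(ip, resolve=sample_resolve))
```

Passing the real `socket.gethostbyname` (the default) queries the live zone; a policy that rejects listed hosts outright would hit the hotel-wifi problem raised above, so the decoded port is better used as one signal alongside failed-auth counts.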
