dictionary attack defense
Cliff Hayes
chayes at afo.net
Wed Oct 22 15:55:25 UTC 2014
Good idea!
Thanks!
On 10/22/2014 3:55 AM, Reindl Harald wrote:
>
> On 22.10.2014 at 05:59, Cliff Hayes wrote:
>> a) I read about auth_failure_delay even before I posted my question and
>> I could not figure out the one-line explanation in the dovecot wiki:
>> "Number of seconds to delay before replying to failed authentications."
>> It's delaying a reply. Does that mean the hacker can keep asking as
>> fast as he wants? Is it per user or per IP?
>
> it does not help him to ask fast
> he needs responses too and can't open endless connections parallel
>
>> b) I'm familiar with mail_max_userip_connections = x, but I'm not
>> familiar with the time limit you mention.
>
> iptables
>
> 0 0 REJECT tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 110,143,993,995 ctstate NEW recent: UPDATE seconds: 1800 hit_count: 100 name: dovecot2 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
> 4 256 REJECT tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 110,143,993,995 ctstate NEW recent: UPDATE seconds: 300 hit_count: 50 name: dovecot1 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
> 0 0 REJECT tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 25,465,587 ctstate NEW recent: UPDATE seconds: 1800 hit_count: 75 name: postfix2 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
> 9 448 REJECT tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 25,465,587 ctstate NEW recent: UPDATE seconds: 300 hit_count: 40 name: postfix1 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
> 0 0 DROP udp -- eth0 * !192.168.196/24 0.0.0.0/0 ctstate NEW recent: UPDATE seconds: 2 hit_count: 75 name: udpflood side: source mask: 255.255.255.255
> 0 0 DROP tcp -- eth0 * !192.168.196/24 0.0.0.0/0 ctstate NEW recent: UPDATE seconds: 2 hit_count: 75 name: DEFAULT side: source mask: 255.255.255.255
> 0 0 DROP tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/32 > 75
> 0 0 DROP tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/24 > 150
> 0 0 DROP tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/16 > 175
> 0 0 DROP tcp -- eth0 * !192.168.196/24 0.0.0.0/0 multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/8 > 200
>
>> On 10/21/2014 5:02 PM, Reindl Harald wrote:
>>>
>>>
>>> On 21.10.2014 at 23:28, Cliff Hayes wrote:
>>>> Does dovecot have any dictionary attack defenses yet?
>>>> In the past I have had to implement defense from outside dovecot, but
>>>> since dovecot is at the front lines and therefore is the first to know
>>>> I'm hoping by now there is something we can set. For example, a limit
>>>> on access failures per minute/hour/day or some such. If not, why not?
>>>
>>> no - but you can set "auth_failure_delay = 5" and limit new connections
>>> per IP to something around 40 per 5 minutes and 100 per 30 minutes, which
>>> stops many of them or at least limits the number of tries dramatically
>
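The per-source limits discussed in this thread (roughly 50 new connections per 300 s and 100 per 1800 s on the Dovecot ports), applied as a detection rule over auth-failure log lines, as an added example that is not part of the thread. It is a simplified sliding-window model, not a reproduction of the iptables `recent` module's exact matching rules, and the log line format is a constructed approximation of dovecot imap-login output with an epoch timestamp prepended.

```python
import re
from collections import defaultdict, deque

# Windows taken from the thread's rules: (window seconds, max attempts).
WINDOWS = ((300, 50), (1800, 100))

# Constructed approximation of a dovecot imap-login auth-failure line,
# prefixed with an epoch timestamp (not real log output).
LINE_RE = re.compile(
    r"^(?P<ts>\d+) imap-login: Disconnected \(auth failed.*rip=(?P<ip>[\d.]+)"
)


class SourceLimiter:
    """Simplified per-source sliding-window model of the thread's rate limits."""

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        self.longest = max(sec for sec, _ in windows)
        self.seen = defaultdict(deque)  # ip -> timestamps inside the longest window

    def attempt(self, ip, ts):
        """Record an attempt at time ts; return True if any window is exceeded."""
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] >= self.longest:  # drop stamps outside every window
            q.popleft()
        return any(sum(1 for t in q if ts - t < sec) > limit
                   for sec, limit in self.windows)


def blocked_attempts(lines, windows=WINDOWS):
    """Return {ip: number of attempts that would have been rejected}."""
    limiter = SourceLimiter(windows)
    blocked = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and limiter.attempt(m["ip"], int(m["ts"])):
            blocked[m["ip"]] += 1
    return dict(blocked)


def constructed_log(attacker="203.0.113.7", user="198.51.100.4"):
    """Constructed sample: 60 failures in two minutes from one source, 3 slow ones from another."""
    fmt = ("{ts} imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
           "user=<bob>, method=PLAIN, rip={ip}, lip=192.0.2.10")
    lines = [fmt.format(ts=1000 + 2 * i, ip=attacker) for i in range(60)]
    lines += [fmt.format(ts=1000 + 600 * i, ip=user) for i in range(3)]
    return lines


if __name__ == "__main__":
    print(blocked_attempts(constructed_log()))  # {'203.0.113.7': 10}
```

The slow source never trips either window, while the burst is cut off at the 51st attempt inside 300 s; the longer window catches sources that stay under the short limit but keep going for half an hour.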