dictionary attack defense

Cliff Hayes chayes at afo.net
Wed Oct 22 15:55:25 UTC 2014


Good idea!
Thanks!

On 10/22/2014 3:55 AM, Reindl Harald wrote:
>
> On 22.10.2014 at 05:59, Cliff Hayes wrote:
>> a) I read about auth_failure_delay even before I posted my question and
>> I could not figure out the one-line explanation in the dovecot wiki:
>> "Number of seconds to delay before replying to failed authentications."
>>   It's delaying a reply.  Does that mean the hacker can keep asking as
>> fast as he wants?  Is it per user or per IP?
>
> it does not help him to ask fast;
> he needs responses too and can't open endless connections in parallel
>
>> b) I'm familiar with mail_max_userip_connections = x, but I'm not
>> familiar with the time limit you mention.
>
> iptables
>
>      0     0 REJECT     tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 110,143,993,995 ctstate NEW recent: UPDATE seconds: 1800 hit_count: 100 name: dovecot2 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
>      4   256 REJECT     tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 110,143,993,995 ctstate NEW recent: UPDATE seconds: 300 hit_count: 50 name: dovecot1 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
>      0     0 REJECT     tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 25,465,587 ctstate NEW recent: UPDATE seconds: 1800 hit_count: 75 name: postfix2 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
>      9   448 REJECT     tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 25,465,587 ctstate NEW recent: UPDATE seconds: 300 hit_count: 40 name: postfix1 side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
>      0     0 DROP       udp  --  eth0   *      !192.168.196/24       0.0.0.0/0            ctstate NEW recent: UPDATE seconds: 2 hit_count: 75 name: udpflood side: source mask: 255.255.255.255
>      0     0 DROP       tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            ctstate NEW recent: UPDATE seconds: 2 hit_count: 75 name: DEFAULT side: source mask: 255.255.255.255
>      0     0 DROP       tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/32 > 75
>      0     0 DROP       tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/24 > 150
>      0     0 DROP       tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/16 > 175
>      0     0 DROP       tcp  --  eth0   *      !192.168.196/24       0.0.0.0/0            multiport dports 25,80,443,465,587 tcp flags:0x17/0x02 #conn src/8 > 200
>
>> On 10/21/2014 5:02 PM, Reindl Harald wrote:
>>>
>>>
>>> On 21.10.2014 at 23:28, Cliff Hayes wrote:
>>>> Does dovecot have any dictionary attack defenses yet?
>>>> In the past I have had to implement defense from outside dovecot, but
>>>> since dovecot is at the front lines and therefore is the first to know
>>>> I'm hoping by now there is something we can set.  For example, a limit
>>>> on access failures per minute/hour/day or some such.  If not, why not?
>>>
>>> no - but you can set "auth_failure_delay = 5" and limit new connections
>>> per IP to something around 40 per 5 minutes and 100 per 30 minutes, which
>>> stops many of them or at least limits the number of tries dramatically
>
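The REJECT rules Reindl lists use the iptables `recent` match: a per-source ring of timestamps, and a connection is refused once `hit_count` timestamps fall inside the trailing window of `seconds`. The model below is an added example, not code from the thread or from Dovecot; it replays constructed traffic through the two `dovecot1`/`dovecot2` thresholds (50 per 300 s, 100 per 1800 s) so the effect on an attacker and on a normal mail client can be counted. It assumes, as the listing does not show, that a `-m recent --set` rule precedes each REJECT rule so that every NEW connection, rejected or not, leaves a timestamp; the addresses and timings are invented.

```python
# Added example (not from the mailing-list thread): sliding-window model of the
# iptables "-m recent --update --seconds S --hitcount H --rsource -j REJECT" rules
# shown above, run over constructed traffic.
from collections import defaultdict, deque


class RecentRule:
    """One xt_recent table plus its REJECT rule.

    Assumption: a preceding '-m recent --set --name <table>' rule records every
    NEW connection, so the ring of timestamps grows even while rejecting.
    """

    def __init__(self, name, seconds, hit_count, max_stamps=256):
        # The kernel remembers only a bounded number of timestamps per address;
        # a hit_count that does not fit that ring cannot be enforced.
        if hit_count > max_stamps:
            raise ValueError("hit_count exceeds remembered timestamps per address")
        self.name = name
        self.seconds = seconds
        self.hit_count = hit_count
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def new_connection(self, src, now):
        """Record a NEW connection from src at time `now` (seconds) and return
        True when the rule would REJECT it, i.e. at least hit_count connections
        from src (this one included) fall inside the trailing window."""
        ring = self.stamps[src]
        ring.append(now)
        in_window = sum(1 for t in ring if now - t <= self.seconds)
        return in_window >= self.hit_count


class Chain:
    """Rules evaluated in order; the first REJECT wins, otherwise ACCEPT."""

    def __init__(self, rules):
        self.rules = rules

    def evaluate(self, src, now):
        # All --set rules fire before any REJECT rule, so every table is updated.
        hits = [rule.new_connection(src, now) for rule in self.rules]
        for rule, hit in zip(self.rules, hits):
            if hit:
                return "REJECT:" + rule.name
        return "ACCEPT"


def dovecot_chain():
    """The two POP3/IMAP thresholds from the listing: 50/300 s, then 100/1800 s."""
    return Chain([RecentRule("dovecot1", 300, 50), RecentRule("dovecot2", 1800, 100)])


def constructed_traffic():
    """Constructed sample: one address opens a NEW connection every 2 s for 30 min
    (900 connections); a normal client at another address polls every 5 min."""
    events = [(t, "203.0.113.7") for t in range(0, 1800, 2)]
    events += [(t, "198.51.100.20") for t in range(0, 1800, 300)]
    events.sort()
    return events


def simulate(chain, events):
    """Return {src: {"ACCEPT": n, "REJECT": n}} for a list of (time, src) events."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0})
    for now, src in events:
        verdict = chain.evaluate(src, now).split(":")[0]
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, c in simulate(dovecot_chain(), constructed_traffic()).items():
        print(f"{src}: accepted {c['ACCEPT']}, rejected {c['REJECT']}")
```

With these numbers the fast source gets its 49 connections in the first 98 seconds and is then refused for the rest of the half hour, because the rejected attempts keep refreshing its timestamps; the 5-minute poller never accumulates more than two timestamps in a window and is untouched. That refresh behaviour is the caveat to keep in mind when sizing `hit_count`: a legitimate site behind one NAT address that bursts past the threshold stays blocked until it quiets down for the full window.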

