Recommendations on intrusion prevention/detection?

Michael Peddemors michael at linuxmagic.com
Wed Apr 22 19:14:05 EEST 2020


On 2020-04-22 5:29 a.m., Johannes Rohr wrote:
> Dear all,
> 
> what are the key strategies for intrusion prevention and detection with
> dovecot, apart from installing fail2ban?
> It is a pity that the IMAP protocol does not support 2 factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks. Without it, if someone has obtained your password and reads your
> mail without modifying it, you will hardly ever notice.
> 
> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?
> 
> Cheers,
> 
> Johannes
> 
> 

For the record, there is a patch pending which would allow dovecot to 
support CLIENTID two factor authentication.

https://github.com/dovecot/core/pull/86
(Please add your comments that you want to see this committed)

Also, a very powerful tool is to implement country authentication 
restrictions on a per user basis.

As well, make sure that you deprecate old fashioned POP/IMAP sending 
unencrypted login information.

The three most common attack vectors (and attack volumes have never 
been higher) are:

* Sniffed unencrypted credentials
   (Assume every home wifi router and CPE equipment are compromised ;)
* Re-used passwords where data is exposed from another site's breach
   (Users WANT to re-use passwords, this is where 2FA shines)
* Weak Passwords
   (Users like using weak passwords, so implement password restrictions)

Hackers are still brute forcing in incredible numbers, using the loosest 
1012 passwords... (or a smaller subset of about 64 patterns). If you have a 
user with a <username|domain>NNNN password, a < 8 char numeric password, or 
one of the following, it is only a matter of time before it is compromised.

000000
111111
123123
123456
12345678
222222
333333
444444
555555
666666
696969
777777
888888
999999
abc123456
admin
asdfgh
asshole
batman
cheese
fuckme
fuckyou
iloveu
iloveyou
letmein
love
master
password
princess
P@ssw0rd
qwerty
secret
sunshine
superman
trustno1


And of course, implement STRICT outbound rate limiters on all users.


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

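The weak-password patterns Michael lists above (the common-password list, `<username|domain>NNNN`, and short all-numeric passwords) can be turned into a pre-commit check run when a mailbox password is set or changed. The following is an added example, not code from the post or from Dovecot; `weak_password_reasons` is a hypothetical helper, the interpretation of `<username|domain>` as "the local part, the full domain, or the domain's leftmost label" is this example's assumption, and the word list is the one from the post.

```python
import re

# The common-password list from the post above (reproduced as given there).
COMMON_PASSWORDS = {
    "000000", "111111", "123123", "123456", "12345678", "222222", "333333",
    "444444", "555555", "666666", "696969", "777777", "888888", "999999",
    "abc123456", "admin", "asdfgh", "asshole", "batman", "cheese", "fuckme",
    "fuckyou", "iloveu", "iloveyou", "letmein", "love", "master", "password",
    "princess", "P@ssw0rd", "qwerty", "secret", "sunshine", "superman",
    "trustno1",
}
_COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}


def weak_password_reasons(password: str, username: str, domain: str) -> list:
    """Return the reasons a password matches a pattern named in the post.

    An empty list means none of those patterns matched; it is not a proof of
    strength, only that the cheapest brute-force patterns do not apply.
    Hypothetical helper written for this example.
    """
    reasons = []
    lowered = password.lower()

    # 1. Directly on the common-password list (case-insensitive match).
    if lowered in _COMMON_LOWER:
        reasons.append("in common-password list")

    # 2. <username|domain>NNNN: an account-derived stem followed only by digits.
    #    Assumption of this example: the stem may be the local part, the full
    #    domain, or the domain's leftmost label (e.g. "example" of example.com).
    stems = [
        ("username", username),
        ("domain", domain),
        ("domain", domain.split(".")[0] if domain else ""),
    ]
    for label, stem in stems:
        if stem and re.fullmatch(re.escape(stem.lower()) + r"\d+", lowered):
            reason = f"{label} followed by digits"
            if reason not in reasons:
                reasons.append(reason)

    # 3. All-numeric password shorter than 8 characters.
    if password.isdigit() and len(password) < 8:
        reasons.append("numeric and shorter than 8 characters")

    return reasons


def is_acceptable(password: str, login: str) -> bool:
    """True when no listed pattern matches. `login` is a user@domain string."""
    local, _, dom = login.partition("@")
    return not weak_password_reasons(password, local, dom)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("123456", "bob2020", "example99", "p@ssw0rd", "correct horse battery staple"):
        print(pw, "->", weak_password_reasons(pw, "bob", "example.com") or "ok")
```

A check like this belongs in whatever sets passwords (a web UI, an admin script, or a PAM/SQL trigger), before the hash is written; Dovecot itself only verifies the stored hash and cannot tell a weak password from a strong one after the fact.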


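Two of the recommendations above, per-user country restrictions and retiring unencrypted logins, can also be audited after the fact from Dovecot's login log. The following is an added example, not code from the post or from Dovecot. It assumes the `imap-login: Login: user=<...>, ..., rip=..., ..., TLS, ...` line shape that Dovecot's login processes write (the `TLS` token is present only for encrypted sessions), the log lines are constructed samples using documentation address ranges, and `GEO_PREFIXES` is a hand-built stand-in for a real GeoIP database; `audit_logins` and `country_for` are hypothetical helpers.

```python
import ipaddress
import re

# Constructed sample log lines in Dovecot's login-log shape (not real traffic).
LOG_LINES = [
    "Apr 22 10:01:12 mail dovecot: imap-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4101, TLS, session=<s1>",
    "Apr 22 10:02:40 mail dovecot: imap-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, mpid=4102, TLS, session=<s2>",
    "Apr 22 10:03:05 mail dovecot: pop3-login: Login: user=<bob@example.com>, "
    "method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=4103, session=<s3>",
    "Apr 22 10:03:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts "
    "in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.200, "
    "lip=192.0.2.10, TLS, session=<s4>",
]

# Constructed prefix-to-country table standing in for a GeoIP lookup.
GEO_PREFIXES = {
    "203.0.113.0/24": "CA",
    "198.51.100.0/24": "NL",
}

# Per-user allow-list of countries, the "country restrictions on a per user
# basis" the post recommends. Constructed sample policy.
ALLOWED_COUNTRIES = {
    "alice@example.com": {"CA"},
    "bob@example.com": {"CA", "NL"},
}

# Only successful logins carry "Login:"; failures and disconnects are skipped.
_LOGIN_RE = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def country_for(ip: str, geo=GEO_PREFIXES) -> str:
    """Map an address to a country code via longest-prefix match; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in geo.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else "??"


def audit_logins(lines, geo=GEO_PREFIXES, allowed=ALLOWED_COUNTRIES):
    """Return (user, ip, country, reason) for every login that violates policy.

    Reasons: the source country is not on the user's allow-list (or unknown),
    or the session carried no TLS token, i.e. credentials crossed the wire
    unencrypted.
    """
    findings = []
    for line in lines:
        m = _LOGIN_RE.search(line)
        if not m:
            continue
        user, rip = m.group("user"), m.group("rip")
        cc = country_for(rip, geo)
        if cc not in allowed.get(user, set()):
            findings.append((user, rip, cc, "country not in allow-list"))
        if not re.search(r"\bTLS\b", line):
            findings.append((user, rip, cc, "login without TLS"))
    return findings


if __name__ == "__main__":
    for finding in audit_logins(LOG_LINES):
        print(*finding)
```

Run over the real log (for example `journalctl -u dovecot` or `/var/log/mail.log`) this gives the "unusual IP range" alert the original question asked for; the prevention side is Dovecot's `disable_plaintext_auth = yes` so that the second class of finding cannot occur at all.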
More information about the dovecot mailing list