Force TCP socket disconnect on imap login failure?
Paul Kudla (SCOM.CA Internet Services Inc.)
paul at scom.ca
Mon May 23 21:11:13 UTC 2022
Ok would like to help and I DO understand the issue at hand.
It took me with custom programming 5 years of tinkering to get to what i
have today.
So a few questions / comments ??
Are you running an sql database or just user-db (local) to do the lookups ?
sql gives you some major flexability on how to track and ignore ip
blocks etc etc etc upon logins.
Issues to consider (I will explain the system i wrote for SCOM.CA as I
went though a lot to get here and you like most are probably
experiencing the same hack attempts.)
Note I am not trying to get off topic but you need to think about stuff
like this through a bit.
You also have to consider people trying to send through postfix as it is
the same issue in reverse.
Under SCOM I do the following (only meant to be a guideline):
1. i have a common syslogger running that ALL logging goes through.
2. I then have conditions against anything being logged that will
trigger an event.
3. The event triggered in your case would be seeing a line like
auth: sql(tmp at dereilanatureinn.ca,220.194.140.110,
<5H72HLPfTp/cwoxu>): unknown user
pop3-login: Disconnected: Connection closed (auth failed, 1 attempts
in 3 secs): user=<edriley at scom.ca>, method=PLAIN, rip=110.44.124.224,
lip=65.39.148.18
there are other conditions but you get the idea.
Ok from here it starts getting complicated.
The idea is to keep the rift raft out and allow good users in.
Easier said then done.
I track all bad logins from all bad ip addresses and then run a seperate
database table that tracks that.
the ip address that gets tracked lands in two places,
the firewall tables (which for me are global)
&
the user in my database.
if a user is unknown (example above) then at least the first condition
will catch a bad hack attempt based on ip. Most hack attempts by ip
address usually keep sending common login names (like admin, ftp,
ftpuser etc etc) hoping to match to a common account.
for the user (which is relative here) i let 30 attempts go by every 30
minutes and 500 per month, after which the user is blocked via auth in
sql and will have to call to get unlocked. Usually the ip address is
blacklisted before the username is so its not that much of a deal.
afterwhich it becomes part of the user query to lock out the userfrom
anywhere as they are obviously getting hacked.
when an ip is doing the hacking then i count using the same formula and
then blacklist it internal to all of my servers (thus a database makes
it earier to track)
I run freebsd and thus use pf firewall, iptables can do the same with
the same info you just need to build the tables and uodate them. (i
update mine every 10 minutes, i find pf does this quicker on large
lables (like 10,000 blocked) )
Now for the issue at hand that you are asking about:
I am sure that the c programming could be patched along the line to do
exactly what you are asking,
However Issues that pop up.
so you hang up on the connection, they will probably just login again
anyways which means without tracking the ip & username stats and
updating accordingly it will really not change anything at the end of
the day.
In my experience I see people / servers etc constantly hacking my side
and what i generally described above turned out to be the only real fix,
and not even really that guarenteed to work!
I do get ip's that get blacklisted by accident (i do the whole class 'c'
as the 'c' block is usually all the same guy) but i get a good one maybe
every few months, usually when i block it there are not many complaints
after that.
I know the above is complicated, fyi i track postfix's sasl auth's as
well but in that case to get a username & ip address on one syslog line
i had to patch the sasl auth c file to get a log entry that was useable.
Postfix simply will NOT provide the info on one line.
Between both of the conditions above the server's remain fairly useable
and secured.
the CSF firewall option below IS valid but i find you need to track IP
address & username or you end up blocking stuff you dont want to
also on another note IPV6 (at least in canada) is becoming a pain for isp's
many cable companies, dsl providers etc are assigning an ipv6 address
and then converting it to ipv4 on the way out the door from their
networks using double natting ?
Issue is you can have 10,000 people all sharing that same ip address and
if you block it then that will prevent other 'good' people from logging
in, again back to tracking the username in this case gives you an out if
the hacker is just using a list obtained elsewhere on the net.
Food for thought.
Happy Monday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca
On 5/23/2022 3:26 PM, dovecot-bounces at dovecot.org wrote:
>
> On 2022-05-23 20:11, Lloyd Zusman wrote:
>> I'm running dovecot 2.2.13 under Debian 8.
>>
>> I'd like to force an immediate TCP socket disconnect after any imap
>> login attempt that fails.
>>
>> Right now, if invalid credentials are supplied during an imap login,
>> the client can keep retrying logins with different credentials.
>> However, I want to prevent that from occurring by causing the socket
>> connection to be closed as soon as there is any failed login attempt.
>>
>> I haven't been able to find any dovecot configuration setting which
>> could control this behavior, but I'm hoping that I just missed
>> something.
>>
>> Thank you very much for any suggestions.
>>
>> --
>> hippoman at gmail.com
>> Take a hippopotamus to lunch today.
>
> Hi there,
>
> Try CSF firewall. Make sure to enable Login Failure Detection and Max
> Retries Per X Minutes, and notice with such option set, it will
> permenantly block the IP addresses that exceeds maximum login failures
> in the specified interval.
>
> Anyhow, my personal recommendation in terms of security, its to use web
> mail and limit login attempts per minutes and for higher security, setup
> a VPN and disallow access to the web mail except through the VPN.
>
> Good luck.
>
> Zakaia.
>
More information about the dovecot
mailing list