On Fri, Aug 26, 2011 at 10:14 AM, Alexandre Chapellon wrote:

fail2ban will work as soon as dovecot has closed a non-authenticated connection: 3 mins -> 180 sec.
If the tarpit delay for auth failures in a connection is set to 15s (which seems to be the default unless I misunderstood), this leaves an attacker only 12 tries (at most) before the IP gets blacklisted by fail2ban. Far enough to circumvent brute-force and even dictionary-based attacks, unless the attacker has a botnet and uses a non-aggressive retry policy. But in the latter case, even if you blacklist the IP at the first failed try, you're still vulnerable to such attacks.

Regards.

On 26/08/2011 14:22, Felipe Scarel wrote:

Yeah, I had read about half of that thread, and after I sent my mail I kept reading and stumbled upon this: "(...) using the recent module needs dovecot to close the connection upon authentication failure, as iptables only (normally) comes into play for new connections (...)". So, yeah, my suggestion probably won't work.

On Fri, Aug 26, 2011 at 09:15, Felipe Scarel <fbscarel@gmail.com> wrote:

Alex, I've not personally done it (so just speculating here, bear with me), but you can customize Fail2Ban's actions if needed. So, if you can match the attempts through some regex (and since you're seeing them in the logs, that should be quite possible), then you can edit one of the 'actions' to drop the connection for <ip>. I'm just not entirely sure that iptables (or pf, or whatever firewall you've got) can do it to active connections, 'cause that problem hasn't arisen for me so far.

On Fri, Aug 26, 2011 at 06:14, Alex <alex@ahhyes.net> wrote:

I am happy to recompile if there is no config option. I gather it's in the src/auth dir somewhere in one of the C source files. Just need to be pointed in the right dir.

On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:

3 minutes! I think that's too long, how can I drop that down to about 45 seconds?

On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:

On 26.8.2011, at 10.25, Alex wrote:

> Running Dovecot 2 on my server. It is regularly getting dictionary auth attacked. What I have noticed is that once connected to a pop3/imap login session, you can send endless incorrect username+password attempts. This is a problem for me... I use fail2ban to try and stop these script kiddies. The problem is that fail2ban detects the bad auths, firewalls the IP, however, since it's an "established" session, the attacker can keep authing away... It's only on a subsequent (new) connection that the firewalling will take effect.

Umm. If the client hasn't managed to log in in 3 minutes, it's disconnected (no matter what it does with the connection).

What if you substitute (create a wrapper for) the "imap-login" binary with a script? The script can create a "fail attempt/ip" file in the home dir and return ok or not to the dovecot main process based on this information. This will solve your problem with established connections and will ban the "bad guy" in real time. I know this is possible in the 1.x version.
Timo, is this possible on the 2.x version? Regards.
Use blind carbon copy (BCC) and delete personal data from the message body when forwarding any e-mail.
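The detection side of what this thread is about, as an added example that is not part of the original message and is not code from Dovecot or fail2ban: a fail2ban-style maxretry/findtime decision run over a few constructed log lines in the form Dovecot 2's imap-login/pop3-login processes use when they close a connection after failed authentication. The sample lines, the host name "mail", the RFC 5737 test addresses, the `AUTH_FAIL_RE` pattern and the `decide_bans` thresholds are all assumptions made for this example. It shows the point Alex and Timo were circling: Dovecot logs the failure (with the total attempt count) only when it closes the connection, so a log-driven ban can land no earlier than that disconnect, and a filter that counts lines rather than the logged attempts undercounts a single long-lived dictionary run.

```python
"""fail2ban-style ban decision over Dovecot 2 login log lines.

Added example: not the thread author's code and not part of Dovecot or
fail2ban. Log lines, IPs and thresholds below are constructed for it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot 2 writes one line per login connection when it closes it after
# failed authentication, carrying the number of attempts made on that
# connection. Assumed syslog prefix "<ts> <host> dovecot: ".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:imap|pop3)-login: (?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<attempts>\d+) attempts in (?P<secs>\d+) secs\): "
    r".*\brip=(?P<ip>[0-9a-fA-F.:]+)\b"
)

# Constructed sample log (hypothetical host "mail", RFC 5737 test addresses).
# 203.0.113.5 is a dictionary attacker: each connection runs 12 guesses and
# is cut by Dovecot's 3-minute login timeout. 192.0.2.9 is a user with a
# mistyped password, far apart in time.
SAMPLE_LOG = """\
Aug 26 10:00:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS
Aug 26 10:03:07 mail dovecot: imap-login: Disconnected (auth failed, 12 attempts in 180 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Aug 26 10:03:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2
Aug 26 10:06:11 mail dovecot: imap-login: Disconnected (auth failed, 12 attempts in 180 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Aug 26 10:20:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2
"""


def parse_line(line, year=2011):
    """Return (timestamp, ip, attempts, secs) for an auth-failure line, else None."""
    m = AUTH_FAIL_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["attempts"]), int(m["secs"])


def decide_bans(lines, maxretry=5, findtime=600, count_attempts=True):
    """Sliding-window ban decision in the style of fail2ban's maxretry/findtime.

    count_attempts=True weights each line by the attempt count Dovecot logged,
    so one long-lived connection full of guesses trips the ban as soon as
    Dovecot closes it. count_attempts=False counts lines only, the way a naive
    filter would, and needs maxretry separate connections to ban anybody.
    Returns {ip: time at which the ban was decided}.
    """
    window = timedelta(seconds=findtime)
    history = defaultdict(list)  # ip -> [(timestamp, weight)]
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue
        ts, ip, attempts, _secs = parsed
        history[ip].append((ts, attempts if count_attempts else 1))
        # Forget failures older than findtime relative to the newest one.
        history[ip] = [(t, w) for t, w in history[ip] if ts - t <= window]
        if sum(w for _, w in history[ip]) >= maxretry:
            # This is the earliest a log-driven ban can happen: only once
            # Dovecot has disconnected the client. The guesses already made
            # on that connection are sunk cost.
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in decide_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("line-counting filter bans:",
          decide_bans(SAMPLE_LOG.splitlines(), count_attempts=False))
```

With the constructed log, the attempt-weighted filter bans 203.0.113.5 at 10:03:07, the moment its first connection is closed, while the line-counting filter bans nobody. Whether a ban rule inserted by the action also cuts a session that is still open is a separate question from detection: it depends on where that rule sits relative to any `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule in the chain, and an action that wants to kill an active session would also have to drop the connection-tracking entry (conntrack-tools' `conntrack -D -s <ip>`) so the attacker's next packet is no longer classified as part of an established flow.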