Ed W wrote:
Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and also to allow a high number of errors before temporarily "jailing" a user. This is to decrease the likelihood that a single user from a single IP will get all his coworkers (temporarily) banned over an honest mistake in configuration.
I have noticed recent breaking attempts which appear to be a slow coordinated botnet using multiple IPs and trying a combination of SMTP, POP and IMAP (can't remember if it did both of the latter or just POP?). As a result I tried to combine all three into a single test. Actually I did the wrong thing, but if you look through my previous posts you can see someone (Bill?) correct me and post the correct config for this.
I would recommend you be aware of this - in my case I was seeing less than a few attempts from a given IP in a 10 min period, but lots of what appeared to be coordinated attempts at the server level. (e.g. some servers were only trying a few logins per day, but across enough IP addresses this was fairly rapidly filling the logs.)
Good luck
Ed W
Thanks for the heads-up! Okay then, perhaps the best solution is to make use of the "ignoreip" setting in jail.conf to protect known IP addresses, something like this:
[sasl-iptables]
enabled  = true
backend  = polling
filter   = sasl
action   = iptables[name=sasl, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime  = 1200

[dovecot-pop3]
enabled  = true
filter   = dovecot-pop3
action   = iptables[name=POP3, port=pop3, protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime  = 1200

[dovecot-imap]
enabled  = true
filter   = dovecot-imap
action   = iptables[name=IMAP, port=imap, protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime  = 1200
Note that SMTP, POP3, and IMAP are all looking at the same log file, they all have the same ban parameters (more aggressive than previously proposed), and they all ignore the same IP ranges (in this case a local subnet, a range of public IPs, and one additional public IP). Then in keeping with this, all three filter files (sasl.conf, dovecot-pop3.conf, and dovecot-imap.conf) would have identical configurations:
[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: pop3-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*
            (?: pop3-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: imap-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*
            (?: imap-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
So any failure at any of the three protocols (SMTP, POP3, IMAP) is considered a "strike" by all three, and they should all ban the same guys at the same time. This is as yet untested, but seems like it should be pretty sound.
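Since the combined filter above is described as untested, here is an added example (editor's code, not part of the thread or of fail2ban itself) that checks the seven failregex alternatives the way fail2ban-regex would: it expands fail2ban's <HOST> tag to the named group fail2ban substitutes, runs each pattern over constructed Postfix and Dovecot log lines, honours the ignoreip subnet, and tallies strikes per source address across all three protocols with the jail's maxretry of 2. The log lines are made up for this demonstration; only the private subnet from the ignoreip line is used, because the two public entries in the message are placeholders rather than valid addresses; and the findtime window is deliberately left out.

```python
import ipaddress
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this named group before compiling a failregex
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The seven alternatives from the combined filter in the message above, one per entry
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# Only the private subnet from the jail's ignoreip line; the public entries in the
# message are placeholders, not parseable IPv4 literals
IGNOREIP = [ipaddress.ip_network("192.168.1.0/24")]
MAXRETRY = 2  # same value as the jails above


def match_failure(line):
    """Return the source host if any failregex alternative matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host):
    """True if the host falls inside one of the ignoreip networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Count strikes per host across SMTP, POP3 and IMAP failures and return the
    hosts that reached maxretry (findtime windowing is omitted here)."""
    strikes = Counter()
    for line in lines:
        host = match_failure(line)
        if host and not is_ignored(host):
            strikes[host] += 1
    return sorted(h for h, n in strikes.items() if n >= maxretry)


# Constructed sample log lines in Postfix/Dovecot syslog style (not real traffic)
SAMPLE_LOG = [
    "Mar  3 10:15:22 mail postfix/smtpd[12345]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:15:40 mail dovecot: pop3-login: Authentication failure: user=<bob>, "
    "method=PLAIN, rip=203.0.113.5, lip=198.51.100.2",
    "Mar  3 10:16:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<alice>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2",
    "Mar  3 10:16:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.168.1.20, lip=198.51.100.2",
    "Mar  3 10:17:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<carol>, method=PLAIN, rip=192.168.1.20, lip=198.51.100.2",
    "Mar  3 10:17:09 mail dovecot: pop3-login: Aborted login (auth failed, 2 attempts): "
    "user=<carol>, method=PLAIN, rip=192.168.1.20, lip=198.51.100.2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_failure(line) or "-", "|", line[:60])
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

The point the run makes is the one the message claims: one SMTP failure plus one POP3 failure from 203.0.113.5 add up to a ban under maxretry = 2, a single IMAP failure from 198.51.100.77 does not, and the two failures from the 192.168.1.0/24 workstation are dropped by ignoreip before they are counted. Swap the sample lines for a tail of your real maillog to confirm each alternative fires on the exact wording your Postfix and Dovecot versions emit.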