On 2020-04-22 5:29 a.m., Johannes Rohr wrote:
Dear all,
what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban? It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice.
Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?
Cheers,
Johannes
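Johannes asks about spotting logins from unusual IP ranges. One way to do that from Dovecot's own logs, as an added example that is not code from either poster or from the Dovecot project: parse the `imap-login`/`pop3-login` "Login:" lines, flag sessions that were not TLS-protected, check users who have a per-user allowlist against it, and for everyone else learn a baseline of /24 (or /64) networks and alert when a new one appears. The allowlist, user names and log lines below are constructed; in production a GeoIP country lookup would replace the static CIDR list for the country restrictions Michael mentions.

```python
import re
import ipaddress
from collections import defaultdict

# Matches Dovecot's successful-login line, e.g.
#   imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4242, TLS, session=<s1>
# Failed attempts are logged as "Disconnected (auth failed ...)" and do not match.
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\S+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?P<rest>.*)$"
)


def parse_login(line):
    """Return a dict for a successful login line, or None for anything else."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["rip"] = ipaddress.ip_address(ev["rip"])
    # Dovecot appends "TLS" (or "secured") only when the session was encrypted.
    ev["tls"] = re.search(r",\s*(TLS|secured)\b", ev.pop("rest")) is not None
    return ev


# Constructed per-user allowlists (hypothetical home ISP / office ranges).
ALLOWED_NETS = {
    "alice": [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8::/32")],
    "bob": [ipaddress.ip_network("198.51.100.0/24")],
}


def check_logins(lines, allowed=ALLOWED_NETS):
    """Scan login lines and return (user, ip, reason) alerts.

    Users with an allowlist are alerted on any login from outside it. Users
    without one get a baseline from their first login and are alerted when a
    later login comes from a /24 (IPv4) or /64 (IPv6) not seen before.
    Unencrypted logins are always alerted.
    """
    alerts = []
    seen = defaultdict(set)  # user -> networks already observed
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        user, rip = ev["user"], ev["rip"]
        if not ev["tls"]:
            alerts.append((user, str(rip), "plaintext login"))
        prefix = 24 if rip.version == 4 else 64
        net = ipaddress.ip_network(f"{rip}/{prefix}", strict=False)
        if user in allowed:
            if not any(rip in n for n in allowed[user]):
                alerts.append((user, str(rip), "outside allowed networks"))
        elif seen[user] and net not in seen[user]:
            alerts.append((user, str(rip), f"new network {net}"))
        seen[user].add(net)
    return alerts


# Constructed sample log (syslog prefix as Dovecot writes it; addresses are documentation ranges).
SAMPLE_LOG = """\
Apr 22 05:29:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4242, TLS, session=<s1>
Apr 22 05:31:10 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, mpid=4243, TLS, session=<s2>
Apr 22 05:40:55 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.200, lip=192.0.2.10, mpid=4250, session=<s3>
Apr 22 06:02:03 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=4260, TLS, session=<s4>
Apr 22 06:05:44 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.30, lip=192.0.2.10, mpid=4261, TLS, session=<s5>
Apr 22 06:07:12 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, mpid=4262, TLS, session=<s6>
Apr 22 06:08:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.78, lip=192.0.2.10, TLS, session=<s7>
"""

if __name__ == "__main__":
    for user, ip, reason in check_logins(SAMPLE_LOG.splitlines()):
        print(f"{user:8} {ip:16} {reason}")
```

Run against the sample, this reports alice's unencrypted POP3 login from outside her allowlist and carol's first login from a network her baseline has not seen; the failed attempt is left to fail2ban. A real deployment would feed it `journalctl -u dovecot -f` or the mail log and persist `seen` between runs.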
For the record, there is a patch pending which would allow dovecot to support CLIENTID two factor authentication.
https://github.com/dovecot/core/pull/86 (Please add your comments that you want to see this committed)
Also, a very powerful tool is to implement country authentication restrictions on a per user basis.
As well, make sure that you deprecate old fashioned POP/IMAP sending unencrypted login information.
The three most common attack vectors, (and attack volumes have never been higher) are:
- Sniffed unencrypted credentials (Assume every home wifi router and CPE equipment are compromised ;)
- Re-used passwords where data is exposed from another site's breach (Users WANT to re-use passwords, this is where 2FA shines)
- Weak Passwords (Users like using weak passwords, so implement password restrictions)
Hackers are still brute forcing in incredible numbers, using the loosest 1012 passwords.. (or smaller subset of about 64 patterns) if you have a user with a
000000 111111 123123 123456 12345678 222222 333333 444444 555555 666666 696969 777777 888888 999999 abc123456 admin asdfgh asshole batman cheese fuckme fuckyou iloveu iloveyou letmein love master password princess P@ssw0rd qwerty secret sunshine superman trustno1
And of course, implement STRICT outbound rate limiters on all users.
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
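Michael's advice to "implement password restrictions" and the list of passwords he quotes suggest the check below, which is an added example and not code from LinuxMagic or from Dovecot (Dovecot itself does not enforce password policy; this would run wherever passwords are set, such as an account portal). It rejects anything in the quoted list, undoes the common symbol-for-letter substitutions so that `P@ssw0rd` is caught as `password`, and also catches the pattern families behind the list: repeated chunks (`123123`, `696969`, `000000`), digit or keyboard-row runs (`12345678`, `qwerty`, `asdfgh`), and passwords containing the user name. The minimum length and the leet table are assumptions, not anything from the thread.

```python
import re

# The passwords quoted in the thread, used here as the reject list.
# A real deployment would use a much larger breach corpus.
COMMON_PASSWORDS = {w.lower() for w in """
000000 111111 123123 123456 12345678 222222 333333 444444 555555 666666
696969 777777 888888 999999 abc123456 admin asdfgh asshole batman cheese
fuckme fuckyou iloveu iloveyou letmein love master password princess
P@ssw0rd qwerty secret sunshine superman trustno1
""".split()}

# Undo the usual symbol-for-letter substitutions so "P@ssw0rd" is caught as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"})

# Character rows that brute-force pattern lists walk forwards or backwards.
KEYBOARD_ROWS = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(pw):
    """Lower-case and reverse leet substitutions before the list lookup."""
    return pw.lower().translate(LEET)


def is_sequential(s, run=4):
    """True if any `run` consecutive characters walk a digit/alphabet/keyboard row."""
    for row in KEYBOARD_ROWS:
        for base in (row, row[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in base:
                    return True
    return False


def password_problems(pw, username="", min_len=12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("in common-password list")
    # A chunk repeated two or more times covers 123123, 696969 and 000000 alike.
    if re.fullmatch(r"(.+?)\1+", pw):
        problems.append("repeated pattern")
    if is_sequential(low):
        problems.append("sequential characters")
    if username and username.lower() in low:
        problems.append("contains username")
    return problems


if __name__ == "__main__":
    for candidate, user in (("123456", ""), ("P@ssw0rd", ""), ("123123", ""),
                            ("alice2020!!", "alice"), ("Correct-Horse-Battery-9", "")):
        print(f"{candidate!r:28} -> {password_problems(candidate, user) or 'ok'}")
```

The list lookup alone would miss `P@ssw0rd2021` or `Qwerty123!`; the pattern checks are what catch the "about 64 patterns" variants, so a 4-character run threshold is deliberately strict and may need tuning against your own user base.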