Message: 1
Date: Sun, 15 Jun 2008 19:04:05 -0400
From: "Larry Ludwig" larrylud@gmail.com
Subject: [Dovecot] Using checkpassword to block ips?
To: dovecot@dovecot.org
Message-ID: 000601c8cf3c$1cd11130$0605a8c0@tank
Content-Type: text/plain; charset="us-ascii"

Hi, new to the list, but we are a long-time user of Dovecot via the DirectAdmin control panel.
We, like everyone else, are seeing an increase in dictionary attacks of POP/IMAP. We want to block them.
I've searched the mailing list and found a few recommending fail2ban, which really won't work for our case. We need to do this over many machines and not one or two. We also like to gather info at the network-wide level. Hackers know about attacking specific server/IPs too often and we've seen much more distributed attacks that go under the radar of a one-server monitoring setup.
We've designed our own system and use a local RBL to distribute the blocked IPs. For ftp and ssh attacks it's worked very well. We would like to use the RBL to do the same with dovecot.
From my research it appears the best way to do this (and only currently) is with the checkpassword option. I haven't gotten it to work yet. We have:
passdb checkpassword {
  args = /usr/local/bin/checkpassword
  deny = yes
}
As the first auth. This should reject the connection if the IP matches. checkpassword can see the TCPREMOTEIP environmental variable.
In the checkpassword script we have:
#!/usr/bin/perl

sub read_uinfo {
    my($user,$passwd,$apop_ts);
    open X,"<&=3" or exit 111;
    $_ = <X>; # ugly; should use sysread instead
    ($user,$passwd,$apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
    while (<X>) {};
    close X;
    return ($user,$passwd,$apop_ts);
}

($user,$passwd,$apop_ts)=$debug?(shift,shift,shift):read_uinfo;

$ipaddr=$ENV{TCPREMOTEIP};
$result=system("/usr/sbin/checkdnsbl $ipaddr");
if ( $result == 0) {
    @ENV{"SHELL","USER","HOME"} = ($shell,$user,$home);
    exit 0;
} else {
    exit 1;
}
My questions are as follows:
- Can the deny = yes be used with checkpassword?
- What am I doing wrong with the script? It should reject only the connections that are in the RBL. It blocks all
Bump..
No one can help with this setup or issue?
-L
Larry Ludwig Empowering Media 1-866-792-0489 x600 Managed and Unmanaged Xen VPSes http://www.hostcube.com/
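
The RBL gate described in the message above, as an added example in Python that is not part of the original post or of Dovecot: it reads the checkpassword record from fd 3, takes the client address from TCPREMOTEIP, and queries the RBL directly over DNS instead of shelling out with the address on a command line. The zone name `rbl.example.internal`, the injectable `resolve` parameter and the exit-code mapping (0 when listed, 1 otherwise) are assumptions; how Dovecot acts on the exit status is not covered here.

```python
#!/usr/bin/env python3
"""Checkpassword-style RBL gate (added example; zone and exit codes are assumptions)."""
import ipaddress
import os
import socket
import sys

RBL_ZONE = "rbl.example.internal"  # hypothetical local RBL zone


def parse_checkpassword_input(data: bytes):
    """Split the fd 3 record: user NUL password NUL timestamp NUL."""
    fields = data.split(b"\0")
    if len(fields) < 4:
        raise ValueError("expected three NUL-terminated fields")
    return tuple(f.decode("utf-8", "replace") for f in fields[:3])


def dnsbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything not an IP
    # reverse_pointer is "4.3.2.1.in-addr.arpa" or "...ip6.arpa"; drop that suffix.
    labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{zone}"


def is_listed(ip: str, zone: str = RBL_ZONE, resolve=socket.gethostbyname) -> bool:
    """True only when the RBL answers with an address in 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except (ValueError, OSError):
        # Missing or malformed IP, NXDOMAIN, resolver failure: treat as not
        # listed, so an RBL outage cannot lock every user out.
        return False


def main() -> int:
    with os.fdopen(3, "rb") as fd:  # checkpassword passes credentials on fd 3
        user, _password, _ts = parse_checkpassword_input(fd.read(512))
    ip = os.environ.get("TCPREMOTEIP", "")
    listed = is_listed(ip)
    # Log the decision (never the password) for network-wide correlation.
    print(f"rbl-gate user={user!r} ip={ip!r} listed={listed}", file=sys.stderr)
    return 0 if listed else 1  # assumed mapping: 0 = listed, 1 = not listed


if __name__ == "__main__":
    sys.exit(main())
```

Requiring a 127.0.0.0/8 answer keeps a wildcard or hijacked DNS response from marking every client as listed.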