On Wed, 23 Mar 2022, mj wrote:
We are currently observing a high number of failed authentications for a specific user, coming from *many* different IPs across the globe, with most IPs only trying once or twice, making this difficult to block. The number of failed authentications causes this account to regularly become blocked in AD.
We would like to know if they are trying older actual passwords from the user, or if it's just dictionary attack.
Rather than messing around with dovecot configuration, I think you can process trace (strace?) the auth process and intercept read/write buffers to a few key low numbered sockets and extract username/plaintext passwords from them, filtering out those you don't need.
Sort of hacky, but avoids messing about with dovecot, or even restarting it.
You can possibly extend this by taking the auth information, and triggering a block if you recognize it as a dictionary attack, but it may be too late as your AD will see it by that point.
Joseph Tam jtam.home@gmail.com
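One way to post-process such a trace, as an added example that is not part of this thread or of Dovecot itself: it parses constructed strace read()/write() records carrying the documented Dovecot auth-client request ("AUTH <id> PLAIN ... rip=<ip> resp=<base64 SASL PLAIN>"), pulls out the username and remote IP, and instead of logging the cleartext guess compares its SHA-256 digest against an assumed list of digests of the user's previous passwords, tallying per source IP. The strace invocation in the comment, the descriptors and every sample value are assumptions or constructed data.

```python
import base64, binascii, hashlib, re
from collections import Counter

# One strace record of a read()/write() on the auth socket, e.g. captured with
# "strace -f -s 512 -e trace=read,write -p <auth pid>"; group 2 marks truncation.
IO_RE = re.compile(r'(?:read|write)\(\d+, "(.*)"(\.\.\.)?, \d+\)\s*=')

def unescape(s):
    """Undo strace's C-style escaping of the buffer (tabs, newlines, quotes)."""
    return (s.replace("\\t", "\t").replace("\\n", "\n")
             .replace('\\"', '"').replace("\\\\", "\\"))

def parse_auth_request(line):
    """Return (user, remote_ip, password) for an 'AUTH ... PLAIN' request, else None."""
    m = IO_RE.search(line)
    if not m or m.group(2):  # no I/O record, or strace truncated the buffer
        return None
    fields = unescape(m.group(1)).rstrip("\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH" or fields[2] != "PLAIN":
        return None
    kv = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
    try:  # SASL PLAIN payload is "<authzid>\0<authcid>\0<password>", base64 encoded
        parts = base64.b64decode(kv.get("resp", ""), validate=True).split(b"\0")
    except binascii.Error:
        return None
    if len(parts) != 3:
        return None
    return (parts[1].decode(errors="replace"), kv.get("rip", "?"),
            parts[2].decode(errors="replace"))

def classify(lines, known_old_digests):
    """Count attempts per (user, remote IP), split by whether the guess is one of
    the user's previous passwords. Only a SHA-256 digest of each guess is compared."""
    reused, dictionary = Counter(), Counter()
    for user, rip, password in filter(None, map(parse_auth_request, lines)):
        digest = hashlib.sha256(password.encode()).hexdigest()
        (reused if digest in known_old_digests else dictionary)[(user, rip)] += 1
    return reused, dictionary

# Constructed sample trace (not real strace output); each resp decodes to
# "\0john\0<password>" and the remote IPs are documentation ranges.
SAMPLE_TRACE = [
    'write(5, "AUTH\\t1\\tPLAIN\\tservice=imap\\tsecured\\tsession=s1\\tlip=10.0.0.1\\trip=203.0.113.5\\tresp=AGpvaG4AaHVudGVyMg==\\n", 104) = 104',
    'write(5, "AUTH\\t2\\tPLAIN\\tservice=imap\\tsecured\\tsession=s2\\tlip=10.0.0.1\\trip=198.51.100.7\\tresp=AGpvaG4AUGFzc3dvcmQx\\n", 105) = 105',
    'write(5, "AUTH\\t3\\tPLAIN\\tservice=imap\\tsecured\\tsession=s3\\tlip=10.0.0.1\\trip=192.0.2.9\\tresp=AGpvaG4AaHVudGVyMg==\\n", 102) = 102',
    'read(7, "hello\\n", 512) = 6',
]
# Constructed: SHA-256 digests of the user's previous passwords (here just "hunter2").
KNOWN_OLD = {hashlib.sha256(b"hunter2").hexdigest()}
```

Feed it the real trace file line by line; a source IP that lands in the "reused" counter is replaying a password the user actually had, while the rest is plain guessing.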