Re: [Dovecot] dnsbl feature for dovecot
Professa Dementia writes:
Looking at my POP3/IMAP logs, users enter wrong passwords all the time, then their mail client keeps trying to re-authenticate, giving the appearance of a slow rolling BFD. For example, I just grabbed this typical sample:
Jul 2 13:24:48 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:26:03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:26:13 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 9 secs): user=<x> ...
Jul 2 13:26:37 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:26:43 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:27:08 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:27:14 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:27:30 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:27:36 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Jul 2 13:27:51 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<x> ...
Brute force attempts are more intense, so I think these rules can be set harder to not risk plunking your users into blacklist hell. Also, some common role accounts (that don't exist on my system, e.g. "admin") will trigger an immediate blacklist here -- an easy way to shortcut the process.
I feel your pain and frustration. I do not believe there is an RBL list of offending IPs for brute force attacks ...
Maybe
http://www.blocklist.de/en/index.html
I use it for ssh BFD blocking, and it detects 2/3 of the IPs trying to do attempts. On their web page, they also list FTP, Web, and Mail login brute forcers, although I'm not sure whether "Mail" logins means IMAP, POP, SMTP-AUTH, or all of them.
You can also integrate this with fail2ban so that not only can you use it to block, but can also contribute to the global detection of brute forcers.
Joseph Tam <jtam.home@gmail.com>
On 7/3/2013 2:30 PM, Joseph Tam wrote:
Certainly, set the rules to whatever works for your system. My example is just what I used and it worked well for me.
Your example is why I specified that an attempt to login as a blocked account does *not* extend the blocking time. Otherwise, you run the risk of a rolling block that goes on forever.
Why are users on your system entering bad passwords all the time? Every major mail client can save passwords in a reasonably secure format so the feeble minded human is free of that burden. Even with webmail, the browser generally can save passwords. In fact, I feel this is safer. It eliminates keystroke loggers from getting the password.
It also makes it easier to enforce strong passwords. If the user had to type in a 16 character strong password each time (such as HjY6##k,F8Dl9sy1), many of them would certainly complain loudly and often. However, if the user can enter that password once into their chosen software and not have to remember it again, you get good protection from brute force attacks and happy users. Typing a password once is much easier than even typing "cat" 50,000 times over the course of several years.
Dem
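The three rules discussed in this thread (a block only when failures from one IP arrive in a burst, an immediate block when the login is for a role account that does not exist, and no extension of the block window when a blocked IP keeps trying) as an added example, not code from the thread, from Dovecot or from fail2ban. It is a small Python scorer run over constructed log lines in Dovecot's imap-login format; the thresholds, the year, and the use of the `rip=` field as the client address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables are assumptions, not values from the thread: 10 failures from one IP
# inside 60 s counts as brute force; a role account that does not exist here
# blocks at once; nothing extends a block that is already in place.
THRESHOLD, WINDOW, BLOCK_FOR = 10, timedelta(seconds=60), timedelta(minutes=30)
ROLE_ACCOUNTS = {"admin"}
YEAR = 2013  # syslog lines carry no year; assumed for parsing

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*imap-login: Aborted login "
    r"\(auth failed, .*\): user=<(?P<user>[^>]*)>.*\brip=(?P<rip>[\d.]+)")

def parse(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["rip"]

def evaluate(log_text):
    """Return ({ip: block_until}, number of failures seen from blocked IPs)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    blocked = {}                  # ip -> when its block expires
    seen_while_blocked = 0
    for ts, user, ip in sorted(e for e in map(parse, log_text.splitlines()) if e):
        if ip in blocked and ts < blocked[ip]:
            seen_while_blocked += 1   # counted, but the block is NOT extended
            continue
        if user in ROLE_ACCOUNTS:
            blocked[ip] = ts + BLOCK_FOR
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked[ip] = ts + BLOCK_FOR
            q.clear()
    return blocked, seen_while_blocked

# Constructed sample lines in Dovecot's imap-login format (rip= is the client IP).
FMT = ("Jul  2 13:{m:02d}:{s:02d} mail dovecot: imap-login: Aborted login "
       "(auth failed, 1 attempts in 5 secs): user=<{u}>, method=PLAIN, rip={ip}")
SAMPLE = [FMT.format(m=24 + i, s=48, u="alice", ip="198.51.100.7") for i in range(4)]  # a client retrying a stale saved password once a minute
SAMPLE += [FMT.format(m=26, s=i, u="bob", ip="203.0.113.9") for i in range(0, 30, 3)]  # 10 failures in 27 s
SAMPLE += [FMT.format(m=26, s=40, u="bob", ip="203.0.113.9"),   # arrives while already blocked
           FMT.format(m=27, s=0, u="admin", ip="192.0.2.33")]   # role account that does not exist

def demo():
    return evaluate("\n".join(SAMPLE))
```

Running `demo()` blocks only the bursting IP and the one probing "admin"; the slow once-a-minute retries never reach the threshold, and the attempt that arrives during the block is counted without pushing the expiry out.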