Recommendations on intrusion prevention/detection?
Dear all,
what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban? It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice.
Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?
Cheers,
Johannes
On 22/04/2020 15:29 Johannes Rohr <johannes@rohr.org> wrote:
One suggestion is to use dovecot's auth policy feature, which works with e.g. weakforced to apply such restrictions.
Aki
My email server is set up for port 587. I block all email ports other than port 25 from countries that I will not be sending email to or receiving email from. This is really only practical on a personal server. I also have a blocking file of data center IPs. Port 25 is still open to the world, but that has to be the case.
Firewalls are a bit RAM intensive but not CPU intensive.
I am not saying this is perfect. Rather I have reduced the number of jerks that can access my email. Prior to running my own email server, I used a hosted service. I got hacked from an exploit in roundcube from Morocco. I don't use webmail and while I'm sure Morocco is a fine country, I don't need email access from there. This is why I now run my own email.
Original Message
From: johannes@rohr.org Sent: April 22, 2020 5:30 AM To: dovecot@dovecot.org Subject: Recommendations on intrusion prevention/detection?
On 2020-04-22 5:29 a.m., Johannes Rohr wrote:
For the record, there is a patch pending which would allow dovecot to support CLIENTID two factor authentication.
https://github.com/dovecot/core/pull/86 (Please add your comments that you want to see this committed)
Also, a very powerful tool is to implement country authentication restrictions on a per user basis.
As well, make sure that you deprecate old fashioned POP/IMAP sending unencrypted login information.
The three most common attack vectors (and attack volumes have never been higher) are:
- Sniffed unencrypted credentials (Assume every home wifi router and CPE equipment are compromised ;)
- Re-used passwords where data is exposed from another site's breach (Users WANT to re-use passwords, this is where 2FA shines)
- Weak Passwords (Users like using weak passwords, so implement password restrictions)
Hackers are still brute forcing in incredible numbers, using the loosest 1012 passwords (or a smaller subset of about 64 patterns). If you have a user with a <username|domain>NNNN password, a < 8 char numeric, or one of the following, it is only a matter of time before it is compromised.
000000 111111 123123 123456 12345678 222222 333333 444444 555555 666666 696969 777777 888888 999999 abc123456 admin asdfgh asshole batman cheese fuckme fuckyou iloveu iloveyou letmein love master password princess P@ssw0rd qwerty secret sunshine superman trustno1
And of course, implement STRICT outbound rate limiters on all users.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
On 22. Apr 2020, at 19.14, Michael Peddemors <michael@linuxmagic.com> wrote:
The three most common attack vectors (and attack volumes have never been higher) are:
- Sniffed unencrypted credentials (Assume every home wifi router and CPE equipment are compromised ;)
- Re-used passwords where data is exposed from another site's breach (Users WANT to re-use passwords, this is where 2FA shines)
- Weak Passwords (Users like using weak passwords, so implement password restrictions)
Actually by far the biggest source of stolen credentials is viruses/trojans harvesting them.
Sami
On 2020-04-22 18:45, Sami Ketola wrote:
Actually by far the biggest source of stolen credentials is viruses/trojans harvesting them.
I tried blacklisting all IPs that got password errors, but that ends in big shorewall blrules, so I turned it over to just adding a whitelist into blrules where the IPs are known customers that don't abuse the server. That way my shorewall has a lot smaller config files to read and no kids from outside can abuse logins that way. Now I have made a PHP script that monitors where abusers are from without giving them access to the abused ports.
And I have seen trojans or malware reveal strong passwords as well; the battle is only as strong as the users using email programs.
So for now I see no failed logins anymore from the only whitelisted ASN range of trusted customers' IPs.
I just hope there would be a free, simple policy server for dovecot, not only for Dovecot Oy.
We are all in the same boat, don't let it sink.
On 2020-04-22 18:58, Aki Tuomi wrote:
You mean https://github.com/PowerDNS/weakforced ?
Yes, I need a detailed wiki on how to make that run with dovecot. I will make a gentoo ebuild if needed to get that out of PowerDNS; I hope to see it in dovecot contrib so I can add it to the gentoo portage maintainers.
On Wed, 22 Apr 2020, Johannes Rohr wrote:
It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks.
You could use VPN, which can enforce 2FA.
You can hack 2FA into IMAP or any protocol where you can control the backend authenticator. It's easier with time-based OTP (TOTP) token generators. Authenticate using the usual username and the concatenation of (user-password)(otp-token), then invalidate the otp-token to foil replay attacks.
The backend will have to split the credentials into individual factors that can be checked separately.
Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?
Start by defining "unusual". Once you have a characterization of unusual, implement the detection. For example,
- more than <n> failures?
- attempt to authenticate to non-existent generic accounts e.g. "root"?
- weird time of day?
- authentication from implausible geographic regions? (e.g. Chad)?
- logins from multiple geolocations in short time frames?
As the saying goes regarding the value of prevention vs cure, enforce good security habits for your users: password strength, endpoint malware protection, skepticism, etc.
Joseph Tam <jtam.home@gmail.com>
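A worked version of the "(user-password)(otp-token)" scheme Joseph describes, added here as an example and not code from his mail or from dovecot: the backend splits the trailing digits off the submitted credential, checks the password, verifies the digits as an RFC 6238 TOTP code, and remembers the highest accepted time step per user so the same token cannot be replayed. The user table, the plaintext password comparison and the `verify` function are assumptions made for the example; a real backend would store a password hash.

```python
import hashlib
import hmac
import struct
import time

TOTP_DIGITS = 6
TOTP_PERIOD = 30

# Constructed demo user store (assumption): real backends keep a password hash.
USERS = {
    "alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"},
}
# Highest TOTP time step already accepted per user; used to refuse replays.
LAST_STEP = {}


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(username: str, credential: str, now: float = None, window: int = 1) -> bool:
    """credential is <user-password><otp-token>. Split the factors, check each,
    and consume the time step so a sniffed credential is useless a second time."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or len(credential) <= TOTP_DIGITS:
        return False
    password, token = credential[:-TOTP_DIGITS], credential[-TOTP_DIGITS:]
    if not hmac.compare_digest(password, user["password"]):
        return False
    step = int(now) // TOTP_PERIOD
    # Accept the current step plus `window` steps either side for clock drift.
    for candidate in range(step - window, step + window + 1):
        if candidate <= LAST_STEP.get(username, -1):
            continue  # this step (or an earlier one) was already used: replay
        if hmac.compare_digest(token, hotp(user["totp_secret"], candidate)):
            LAST_STEP[username] = candidate
            return True
    return False
```

The secret and timestamps used in the checks below are the RFC 6238 test vectors, so the expected codes can be compared against the RFC's table.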
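The detection side of Joseph's list, as an added example that is not from the thread or from dovecot: a small analyzer that runs over log lines in the shape of dovecot's imap-login/auth messages and raises the heuristics he names (too many failures from one IP, attempts on generic non-existent accounts, connections from a country you never expect, and one user logging in from two countries within a short window). The sample log lines, the `GEO` table standing in for a GeoIP lookup, the expected-country list and the thresholds are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of dovecot imap-login/auth log lines, not a real capture.
LOG = """\
2020-04-22T09:02:11 imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, TLS
2020-04-22T09:02:40 imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, TLS
2020-04-22T03:14:02 imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, rip=192.0.2.9
2020-04-22T03:14:09 imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, rip=192.0.2.9
2020-04-22T03:14:15 imap-login: Disconnected (auth failed, 3 attempts): user=<carol>, rip=192.0.2.9
2020-04-22T03:15:01 auth: passwd-file(root,192.0.2.9): unknown user
2020-04-22T03:15:07 auth: passwd-file(admin,192.0.2.9): unknown user
"""
# Hypothetical stand-in for a GeoIP database lookup (assumption for the example).
GEO = {"203.0.113.5": "DE", "198.51.100.7": "BR", "192.0.2.9": "TD"}
GENERIC_ACCOUNTS = {"root", "admin", "test", "info"}

LOGIN = re.compile(r"^(\S+) imap-login: Login: user=<([^>]+)>.*?rip=([\d.]+)")
FAILED = re.compile(r"^(\S+) imap-login: Disconnected \(auth failed.*?user=<([^>]+)>.*?rip=([\d.]+)")
UNKNOWN = re.compile(r"^(\S+) auth: \S+\((\w+),([\d.]+)\): unknown user")


def analyze(log, max_failures=2, expected=("DE", "BR"), travel_window=timedelta(hours=1)):
    """Return a sorted list of (rule, subject) alerts for the 'unusual' heuristics."""
    alerts = set()
    failures = Counter()          # failed or unknown-user attempts per remote IP
    logins = defaultdict(list)    # successful logins per user: (time, ip)
    for line in log.splitlines():
        if m := LOGIN.match(line):
            ts, user, ip = m.groups()
            logins[user].append((datetime.fromisoformat(ts), ip))
        elif m := FAILED.match(line):
            ts, user, ip = m.groups()
            failures[ip] += 1
        elif m := UNKNOWN.match(line):
            ts, user, ip = m.groups()
            failures[ip] += 1
            if user in GENERIC_ACCOUNTS:
                alerts.add(("generic-account", f"{user}@{ip}"))
        else:
            continue
        if GEO.get(ip, "??") not in expected:
            alerts.add(("unexpected-country", ip))
    for ip, n in failures.items():
        if n > max_failures:
            alerts.add(("too-many-failures", ip))
    for user, events in logins.items():
        events.sort()
        # Consecutive logins from different countries closer together than travel allows.
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if GEO.get(ip1) != GEO.get(ip2) and t2 - t1 <= travel_window:
                alerts.add(("impossible-travel", user))
    return sorted(alerts)
```
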
I have PFSense too and it rocks!
On Apr 22, 2020, at 14:52, byalefp@yahoo.com.br wrote:
Usually I use pfsense as the main firewall, with snort blocking all kinds of scans and other things.
Fail2ban triggering after 3 unsuccessful tries, and lastly iptables if Linux or ipfw if FreeBSD.
Keeping pfsense synced with intrusion lists is a must have.
And lastly, bans are not temporary on my setup; they are forever, except if a real user, after validating his info/data, calls to unblock him.
There are some guides around about dealing with postscreen, but I never got that working... RBL and Spamhaus lists on the mail server and on DNS are another must have.
Good luck
Regards,
Alexandre Fernandes Pedrosa
Visite: https://alexandrepedrosa.com
PGP Key: https://alexandrepedrosa.com/keys/0xE830E3336A873BE6.asc
Fingerprint: 4D63 0DEC FDA4 A8D3 DF75 94DB E830 E333 6A87 3BE6
This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received this message by mistake, please return the e-mail and delete it from your files.
Any unauthorized use or dissemination of this message or part of it is expressly prohibited.
Note: "The contents of this e-mail are confidential and may be privileged.
This e-mail is intended for the exclusive use of the addressee(s) stated above.
If you are not the intended addressee, please contact us immediately and delete this message from your computer, you should not copy this e-mail or disclose its contents to any other person."
On 22 Apr 2020 09:29, Johannes Rohr <johannes@rohr.org> wrote:
On 2020-04-22 2:52 p.m., byalefp@yahoo.com.br wrote:
Just one comment.. permanent iptables bans on SSL/TLS authentication ports are no longer a viable option, e.g. you would not want to block the airport's IP just because one person had an infection on his laptop..
Carrier Grade NAT, WIFI hotspots etc. would all be affected.
Long term, move towards 2FA; short term, block specific user auth/IP combinations, but that won't happen in iptables.. In our case it is proprietary methods, but using a memcache entry is a highly scalable way to record suspicious login attempts with enough information so that you only block the attacker, and not the IP, for varying lengths of time.
Or as mentioned, temp blocking with fail2ban is an option that is workable and easy for most people.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
On 22/04/2020 20.29, Johannes Rohr wrote:
Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?
I'd generally set up a short ban on logins originally, and then a second, longer ban for 'repeat offenders'. You basically look through the fail2ban log, and if an IP has been banned, say, 5 times in 24 hours, then you ban it for a much longer time.
Here's one example. There are others. https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offende...
P.
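The repeat-offender rule described above, as an added example that is not from the mail or from the linked project: it scans lines in the shape of fail2ban's `fail2ban.actions` "Ban" messages and reports every IP banned at least `threshold` times inside any sliding 24-hour window, which is the list you would feed to a longer jail. The log lines are constructed, and the jail name, threshold and window are parameters you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of fail2ban.actions log lines (not a real log).
FAIL2BAN_LOG = """\
2020-04-22 01:00:00,101 fail2ban.actions [812]: NOTICE [dovecot] Ban 192.0.2.9
2020-04-22 02:30:00,102 fail2ban.actions [812]: NOTICE [dovecot] Unban 192.0.2.9
2020-04-22 05:00:00,103 fail2ban.actions [812]: NOTICE [dovecot] Ban 192.0.2.9
2020-04-22 09:00:00,104 fail2ban.actions [812]: NOTICE [dovecot] Ban 192.0.2.9
2020-04-22 13:00:00,105 fail2ban.actions [812]: NOTICE [dovecot] Ban 192.0.2.9
2020-04-22 17:00:00,106 fail2ban.actions [812]: NOTICE [dovecot] Ban 192.0.2.9
2020-04-22 18:00:00,107 fail2ban.actions [812]: NOTICE [dovecot] Ban 198.51.100.7
2020-04-23 18:30:00,108 fail2ban.actions [812]: NOTICE [dovecot] Ban 198.51.100.7
2020-04-24 18:30:00,109 fail2ban.actions [812]: NOTICE [dovecot] Ban 198.51.100.7
"""
BAN = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(\S+)\] Ban (\S+)"
)


def repeat_offenders(log, jail="dovecot", threshold=5, window=timedelta(hours=24)):
    """Return {ip: total_bans} for IPs banned at least `threshold` times within
    any sliding `window` in `jail`. Unban lines are ignored on purpose: only the
    number of fresh bans matters for escalation."""
    bans = defaultdict(list)
    for line in log.splitlines():
        m = BAN.match(line)
        if m and m.group(2) == jail:
            bans[m.group(3)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    offenders = {}
    for ip, times in bans.items():
        times.sort()
        # Slide a window of `threshold` consecutive bans; if it fits in `window`, escalate.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders[ip] = len(times)
                break
    return offenders
```
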
participants (10)
- Aki Tuomi
- Benny Pedersen
- byalefp@yahoo.com.br
- Johannes Rohr
- Joseph Tam
- lists
- Michael Peddemors
- Plutocrat
- Remo Mattei
- Sami Ketola