[Dovecot] Using checkpassword to block ips?
Hi new to the list, but we are a long time user of Dovecot via DirectAdmin control panel.
We, like everyone else, are seeing an increase in dictionary attacks of POP/IMAP. We want to block them.
I've searched the mailing list and found a few that recommended fail2ban, which really won't work for our case. We need to do this over many machines, not one or two. We also like to gather info at the network-wide level. Hackers know about attacking specific servers/IPs too often, and we've seen much more distributed attacks that go under the radar of a single-server monitoring setup.
We've designed our own system and use a local RBL to distribute the blocked IPs. For ftp and ssh attacks it's worked very well. We would like to use the RBL to do the same with dovecot.
From my research it appears the best way to do this (and currently the only way) is with the checkpassword option. I haven't gotten it to work yet. We have:
passdb checkpassword {
    args = /usr/local/bin/checkpassword
    deny = yes
}
As the first auth. This should reject the connection if the IP matches. checkpassword can see the TCPREMOTEIP environment variable.
In the checkpassword script we have:
#!/usr/bin/perl

sub read_uinfo {
    my ($user, $passwd, $apop_ts);
    open X, "<&=3" or exit 111;
    $_ = <X>;    # ugly; should use sysread instead
    ($user, $passwd, $apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
    while (<X>) {}
    close X;
    return ($user, $passwd, $apop_ts);
}

($user, $passwd, $apop_ts) = $debug ? (shift, shift, shift) : read_uinfo;

$ipaddr = $ENV{TCPREMOTEIP};
$result = system("/usr/sbin/checkdnsbl $ipaddr");
if ($result == 0) {
    @ENV{"SHELL", "USER", "HOME"} = ($shell, $user, $home);
    exit 0;
} else {
    exit 1;
}
My questions are as follows:
- Can the deny = yes be used with checkpassword?
- What am I doing wrong with the script? It should reject only the connections that are in the RBL. It blocks all of them.
-L
-- Larry Ludwig Empowering Media 1-866-792-0489 x600 Managed and Unmanaged Xen VPSes http://www.hostcube.com/
On Sun, 2008-06-15 at 19:04 -0400, Larry Ludwig wrote:
if ( $result == 0) { @ENV{"SHELL","USER","HOME"} = ($shell,$user,$home); exit 0; } else { exit 1; }
If you want to allow the user, the deny=yes passdb check must fail. So exit with 1 in that case.
With deny=yes Dovecot doesn't care about shell or home. USER is most likely also useless unless your check changes it.
If you want to block the user, the checkpassword must succeed. exit 0 doesn't mean success. You have to execute the checkpassword-reply binary as specified by http://wiki.dovecot.org/PasswordDatabase/CheckPassword
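The deny-passdb semantics described above, as an added example that is not Larry's script and not Dovecot's own code: the script execs checkpassword-reply (which Dovecot passes as the first argument) only when the client address is listed in the RBL, and exits 1 otherwise. The RBL zone name is a placeholder, and doing the lookup with a plain DNS query instead of the checkdnsbl binary is an assumption.

```perl
#!/usr/bin/perl
# Added example for a "deny = yes" checkpassword passdb (not the poster's
# script and not Dovecot's own code). Dovecot invokes the script with the
# path of checkpassword-reply as its first argument and the client address
# in TCPREMOTEIP. Behaviour:
#   listed in the RBL  -> exec checkpassword-reply ("success"), so deny applies
#   not listed         -> exit 1 ("failure"), so the next passdb authenticates
use strict;
use warnings;
use Socket qw(inet_aton);

# Assumption: placeholder zone name standing in for your local RBL.
my $RBL_ZONE = 'rbl.example.invalid';

# Read and discard fd 3 (user\0password\0timestamp\0). The values are not
# needed for an IP check, but fd 3 must be consumed and closed.
sub drain_fd3 {
    open(my $fh, '<&=', 3) or exit 111;   # 111 = temporary failure
    my $buf;
    1 while sysread($fh, $buf, 512);
    close $fh;
}

# Returns 1 if the dotted-quad $ip is listed in $zone, 0 otherwise.
# DNSBL convention: reverse the octets, append the zone, and treat any
# answer to the A query as "listed".
sub ip_is_listed {
    my ($ip, $zone) = @_;
    my @octets = ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
        or return 0;
    my $name = join('.', reverse @octets) . ".$zone";
    return defined(inet_aton($name)) ? 1 : 0;
}

drain_fd3();
my $reply = $ARGV[0] or exit 111;            # checkpassword-reply path
my $ip    = $ENV{TCPREMOTEIP} || '';

if (ip_is_listed($ip, $RBL_ZONE)) {
    # Listed: report success; with deny = yes Dovecot rejects the login.
    exec { $reply } $reply or exit 111;
}

# Not listed: fail this passdb so the real passdb gets to check the password.
exit 1;
```

Because the environment is passed through to checkpassword-reply unchanged, no SHELL, HOME or USER handling is needed for a deny-only passdb.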
Timo Sirainen wrote:
On Sun, 2008-06-15 at 19:04 -0400, Larry Ludwig wrote:
if ( $result == 0) { @ENV{"SHELL","USER","HOME"} = ($shell,$user,$home); exit 0; } else { exit 1; }
If you want to allow the user, deny=yes passdb check must fail. So exit with 1 in that case.
With deny=yes Dovecot doesn't care about shell or home. USER is most likely also useless unless your check changes it.
If you want to block the user, the checkpassword must succeed. exit 0 doesn't mean success. You have to execute the checkpassword-reply binary as specified by http://wiki.dovecot.org/PasswordDatabase/CheckPassword
OK thanks, I'll look into this.
-L