[Dovecot] disconnect after too many errors?
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Does dovecot have this? A simple look shows no.
-- I wouldn't mind dying -- it's that business of having to stay dead that scares the shit out of me. -- R. Geis
On Sat, 8 Dec 2007, Peter Hessler wrote:
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
I would use fail2ban, which listens for log files and then adds firewall rules banning the idiots or alternately uses hosts.deny to ban the idiots. (I personally prefer the use of hosts.deny.)
-- Asheesh.
-- Do you know the difference between a yankee and a damyankee?
A yankee comes south to *visit*.
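The fail2ban approach above, reduced to its core rule: scan the login log for failures per remote IP, and ban any IP that reaches maxretry failures inside a findtime window. This is an added illustration, not fail2ban's or Dovecot's code; the sample log lines are constructed in the style of Dovecot's imap-login/pop3-login "Aborted login" messages, and the daemon name used in the hosts.deny output is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on Dovecot's login-failure messages
# (assumption: a real log may differ in detail, e.g. extra fields).
SAMPLE_LOG = """\
Dec  8 23:10:01 mail dovecot: imap-login: Aborted login: user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec  8 23:10:03 mail dovecot: imap-login: Aborted login: user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec  8 23:10:05 mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec  8 23:10:09 mail dovecot: imap-login: Login: user=<peter>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Dec  8 23:10:40 mail dovecot: imap-login: Aborted login: user=<peter>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Dec  8 23:11:20 mail dovecot: imap-login: Aborted login: user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""

# Matches only failed logins and captures the syslog timestamp and remote IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Aborted login: user=<[^>]*>, method=\S+, rip=(?P<rip>[\d.]+)"
)

def failed_logins(log_text, year=2007):
    """Yield (timestamp, remote_ip) for every login failure in the log.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rip"]

def ips_to_ban(log_text, maxretry=3, findtime=timedelta(seconds=60)):
    """Return IPs with at least maxretry failures inside any findtime window,
    the same sliding-window rule a fail2ban jail applies."""
    by_ip = defaultdict(list)
    for ts, ip in failed_logins(log_text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return sorted(banned)

def hosts_deny_lines(ips, daemon="dovecot"):
    """Render hosts.deny entries. The daemon name is assumed; it must match
    whatever name the tcpwrappers-aware service checks against."""
    return [f"{daemon}: {ip}" for ip in ips]
```

With the constructed log, 203.0.113.7 fails three times in four seconds and is banned, while the single typo from 198.51.100.4 is left alone.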
On 9.12.2007, at 0.16, Peter Hessler wrote:
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Does dovecot have this? A simple look shows no.
It's hardcoded to src/imap-login/client.c:
#define CLIENT_MAX_BAD_COMMANDS 10
On 2007 Dec 09 (Sun) at 00:20:11 +0200 (+0200), Timo Sirainen wrote:
On 9.12.2007, at 0.16, Peter Hessler wrote:
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Does dovecot have this? A simple look shows no.
It's hardcoded to src/imap-login/client.c:
#define CLIENT_MAX_BAD_COMMANDS 10
It looks like that doesn't apply to failed logins.
-- A witty saying proves nothing, but saying something pointless gets people's attention.
On 9.12.2007, at 0.23, Peter Hessler wrote:
On 2007 Dec 09 (Sun) at 00:20:11 +0200 (+0200), Timo Sirainen wrote:
On 9.12.2007, at 0.16, Peter Hessler wrote:
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Does dovecot have this? A simple look shows no.
It's hardcoded to src/imap-login/client.c:
#define CLIENT_MAX_BAD_COMMANDS 10
It looks like that doesn't apply to failed logins.
It doesn't, and I don't think it should. A better idea would probably
be to double the delay for each failed login.
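The "double the delay for each failed login" policy Timo describes, written out as a per-connection throttle (added example, not Dovecot's code): each failure doubles the pause before the failure is even reported, the pause is capped so a single connection cannot be made to hang forever, and a hard failure limit still closes the connection, which is what the original question asked for. The sleep function is injectable so the behaviour can be checked without actually waiting.

```python
import time

class LoginThrottle:
    """Per-connection login throttle combining two policies:
    exponential delay after each failed authentication, and a disconnect
    once max_failures is reached. Illustrative only (assumed design)."""

    def __init__(self, base_delay=1.0, max_delay=30.0, max_failures=8,
                 sleep=time.sleep):
        self.base_delay = base_delay      # pause after the first failure
        self.max_delay = max_delay        # upper bound on the pause
        self.max_failures = max_failures  # failures before disconnect
        self.failures = 0                 # consecutive failures so far
        self.sleep = sleep                # injectable for testing

    def next_delay(self):
        """Pause charged for the most recent failure: base, 2*base, 4*base,
        ... capped at max_delay; zero when nothing has failed yet."""
        if self.failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)

    def attempt(self, check_password):
        """Run one authentication attempt and return 'ok', 'fail' or
        'disconnect'. On failure the pause is applied before the negative
        reply is sent, so a guesser cannot speed up by guessing more."""
        if check_password():
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            return "disconnect"   # hard limit: close without further delay
        self.sleep(self.next_delay())
        return "fail"

def total_wait_for_guesses(n, **kwargs):
    """Seconds a single connection is stalled for n wrong guesses (or until
    it is disconnected), useful for sizing base_delay and max_delay."""
    waited = []
    throttle = LoginThrottle(sleep=waited.append, **kwargs)
    for _ in range(n):
        if throttle.attempt(lambda: False) == "disconnect":
            break
    return sum(waited)
```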
On Sat, 8 Dec 2007, Peter Hessler wrote:
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Another suggestion via PAM:
"pam_shield blocks IPs" http://www.ka.sara.nl/home/walter/pam%5Fshield/README.txt describes http://www.ka.sara.nl/home/walter/pam%5Fshield/ .
I still think that fail2ban is a better approach.
-- Asheesh.
-- Sendmail may be safely run set-user-id to root. -- Eric Allman, "Sendmail Installation Guide"
On 2007-12-09 11:13:09 -0800, Asheesh Laroia wrote:
On Sat, 8 Dec 2007, Peter Hessler wrote:
There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Another suggestion via PAM:
"pam_shield blocks IPs" http://www.ka.sara.nl/home/walter/pam%5Fshield/README.txt describes http://www.ka.sara.nl/home/walter/pam%5Fshield/ .
I still think that fail2ban is a better approach.
or just iptables:
iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force attack "
iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A input_ext -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org