[Dovecot] Feature request: usernames and passwords
A relatively recent development that spammers got wind of is users that have username==password, with/without the domain. I am tracking numerous 1-off attempts from bots to gain access to mailboxes this way. Situation isn't made any better if you're also using dovecot as SMTP AUTH provider for I am ashamed to admit I've relayed some spam that way. Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
Timo Sirainen wrote:
On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
What passdb do you use?
passwd-file with md5-crypt though I could easily swap it for an SQL variant. I think I'll be fairly shielded from this kind of things in the future, just brought it up because all of us here manage people's mails one way or another.
On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
Timo Sirainen wrote:
On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
What passdb do you use?
passwd-file with md5-crypt though I could easily swap it for an SQL variant.
With SQL this should be pretty easy to do. If password matches username ('%w' = '%u') have it return 'y' as nologin and 'bad password' as reason.
I think I'll be fairly shielded from this kind of things in the future, just brought it up because all of us here manage people's mails one way or another.
I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
Timo Sirainen wrote:
On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
Timo Sirainen wrote:
On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
What passdb do you use?
passwd-file with md5-crypt though I could easily swap it for an SQL variant.
With SQL this should be pretty easy to do. If password matches username ('%w' = '%u') have it return 'y' as nologin and 'bad password' as reason.
Correct. Should be fairly easy to do - just need a compatible crypt() function in SQL. Never thought of that.
I think I'll be fairly shielded from this kind of things in the future, just brought it up because all of us here manage people's mails one way or another.
I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
Indeed, though it seems that someone went out of their way to have their password changed to this and I was worried that a similar loop-hole exists that I'm not aware of. Anyway thanks for the tip.
On 07/21/2010 02:35 PM Thanos Chatziathanassiou wrote:
Correct. Should be fairly easy to do - just need a compatible crypt() function in SQL. Never thought of that.
MySQL's encrypt() is your friend: select encrypt('foo', 'ab'); select encrypt('foo', '$1$01234567'); select encrypt('foo', '$5$rounds=1000$0123456789abcdef'); select encrypt('foo', '$6$rounds=1000$0123456789abcdef');
Regards, Pascal
The trapper recommends today: http://kopfkrebs.de/mitarbeiter/mitarbeiter_der_woche.html
Em 21/07/2010 09:18, Timo Sirainen escreveu:
I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
i completly agree that dovecot is not the place for enforcing password policies nor checking them.
but, still on the subject, maybe dovecot could have some features for helping sysadmins to avoid/mitigate brute-force attacks. As told, some bots tries username=password, but those fuckers (the bots) also tries lots of common passwords, 123, 1234, the username followed by some numbers, and lots of others.
of course, if the provided password is not correct, dovecot denies access as it should .... but in those situations, logs can get pretty filled with login failed messages, specially on servers with lots of accounts. And, in some cases, after lots of tries, the bot can found the correct username/password combination.
i was thinking on something like ...after N tries (lets say 10 for example) of wrong username/password combinations, dovecot could start delaying the answers for wrong authentications coming from that specific IP address or IP/username, thus slowing down the brute-force attacks; 1.1) or even, after some M (lets say 20 for example) wrong username/password combinations, dovecot could ban that IP address (or IP address/username combination to avoid problem with big networks with NAT access) for XX seconds/minutes, also slowing down the brute-force attack tries 1.2) this could probably be implemented using some in-memory internal backend, so it would be absolutely independent on passdb schema and would require no modifications on passdb schema.
the original message says about bot brute-force attacks, but we can be facing REAL brute-force attacks against a specific account .... and i think that some features to help mitigate those could indeed be interesting. And if those features exists, they could surely help on those brute-force attacks coming from dumb bots as well.
it wont solve the username=password specific case, but could help on real or bot brute-force attacks.
what do you think on that Timo ?
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email itOp 21 jul 2010, om 15:06 heeft Leonardo Rodrigues het volgende geschreven:
Em 21/07/2010 09:18, Timo Sirainen escreveu:
I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
i completly agree that dovecot is not the place for enforcing password policies nor checking them.
but, still on the subject, maybe dovecot could have some features for helping sysadmins to avoid/mitigate brute-force attacks. As told, some bots tries username=password, but those fuckers (the bots) also tries lots of common passwords, 123, 1234, the username followed by some numbers, and lots of others.
of course, if the provided password is not correct, dovecot denies access as it should .... but in those situations, logs can get pretty filled with login failed messages, specially on servers with lots of accounts. And, in some cases, after lots of tries, the bot can found the correct username/password combination.
i was thinking on something like ...
after N tries (lets say 10 for example) of wrong username/password combinations, dovecot could start delaying the answers for wrong authentications coming from that specific IP address or IP/username, thus slowing down the brute-force attacks; 1.1) or even, after some M (lets say 20 for example) wrong username/password combinations, dovecot could ban that IP address (or IP address/username combination to avoid problem with big networks with NAT access) for XX seconds/minutes, also slowing down the brute-force attack tries 1.2) this could probably be implemented using some in-memory internal backend, so it would be absolutely independent on passdb schema and would require no modifications on passdb schema.
the original message says about bot brute-force attacks, but we can be facing REAL brute-force attacks against a specific account .... and i think that some features to help mitigate those could indeed be interesting. And if those features exists, they could surely help on those brute-force attacks coming from dumb bots as well.
it wont solve the username=password specific case, but could help on real or bot brute-force attacks.
what do you think on that Timo ?
Have a look at fail2ban, this is exactly what you need.
--
Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email gertrudes@solutti.com.br My SPAMTRAP, do not email it
YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Em 21/07/2010 10:08, Martijn de Munnik escreveu:
the original message says about bot brute-force attacks, but we can be facing REAL brute-force attacks against a specific account .... and i think that some features to help mitigate those could indeed be interesting. And if those features exists, they could surely help on those brute-force attacks coming from dumb bots as well.
it wont solve the username=password specific case, but could help on real or bot brute-force attacks.
what do you think on that Timo ?
Have a look at fail2ban, this is exactly what you need.
no, fail2ban is not exactly what i need. fail2ban is FAR from acchieving what i wrote ...
yes, fail2ban can ban an IP after wrong trials ..... but simply banning the IP (and maybe not the IP/username combination) can be a problem for companies that have lots of computers and access through NAT, ie, a single internet IP address. fail2ban also cannot slow down replies for wrong username/password combinations.
fail2ban is a nice add-on for any system, but having something done by the daemon and not by some third-party log analyzer can make things MUCH smarter and MUCH more flexible.
thanks for your tip, i already use fail2ban ... but that's far from acchieving some more flexible rules that can be done when the daemon has some anti-brute-force features.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email itOn Qua, 21 Jul 2010, Leonardo Rodrigues wrote:
i completly agree that dovecot is not the place for enforcingpassword policies nor checking them.
but, still on the subject, maybe dovecot could have somefeatures for helping sysadmins to avoid/mitigate brute-force
attacks. As told, some bots tries username=password, but those
fuckers (the bots) also tries lots of common passwords, 123, 1234,
the username followed by some numbers, and lots of others.of course, if the provided password is not correct, dovecotdenies access as it should .... but in those situations, logs can
get pretty filled with login failed messages, specially on servers
with lots of accounts. And, in some cases, after lots of tries, the
bot can found the correct username/password combination.[snip]
I think none of this is dovecot's function. Let's keep the UNIX
filosophy: one tool does one function, and does that function well.
Dovecot is an execellent mail server. It should not be turned into a
monster Windows-like application that does dozens of
not-really-quite-related things.
What you want can be done with other tools.
-- Eduardo M KALINOWSKI eduardo@kalinowski.com.br
Em 21/07/2010 10:30, Eduardo M KALINOWSKI escreveu:
I think none of this is dovecot's function. Let's keep the UNIX filosophy: one tool does one function, and does that function well. Dovecot is an execellent mail server. It should not be turned into a monster Windows-like application that does dozens of not-really-quite-related things.
the idea of 'one tool does one function (OTDOF) ' is indeed interesting, but can be interpreted by several ways.
for instance, dovecot does NOT 'one function only'. It does a REAL LOT of functions. It's a pop3 server as well as imap4 one, with or without SSL for both protocols. It can read mailboxes, maildirs and some others i've never used myself. It can even deliver messages to mailboxes/maildirs, having the password backend in several different ways (passwd file, MySQL, LDAP, etc etc). It can check and enforce quotas. It's not a completly mail server, as you regarded, because it cannot do the SMTP part, which is pretty important for a mail server to fully operate. Even tough, it does a LOT of things.
i completly agree that dovecot should not try to have, for example, a builtin admin interface for managing users ... because managing users is completly dependable on the password backend used, and schemas can be VERY different from one user to another. It would be nonsense trying to have that, a builtin interface for managing user. That i agree would not fit the 'one tool does one function'. Managing user is not dovecot's problem as well as checking/enforcing password policies, as discussed before on this thread.
but, regarding what it already do, delivering messages by pop3/imap4 protocol for users, i really think adding security features wouldnt be bad idea. And indeed, as confirmed by Pascal, some of those are already built in dovecot 2.0 RCs.
the OTDOF is really hard to apply on some full-feature daemons we're used to have on unix world, for example: dovecot, postfix/qmail/exim, apache, clamav, etc etc etc. All of them (and lots of other daemons) does a LOT of things, all of them as a part of the main daemon goal. It's really hard to stay on the OTDOF on those full-featured daemons. It's easy to keep the OTDOF idea on basic and small command-line utilities, like cat cp rm .... but not on the full-featured modern daemons.
and, in the real world we live, having security features do not brake the 'one tool does one function' at all on my understandings of that. In fact, if those security features are there to help the security of the daemon main goal, whatever the main goal is, they're VERY welcome to me.
we dont need to carry this on anymore, as seems lots of good things are already on dovecot 2.0 RCs .... proving that dovecot authors do think that increasing security is in the main goal of dovecot development plans.
thanks for all who help dovecot being each day a better software, those who code things as well as those who test new features on the RCs, those who make new features requests, those who help others here on the mailing list .... thanks for all.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email itOn 07/21/2010 03:06 PM Leonardo Rodrigues wrote:
i was thinking on something like ...
- after N tries (lets say 10 for example) of wrong username/password combinations, dovecot could start delaying the answers for wrong authentications coming from that specific IP address or IP/username, thus slowing down the brute-force attacks; 1.1) or even, after some M (lets say 20 for example) wrong username/password combinations, dovecot could ban that IP address (or IP address/username combination to avoid problem with big networks with NAT access) for XX seconds/minutes, also slowing down the brute-force attack tries 1.2) this could probably be implemented using some in-memory internal backend, so it would be absolutely independent on passdb schema and would require no modifications on passdb schema.
Install dovecot 2.0.rc3 and try to 'break in'. You will see how dovecot
slows down your 'attack'. When you test it with your botnet ( ;-) ), use
doveadm penalty to see current penalties.
Regards, Pascal
The trapper recommends today: deadbeef.1020215@localdomain.org
Em 21/07/2010 10:32, Pascal Volk escreveu:
Install dovecot 2.0.rc3 and try to 'break in'. You will see how dovecot slows down your 'attack'. When you test it with your botnet ( ;-) ), use
doveadm penaltyto see current penalties.
wooow nice to hear that .... i have not tried 2.0RC yet, but i'm glad on hearing that some 'penalty' policies were introduced !!!
thanks for your tip Pascal !!!--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email itPascal Volk wrote:
On 07/21/2010 03:06 PM Leonardo Rodrigues wrote:
i was thinking on something like ...
- after N tries (lets say 10 for example) of wrong username/password combinations, dovecot could start delaying the answers for wrong authentications coming from that specific IP address or IP/username, thus slowing down the brute-force attacks; 1.1) or even, after some M (lets say 20 for example) wrong username/password combinations, dovecot could ban that IP address (or IP address/username combination to avoid problem with big networks with NAT access) for XX seconds/minutes, also slowing down the brute-force attack tries 1.2) this could probably be implemented using some in-memory internal backend, so it would be absolutely independent on passdb schema and would require no modifications on passdb schema.
Install dovecot 2.0.rc3 and try to 'break in'. You will see how dovecot slows down your 'attack'. When you test it with your botnet ( ;-) ), use
doveadm penaltyto see current penalties.
I should note that the patterns of attack we are seeing are extremely sophisticated. They are going out of their way to be "stealth" with respect to detection strategies. We do still see the focused brute force attacks where one IP futilely hammers at root (never allowed anyway), and where an IP tries all the various default system and application accounts. However, it seems that attacks are now going to distributed against distributed. That is to say, a large botnet (I recently identified 1235 IPs in one day cooperating in an attack) has a large list of hosts it wants to hit, and they randomize the hits across botnet IPs, across hosts, and across accounts being hit, with time delays between hits for any one host. You see this by looking across multiple servers and seeing the same IP trying different accounts across different servers, or the same account being tried by different IPs across different servers, and the accounts incrementing alphabetically, even though the IP trying them is changing.
I have only been able to tag these manually in a text oriented editor with multiple grep patterns to remove legitimate entries before I compile the list of IPs to be blocked. Then those are run through another script that does NS lookups and checks against already blocked IPs. What is left, I scan with my own eyes and remove things that could possibly be our own users.
Not an easy thing to deal with.
The odds of their getting into any particular server are slim, but that's multiplied by the huge number of servers they are hitting.
After blocking those, I continue to see steady streams of access denied in my auth logs, even weeks later.
These attempts are typically preceded with similarly distributed port scans and will hit whatever ports and protocols are available. I see mostly ssh, but also a significant number of attacks on pop3.
--
Chris Hoogendyk
- O__ ---- Systems Administrator c/ /'_ --- Biology & Geology Departments (*) \(*) -- 140 Morrill Science Center
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
Only a wild guess: Did you set: disable_plaintext_auth = no?
I've the default (disable_plaintext_auth = yes + ssl*) settings. _Sometimes_ I find log entries like: dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=1.2.3.4, lip=5.6.7.8, mpid=0
Oh, and only pop3-login, no attacks against imap-login.
Regards, Pascal
The trapper recommends today: fabaceae.1020217@localdomain.org
Check out splunk (or similar) for multiple disparate event log correlations.
-----Original Message----- From: dovecot-bounces+jkrejci=usinternet.com@dovecot.org [mailto:dovecot-bounces+jkrejci=usinternet.com@dovecot.org] On Behalf Of Chris Hoogendyk Sent: Wednesday, July 21, 2010 10:19 AM To: Dovecot Mailing List Subject: Re: [Dovecot] Feature request: usernames and passwords
I should note that the patterns of attack we are seeing are extremely sophisticated. They are going out of their way to be "stealth" with respect to detection strategies. We do still see the focused brute force attacks where one IP futilely hammers at root (never allowed anyway), and where an IP tries all the various default system and application accounts. However, it seems that attacks are now going to distributed against distributed. That is to say, a large botnet (I recently identified 1235 IPs in one day cooperating in an attack) has a large list of hosts it wants to hit, and they randomize the hits across botnet IPs, across hosts, and across accounts being hit, with time delays between hits for any one host. You see this by looking across multiple servers and seeing the same IP trying different accounts across different servers, or the same account being tried by different IPs across different servers, and the accounts incrementing alphabetically, even though the IP trying them is changing.
I have only been able to tag these manually in a text oriented editor with multiple grep patterns to remove legitimate entries before I compile the list of IPs to be blocked. Then those are run through another script that does NS lookups and checks against already blocked IPs. What is left, I scan with my own eyes and remove things that could possibly be our own users.
Not an easy thing to deal with.
The odds of their getting into any particular server are slim, but that's multiplied by the huge number of servers they are hitting.
After blocking those, I continue to see steady streams of access denied in my auth logs, even weeks later.
These attempts are typically preceded with similarly distributed port scans and will hit whatever ports and protocols are available. I see mostly ssh, but also a significant number of attacks on pop3.
--
Chris Hoogendyk
- O__ ---- Systems Administrator c/ /'_ --- Biology & Geology Departments (*) \(*) -- 140 Morrill Science Center
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
Justin Krejci wrote:
Check out splunk (or similar) for multiple disparate event log correlations.
I'm not really looking for solutions right now. I just wanted to comment on the "stealth" techniques in use by those running botnets.
When I do look for solutions, I prefer open source tools that are minimalist to the extent possible. Thus, I chose mon (http://mon.wiki.kernel.org/) for monitoring systems and services, and I would first consider SEC (http://simple-evcorr.sourceforge.net/) for correlating events in logs from multiple servers. That's just a personal preference, though.
Chris Hoogendyk
- O__ ---- Systems Administrator c/ /'_ --- Biology & Geology Departments (*) \(*) -- 140 Morrill Science Center
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
Thanos Chatziathanassiou wrote:
A relatively recent development that spammers got wind of is users that have username==password, with/without the domain. I am tracking numerous 1-off attempts from bots to gain access to mailboxes this way. Situation isn't made any better if you're also using dovecot as SMTP AUTH provider for I am ashamed to admit I've relayed some spam that way. Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
Dovecot isn't the place for this...
Use cracklib (on linuix - the equivalent for whatever OS you are using if not linux) with your passdb backend, and simply force users to use strong passwords, period.
In this day and age any sys admin who isn't doing this is just asking to be hacked.
On Wed, 21 Jul 2010 14:29:10 +0300 Thanos Chatziathanassiou tchatzi@arx.net articulated:
A relatively recent development that spammers got wind of is users that have username==password, with/without the domain. I am tracking numerous 1-off attempts from bots to gain access to mailboxes this way. Situation isn't made any better if you're also using dovecot as SMTP AUTH provider for I am ashamed to admit I've relayed some spam that way. Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
Seriously, this reminds me of a saying by Ron White that I have always thought à propos: "You can't fix stupid." There is no way you can protect a user from their own stupidity. I don't care how many safeguards you put in place. Remember, "Nothing is foolproof to a sufficiently talented fool." Or, as I like to tell others, "Make it idiot proof and someone will make a better idiot." There are reportedly thousands of users who use, "Password" for their actual password.
This is not a Dovecot problem. Adding additional checks in Dovecot will only bloat the program and potentially cause other catastrophic problems.
-- Jerry ✌ Dovecot.user@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
"I kind of want to slay the dragon. Let's go to work."
Angel's final words.
participants (10)
-
Charles Marcus
-
Chris Hoogendyk
-
Eduardo M KALINOWSKI
-
Jerry
-
Justin Krejci
-
Leonardo Rodrigues
-
Martijn de Munnik
-
Pascal Volk
-
Thanos Chatziathanassiou
-
Timo Sirainen