[Dovecot] Auto-blacklisting hosts after too many failed logins
Hi folks,
first of all thanks for Dovecot, I appreciate it a lot.
On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account.
Blacklisted IPs could simply be disconnected without giving them a chance to do anything. After e.g. one day or one hour of no further connection, the blacklist entry could be dropped.
As a bonus, it would be great to have a way to close the POP3/IMAP firewall ports to these IPs to avoid dovecot seeing the connection at all. A kind of blacklist status file on disk would be enough, from which some cron job could fill a firewall chain.
If necessary, I would try to add this functionality myself.
Amon.
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
This really shouldn't be a dovecot function, since this isn't an application level attack. Check out ossec-hids. I use it exactly for this purpose for blocking brute force attacks on other protocols as well - ftp, ssh, smtp, etc...
Ken A. Pacific.Net
Amon Ott wrote:
> Hi folks,
> first of all thanks for Dovecot, I appreciate it a lot.
> On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account.
> Blacklisted IPs could simply be disconnected without giving them a chance to do anything. After e.g. one day or one hour of no further connection, the blacklist entry could be dropped.
> As a bonus, it would be great to have a way to close the POP3/IMAP firewall ports to these IPs to avoid dovecot seeing the connection at all. A kind of blacklist status file on disk would be enough, from which some cron job could fill a firewall chain.
> If necessary, I would try to add this functionality myself.
> Amon.
On Mon, 28 Aug 2006, Ken A wrote:
> This really shouldn't be a dovecot function, since this isn't an application
It could be a plugin. But I wouldn't include this functionality into the core.
Bye,
Steffen Kaiser
On Fri, Aug 25, 2006 at 04:23:32PM +0200, Amon Ott wrote:
> On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account.
Countless perl scripts exist which parse sshd login logs for login attacks and insert dynamic firewall rules to temporarily blacklist them. Those could easily be adapted to pop3/imap login logs.
Geert
Geert Hendrickx wrote:
> On Fri, Aug 25, 2006 at 04:23:32PM +0200, Amon Ott wrote:
> > On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account.
> Countless perl scripts exist which parse sshd login logs for login attacks and insert dynamic firewall rules to temporarily blacklist them. Those could easily be adapted to pop3/imap login logs.
> Geert
I use fail2ban.
It has settings for SSH, apache and vsftpd in the default config file but you can easily add your own [dovecot] section.
Enter the log to monitor, the failure regex to match on, and the action to take after a specified number of failures (defaults to blocking IP for 600 seconds) and you're away.
Alex
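Added example, not code from any of the posters, from Dovecot or from fail2ban: a small Python script that does what the thread sketches. It parses login-failure lines from a Dovecot log, counts failures per remote IP within a window (Amon's "configurable number of failures", fail2ban's maxretry/findtime), blacklists the IP for a configurable time (fail2ban's 600-second default), drops the entry once the ban has expired, and writes the "blacklist status file" Amon asked for so a cron job can turn it into firewall rules. The log line formats in FAIL_RE and the sample lines in SAMPLE_LOG are assumptions modelled on Dovecot 1.0-era messages; adapt the regex to your own logs, exactly as Alex describes entering a failure regex into a [dovecot] section.

```python
"""Sliding-window failed-login counter with an expiring IP blacklist and a status
file for a cron-driven firewall chain. Added example, not from the thread."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# ASSUMED Dovecot 1.0-era login-failure lines; wording differs between versions,
# so adjust this to your own logs. The remote address lands in the 'host' group,
# which plays the role of fail2ban's <HOST> marker.
FAIL_RE = re.compile(
    r"(?:pop3|imap)-login: (?:Aborted login|Disconnected \(auth failed, \d+ attempts\)):"
    r".*?\brip=(?P<host>[0-9A-Fa-f.:]+)"
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2006):
    """Syslog prefix -> POSIX seconds (UTC). Syslog omits the year, so it is passed in."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    dt = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


class LoginBlacklist:
    """max_failures within find_window seconds bans a host for ban_seconds."""

    def __init__(self, max_failures=5, find_window=600, ban_seconds=600):
        self.max_failures = max_failures
        self.find_window = find_window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)  # host -> recent failure times
        self.banned = {}                     # host -> ban expiry time

    def record_failure(self, host, now):
        """Register one failed login; return True if this failure triggers a ban."""
        if self.is_banned(host, now):
            # Host keeps trying during the ban: extend it instead of counting again.
            self.banned[host] = now + self.ban_seconds
            return False
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.find_window:
            window.popleft()             # forget failures older than the window
        if len(window) >= self.max_failures:
            self.banned[host] = now + self.ban_seconds
            window.clear()
            return True
        return False

    def is_banned(self, host, now):
        expiry = self.banned.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[host]        # ban has lapsed: drop the entry
            return False
        return True

    def status_lines(self, now):
        """Blacklist status file contents, one 'ip expiry' per line, expired
        entries removed. A cron job can load these into a firewall chain."""
        for host in [h for h, e in self.banned.items() if now >= e]:
            del self.banned[host]
        return [f"{host} {int(expiry)}" for host, expiry in sorted(self.banned.items())]


def process_log(lines, blacklist, year=2006):
    """Feed log lines through the blacklist; return hosts newly banned, in order."""
    newly_banned = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue                     # successful logins and other lines are ignored
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        if blacklist.record_failure(m.group("host"), ts):
            newly_banned.append(m.group("host"))
    return newly_banned


# CONSTRUCTED sample input (documentation address ranges), not real log data.
SAMPLE_LOG = """\
Aug 25 16:23:32 mail dovecot: pop3-login: Aborted login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Aug 25 16:23:35 mail dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Aug 25 16:23:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Aug 25 16:24:01 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Aug 25 16:30:12 mail dovecot: pop3-login: Aborted login: user=<erin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
"""

if __name__ == "__main__":
    bl = LoginBlacklist(max_failures=3)
    print("newly banned:", process_log(SAMPLE_LOG.splitlines(), bl))
    now = parse_timestamp("Aug 25 16:30:00 mail dovecot: -")
    print("\n".join(bl.status_lines(now)) or "(blacklist empty)")
```

Run against the sample, 198.51.100.7 is banned after its third failure in eight seconds while 203.0.113.5, with a single failure, is not; once the 600 seconds are up the entry disappears from the status file on the next write. Because the counter keys only on the remote IP, one failure each against many harvested addresses still adds up, which is the pattern Amon describes.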
participants (5)
- Ale Pimperton
- Amon Ott
- Geert Hendrickx
- Ken A
- Steffen Kaiser