[Dovecot] Brute Force Blocking?
Hi Everyone,
Before I begin, I'd just like to mention: I love dovecot. Thank you :)
Anyway, today I had 8000 login attempts to my dovecot server in an hour before blocking the IP with my firewall.
After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.
Would it not be best built into dovecot? Are there any plans for this?
Best Regards, Ben Cadieux
On Thu, 20 Dec 2007, Ben Cadieux wrote:
Hi Everyone,
Before I begin, I'd just like to mention: I love dovecot. Thank you :)
Anyway, today I had 8000 login attempts to my dovecot server in an hour before blocking the IP with my firewall.
After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.
Would it not be best built into dovecot? [...]
I'd vote "no", with the caveat that I don't use any of these tools.
Parsing logfiles might make it more brittle, but it also allows the tool to protect many services in a generic way. I don't want to have to protect against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd, PostgreSQL, and whatever else in different config files. It'd be best to handle that one layer up. Doing it outside of dovecot even allows correlations to be made (e.g. ban sooner if the same IP is trying to break both SSH and FTP). Don't know if the tools *do* this, but still.
That's my 2¢, Ben Haskell
On 2007 Dec 20 (Thu) at 15:51:02 -0500 (-0500), Benjamin R. Haskell wrote:
On Thu, 20 Dec 2007, Ben Cadieux wrote:
Would it not be best built into dovecot? [...]
I'd vote "no", with the caveat that I don't use any of these tools.
Parsing logfiles might make it more brittle, but it also allows the tool to protect many services in a generic way. I don't want to have to protect against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd, PostgreSQL, and whatever else in different config files. It'd be best to handle that one layer up. Doing it outside of dovecot even allows correlations to be made (e.g. ban sooner if the same IP is trying to break both SSH and FTP). Don't know if the tools *do* this, but still.
That's my 2¢, Ben Haskell
Except for the part where they stay connected forever, and keep retrying logins. One tcp connection, so nothing for the network level to look for.
-- The United States is like the guy at the party who gives cocaine to everybody and still nobody likes him. -- Jim Samuels
On Thu, 20 Dec 2007, Peter Hessler wrote:
Except for the part where they stay connected forever, and keep retrying logins. One tcp connection, so nothing for the network level to look for.
I thought you had me, there. But, it's not at the "network" level, per se, "one level up" conceptually, not necessarily up in the standard 7 layers.
The tools parse logfiles. dovecot and (I think) the others I mentioned log an auth error after each failed attempt.
Best, Ben
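The two points above, that a log-driven tool can correlate failures across services "one layer up" and that it still sees every attempt made on a single long-lived connection, as an added example in Python. This is not fail2ban's code and not Dovecot's; the log line formats, IP addresses, thresholds and the iptables command string are constructed assumptions for the demonstration, and the regular expressions must be checked against your own syslog before reuse.

```python
"""
Log-driven brute-force detector: an added example, not fail2ban's or Dovecot's
code. It counts failed logins per source IP from log lines rather than from
connections, so one long-lived TCP session retrying thousands of passwords is
caught exactly like thousands of short connections, and it bans sooner when the
same IP is also failing against a second service.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps carry no year; one is assumed for the constructed sample.
YEAR = 2007

# Assumed log formats (constructed for this example; check your own syslog and
# adjust before reusing): a per-attempt Dovecot PAM failure and OpenSSH's
# "Failed password" line.
PATTERNS = {
    "dovecot": re.compile(
        r"dovecot: auth\(default\): \w+\([^,]*,(?P<ip>[\d.]+)\): .*(?:failed|unknown user)"),
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
}


def parse(line):
    """Return (timestamp, service, ip) for a failed-login line, else None."""
    try:
        ts = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    for service, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return ts, service, m.group("ip")
    return None


def ban_command(ip):
    # Firewall action, returned as a string so the example runs offline; a real
    # tool would execute it (and expire the rule later).
    return f"iptables -I INPUT -s {ip} -j DROP"


class BruteForceDetector:
    def __init__(self, window_s=600, threshold=10, multi_service_threshold=5):
        self.window_s = window_s
        self.threshold = threshold                # failures from a single service
        self.multi = multi_service_threshold      # lower bar if >1 service is hit
        self.events = defaultdict(deque)          # ip -> deque of (ts, service)
        self.banned = {}                          # ip -> time of ban

    def feed(self, line):
        """Consume one log line; return a ban command if this line trips the limit."""
        ev = parse(line)
        if ev is None:
            return None
        ts, service, ip = ev
        if ip in self.banned:
            return None
        q = self.events[ip]
        q.append((ts, service))
        while (ts - q[0][0]).total_seconds() > self.window_s:   # sliding window
            q.popleft()
        limit = self.multi if len({s for _, s in q}) > 1 else self.threshold
        if len(q) >= limit:
            self.banned[ip] = ts
            return ban_command(ip)
        return None


def run(lines, **kw):
    """Feed lines in order; return the ban commands in the order they fire."""
    det = BruteForceDetector(**kw)
    return [cmd for cmd in map(det.feed, lines) if cmd]


# Constructed sample log: one IMAP client on a single connection trying twelve
# passwords, one host probing both SSH and IMAP, and one user mistyping once.
DOVECOT_FAIL = "{ts} mail dovecot: auth(default): pam({user},{ip}): pam_authenticate() failed: Authentication failure"
SSHD_FAIL = "{ts} mail sshd[{pid}]: Failed password for {user} from {ip} port {port} ssh2"
SAMPLE_LOG = (
    [DOVECOT_FAIL.format(ts=f"Dec 20 14:03:{s:02d}", user="bob", ip="203.0.113.7") for s in range(1, 13)]
    + [SSHD_FAIL.format(ts="Dec 20 14:05:10", pid=2211, user="invalid user admin", ip="198.51.100.4", port=40122),
       SSHD_FAIL.format(ts="Dec 20 14:05:12", pid=2213, user="root", ip="198.51.100.4", port=40130),
       SSHD_FAIL.format(ts="Dec 20 14:05:15", pid=2214, user="invalid user test", ip="198.51.100.4", port=40140),
       DOVECOT_FAIL.format(ts="Dec 20 14:06:00", user="alice", ip="198.51.100.4"),
       DOVECOT_FAIL.format(ts="Dec 20 14:06:02", user="alice", ip="198.51.100.4"),
       DOVECOT_FAIL.format(ts="Dec 20 14:07:00", user="carol", ip="192.0.2.9"),
       "Dec 20 14:07:05 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.5"]
)

if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG):
        print(cmd)
```

Run as a script it bans 203.0.113.7 on its tenth failure and 198.51.100.4 on its fifth, because that host was hitting both sshd and Dovecot; 192.0.2.9 is left alone. The one thing this depends on is a log line per attempt: a line that is only written when the client disconnects would never appear for the attacker who keeps the connection open.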
Would it not be best built into dovecot? Are there any plans for this?
I agree, it would be great to have this built into dovecot. Spammers are getting more creative all the time and are not above using brute force to steal passwords to send spam.
Matt
On 12/20/2007, Matt (lm7812@gmail.com) wrote:
I agree, it would be great to have this built into dovecot. Spammers are getting more creative all the time and are not above using brute force to steal passwords to send spam.
But something like fail2ban will work system wide...
--
Best regards,
Charles
On Thu, 2007-12-20 at 12:28 -0800, Ben Cadieux wrote:
Would it not be best built into dovecot? Are there any plans for this?
It would be nice if it could be done with Dovecot, but I think it'll have to wait to v2.0. There this could be done with for example a dovecot-auth proxy. The proxy could be done with v1.x too, but it probably gets a bit tricky to get the UNIX sockets created into right places, most likely requiring adding ugly hacks to sources..
After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.
Cursory scan in the FreeBSD ports tree:
bruteblock for ipfw
bruteforceblocker for pf
mostly aimed at ssh or ftp brute force blocking ...
-bryan bradsby
DIR Capnet Texas State Government Net NOC: 512-475-2432 877-472-4848
Bryan Bradsby wrote:
After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.
I wrote blocksshd and had intended to extend it to do Dovecot but decided it was the wrong approach. I think the log parsing approach works quite well for SSH/FTP and similar simple applications. But for other applications with more complex logic and potentially a wider variety of threats, this function is probably better performed by the application itself.
Hence I'd suggest that a 'limits' plug-in or some form of configurable authentication governor in dovecot would be a better approach to counter these sorts of attacks.
Regards
James Turnbull
P.S. Even for SSH/FTP sometimes a simple iptables tweak can also solve a lot of your problems - depends on how granular you want your approach to be.
James Turnbull (james@lovedthanlost.net)
Author of:
- Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
- Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
- Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
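The in-application approach Timo and James describe above (an auth proxy in front of dovecot-auth, or a "limits" plug-in / configurable authentication governor), sketched as an added example in Python. It is not a Dovecot plug-in and not code from anyone in the thread; the class and function names, thresholds, backoff schedule and the sample source address are assumptions chosen for the demonstration.

```python
"""
In-process authentication governor: an added example, not a Dovecot plug-in and
not code from this thread. It sits where an auth proxy or "limits" plug-in
would, metering every login attempt before the password database is consulted,
so attempts on one long-lived connection are counted like any other. Failures
per source are kept in a sliding window; past a soft limit each further attempt
is delayed with doubling backoff, and past a hard limit the source is locked
out for a fixed period. All names and thresholds here are assumptions.
"""
import time
from collections import defaultdict, deque


class AuthGovernor:
    def __init__(self, clock=time.monotonic, window=600, soft_limit=3,
                 hard_limit=10, lockout=900, base_delay=1.0, max_delay=30.0):
        self.clock = clock              # injectable so the behaviour can be tested
        self.window = window            # seconds a failure stays counted
        self.soft_limit = soft_limit    # failures before delays start
        self.hard_limit = hard_limit    # failures before lockout
        self.lockout = lockout          # lockout length in seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(deque)   # source -> failure timestamps
        self.locked_until = {}               # source -> lockout expiry

    def _recent_failures(self, src, now):
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def decide(self, src):
        """Call before checking the password. Returns one of
        ("allow", 0.0), ("delay", seconds) or ("lockout", seconds_left)."""
        now = self.clock()
        until = self.locked_until.get(src)
        if until is not None:
            if now < until:
                return "lockout", until - now
            del self.locked_until[src]        # lockout expired: start clean
            self.failures[src].clear()
        n = self._recent_failures(src, now)
        if n >= self.hard_limit:
            self.locked_until[src] = now + self.lockout
            return "lockout", float(self.lockout)
        if n >= self.soft_limit:
            return "delay", min(self.base_delay * 2 ** (n - self.soft_limit), self.max_delay)
        return "allow", 0.0

    def record(self, src, success):
        """Call after the password check. A success clears the source's history."""
        if success:
            self.failures[src].clear()
        else:
            self.failures[src].append(self.clock())


def attempt(gov, src, password_ok):
    """One login attempt as a proxy would process it; returns the verdict."""
    verdict, secs = gov.decide(src)
    if verdict == "lockout":
        return verdict, secs              # refused without touching the passdb
    # A real proxy would sleep(secs) here, before the passdb lookup, so the
    # attacker pays the delay on every guess while the connection stays open.
    gov.record(src, password_ok)
    return verdict, secs


class FakeClock:
    """Manual clock for the demonstration; use time.monotonic in production."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, secs):
        self.t += secs


def demo():
    """Eleven wrong passwords from one source, then the right one after the lockout."""
    clock = FakeClock()
    gov = AuthGovernor(clock)
    verdicts = []
    for _ in range(11):
        verdicts.append(attempt(gov, "203.0.113.7", False))
        clock.advance(1)
    clock.advance(gov.lockout)
    verdicts.append(attempt(gov, "203.0.113.7", True))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The sequence is three free attempts, then delays of 1, 2, 4, 8, 16, 30 and 30 seconds, then a 900 second lockout, after which a correct password is accepted. Keying on the source address alone is a deliberate simplification: keying on the username would let an attacker lock a victim out, while a source key misses a botnet spreading guesses over many addresses, so a real governor usually keeps both counters with different limits.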
participants (8): Ben Cadieux, Benjamin R. Haskell, Bryan Bradsby, Charles Marcus, James Turnbull, Matt, Peter Hessler, Timo Sirainen