On Thu, Apr 20, 2023 at 9:08 AM Doug Hardie bc979@lafn.org wrote:
Are there any plans to interface to blacklistd?
-- Doug
Hi Doug,
Since blacklistd uses PF, you can already use fail2ban or sshguard https://www.sshguard.net/ to achieve the same thing you are after. Given that blacklistd is just an intermediary like fail2ban, is there a real need for dovecot interfacing with it?
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
Are there any plans to interface to blacklistd?
-- Doug
Hi Doug,
Since blacklistd uses PF, you can already use fail2ban or sshguard https://www.sshguard.net/ to achieve the same thing you are after. Given that blacklistd is just an intermediary like fail2ban, is there a real need for dovecot interfacing with it?
Maybe because fail2ban and logs are on a remote server?
On 20/04/2023 12:17 EEST Marc marc@f1-outsourcing.eu wrote:
Are there any plans to interface to blacklistd?
-- Doug
Hi Doug,
Since blacklistd uses PF, you can already use fail2ban or sshguard https://www.sshguard.net/ to achieve the same thing you are after. Given that blacklistd is just an intermediary like fail2ban, is there a real need for dovecot interfacing with it?
Maybe because fail2ban and logs are on a remote server?
Hi!
My suggestions:
1: Write simple (e.g.) Flask/Twisted based adapter for Auth Policy (not really very difficult)
2: Use passdb lua to interface with blacklistd.
3: Convince blacklistd authors to support weakforced protocol.
And no, we do not currently have plans to add support for blacklistd. Sorry.
Aki
Odhiambo Washington skrev den 2023-04-20 11:04:
Since blacklistd uses PF, you can already use fail2ban or sshguard [1] to achieve the same thing you are after. Given that blacklistd is just an intermediary like fail2ban, is there a real need for dovecot interfacing with it?
fail2ban can't see dovecot internal fails of auth, this is why weakforced is built, in gentoo i use it now, i have not regretted doing this ebuild request to keep it going
On Apr 20, 2023, at 02:04, Odhiambo Washington odhiambo@gmail.com wrote:
On Thu, Apr 20, 2023 at 9:08 AM Doug Hardie bc979@lafn.org wrote:
Are there any plans to interface to blacklistd?
-- Doug
Hi Doug,
Since blacklistd uses PF, you can already use fail2ban or sshguard https://www.sshguard.net/ to achieve the same thing you are after. Given that blacklistd is just an intermediary like fail2ban, is there a real need for dovecot interfacing with it?
Fail2ban and sshguard are log scanners. They are a very inelegant approach that requires a lot of horsepower to scan logs that are not designed for scanning, but for human reading. Log formats tend to change with time thus necessitating updates to the scanners. Blacklistd places a very short set of code to send a small packet to a socket when the decision is made to deny access. There is no real delay in the actual blocking. Scanning large logs in a high traffic environment is expensive. For a product that is intended for high volume environments I find it interesting that a log scanning solution would be appropriate.
-- Doug
Since blacklistd uses PF, you can already use fail2ban or sshguard https://www.sshguard.net/ to achieve the same thing you are after. Given that blacklistd is just an intermediary like fail2ban, is there a real need for dovecot interfacing with it?
Fail2ban and sshguard are log scanners. They are a very inelegant approach that requires a lot of horsepower to scan logs that are not designed for scanning, but for human reading. Log formats tend to change with time thus necessitating updates to the scanners. Blacklistd places a very short set of code to send a small packet to a socket when the decision is made to deny access. There is no real delay in the actual blocking. Scanning large logs in a high traffic environment is expensive. For a product that is intended for high volume environments I find it interesting that a log scanning solution would be appropriate.
And how does blacklistd get fed?
Marc Marc@f1-outsourcing.eu wrote:
Blacklistd places a very short set of code to send a small packet to a socket when the decision is made to deny access.
And how does blacklistd get fed?
Actually, one needs to add a small amount of code to dovecot which writes to a socket. This code needs to be invoked whenever someone tries to "break in" or "abuse" your dovecot server. Thus, the application informs the blacklistd daemon about abuse and who did so. Blacklistd listens to that socket [1].
The running blacklistd then decides what to do with these attempts and uses firewall functionality to block future attempts if wanted.
[1] https://github.com/paul-chambers/blacklistd
The sources of bind, ftp, sshd, and postfix have already been modified accordingly.
Regards, Michael
On 22/04/2023 18:21 EEST Michael Grimm via dovecot dovecot@dovecot.org wrote:
Marc Marc@f1-outsourcing.eu wrote:
Blacklistd places a very short set of code to send a small packet to a socket when the decision is made to deny access.
And how does blacklistd get fed?
Actually, one needs to add a small amount of code to dovecot which writes to a socket. This code needs to be invoked whenever someone tries to "break in" or "abuse" your dovecot server. Thus, the application informs the blacklistd daemon about abuse and who did so. Blacklistd listens to that socket [1].
The running blacklistd then decides what to do with these attempts and uses firewall functionality to block future attempts if wanted.
[1] https://github.com/paul-chambers/blacklistd
The sources of bind, ftp, sshd, and postfix have already been modified accordingly.
Regards, Michael
So, why not use auth policy for this? It can send information about potential login attempts to a remote server. And if the data format is not exactly correct for blacklistd, I'm sure an adapter can be added in the middle or into blacklistd.
Aki
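A sketch of the auth policy adapter suggested in this thread, added here as an example and not code from Dovecot, weakforced or blacklistd. It assumes the weakforced-style JSON exchange (`allow` and `report` commands, `remote` and `success` fields, a negative `status` meaning reject); the thresholds, the port and `notify_blocker` are hypothetical.

```python
import json, time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

MAX_FAILS, WINDOW = 5, 600       # constructed thresholds: 5 failures in 10 minutes
failures = defaultdict(deque)    # remote IP -> timestamps of recent failed logins
blocked = set()                  # addresses already handed to the blocker

def notify_blocker(remote):
    """Hypothetical hook: pass the address on to blacklistd/PF. Only recorded here."""
    blocked.add(remote)

def handle_policy(command, req, now=None):
    """Answer one auth policy request and return the JSON reply as a dict."""
    now = time.time() if now is None else now
    ok = {"status": 0, "msg": ""}
    remote = req.get("remote", "") if isinstance(req, dict) else ""
    if not remote:
        return ok                # nothing to key on, never block the empty address
    if command == "allow":       # asked before authentication is attempted
        return {"status": -1, "msg": "blocked"} if remote in blocked else ok
    if command == "report" and not req.get("success", False):
        q = failures[remote]
        q.append(now)
        while q and now - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILS:
            notify_blocker(remote)
    return ok

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        command = parse_qs(urlparse(self.path).query).get("command", [""])[0]
        try:
            length = int(self.headers.get("Content-Length", 0))
            req = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:       # bad length, bad UTF-8 or bad JSON
            req = {}
        body = json.dumps(handle_policy(command, req)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 4001), Handler).serve_forever()
```

Because the decision is made on the `report` event itself, no log scanning is involved; replacing `notify_blocker` is where an interface to blacklistd or a PF table would go.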
Doug Hardie skrev den 2023-04-20 08:07:
Are there any plans to interface to blacklistd?
link ?
imho only weakforced is currently supported, more info for your needs would help find more info
https://github.com/PowerDNS/weakforced
https://github.com/paul-chambers/blacklistd
or other ?
participants (6)
- Aki Tuomi
- Benny Pedersen
- Doug Hardie
- Marc
- Michael Grimm
- Odhiambo Washington