[Dovecot] limiting number of login attempts from same ip
Hello,
is it possible to limit the number of pop3 (or imap) login attempts
from one IP with dovecot to stop attackers? We recently had an attack
from one IP-address lasting 50 minutes that tried 50000 pop3-logins
with guessed users and passwords. I know about Fail2Ban but really
would prefer an easy to configure solution inside of dovecot. Dovecot
has this anvil daemon, can it be used for that purpose?
We use Dovecot version 2.0.12 under Solaris 10; the pop3-login part of
the configuration looks like this:
service pop3-login {
  chroot = login
  client_limit = 0
  drop_priv_before_exec = no
  executable = pop3-login
  extra_groups =
  group =
  idle_kill = 0
  inet_listener pop3 {
    address =
    port = 110
    ssl = no
  }
  inet_listener pop3s {
    address =
    port = 995
    ssl = yes
  }
  privileged_group =
  process_limit = 0
  process_min_avail = 0
  protocol = pop3
  service_count = 1
  type = login
  user = $default_login_user
  vsz_limit = 64 M
}
Thanks, Jürgen
--
Hochschulrechenzentrum der     | Mail: Juergen.Obermann@hrz.uni-giessen.de
Justus-Liebig-Universitaet     | WWW: http://www.uni-giessen.de/obermann/
Heinrich-Buff-Ring 44          | Tel: 0641-99-13054 (0641-99-13001)
D-35392 Giessen, Germany       | Fax: 0641-99-13009
On 10.06.2011 11:22, Jürgen Obermann wrote:
Look at http://wiki2.dovecot.org/HowTo/Fail2Ban
-- Best Regards
Kind regards, Robert Schetterer
Germany/Munich/Bavaria
Friday, June 10, 2011, 4:22:26 AM, Jürgen wrote:
You can thwart (to some degree) failed login attempts by increasing auth_failure_delay. I currently have the parameter set at 5 seconds. Its default is 2 seconds.
I also have set auth_verbose = yes and auth_verbose_passwords = sha1 and have a cron job set up to search the logs for the day before using:
bzegrep -i 'password.mismatch' /var/log/maillog.0.bz2
I get an email message showing the failed login attempts from the previous day.
Someone else suggested using fail2ban which is good. I have sshguard set up myself.
--
Best regards,
Duane
mailto:duane@duanemail.org
On 2011-06-10 6:06 AM, Duane Hill wrote:
Someone else suggested using fail2ban which is good. I have sshguard set up myself.
He already said he didn't want to use Fail2ban - not sure why though, since it protects many other services at the same time, does exactly what he wants to do, and is quite easy to set up...
Jurgen - I personally would suggest you reconsider using Fail2ban...
It really is easy to set up, and like I said, you can protect all your other services with it too (ssh, ftp, etc)...
--
Best regards,
Charles
Friday, June 10, 2011, 6:01:22 AM, Charles wrote:
On 2011-06-10 6:06 AM, Duane Hill wrote:
Someone else suggested using fail2ban which is good. I have sshguard set up myself.
He already said he didn't want to use Fail2ban - not sure why though, since it protects many other services at the same time, does exactly what he wants to do, and is quite easy to set up...
Jurgen - I personally would suggest you reconsider using Fail2ban...
It really is easy to set up, and like I said, you can protect all your other services with it too (ssh, ftp, etc)...
I did realize he did not want to use fail2ban, and had suggested the increase in time for failed login attempts. We had an email account compromised within the past several weeks and the increase of the specific parameter has thwarted the failed login attempts. If I read the documentation correctly, the time is incremental (i.e. 2, 4, 8, 16, 32...), whereby setting it to 5 seconds would be 5, 10, 20, 40, 80... I did read somewhere there is a hard-coded limit where the parameter tops out.
--
Best regards,
Duane
mailto:duane@duanemail.org
On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).
Hmm. Maybe instead of simply increasing the failure delay, the IP could be disconnected immediately?
On Mon, 13 Jun 2011, Timo Sirainen wrote:
With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).
I've also seen the reported type of dictionary attacks. Login failure delay doesn't really help much for those... they just open numerous new connections and only try 1 username/password on each connection. On one server, that got me loads of messages like these in my logs:
Feb 13 00:40:46 poseidon kernel: TCP: drop open request from 64.73.242.138/1536
and
Feb 13 00:44:07 poseidon kernel: NET: 220 messages suppressed.
After being firewalled, it kept hammering on the pop3 port for 90 more seconds, after which it probably found another door to hammer.
Although I wouldn't really mind if dovecot can be setup to handle this "gracefully" but I'd say this is a more generic problem that is better solved at network level than within dovecot. (So it can be used for other services as well.)
-- Maarten
On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
Hello,
is it possible to limit the number of pop3 (or imap) login attempts from one IP with dovecot to stop attackers? We recently had an attack from one IP-address lasting 50 minutes that tried 50000 pop3-logins with guessed users and passwords. I know about Fail2Ban but really would prefer an easy to configure solution inside of dovecot. Dovecot has this anvil daemon, can it be used for that purpose?
We use Dovecot version 2.0.12 under Solaris 10; the pop3-login part of the configuration looks like this:
With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).
Hmm. Maybe instead of simply increasing the failure delay, the IP could be disconnected immediately?
We had set default_process_limit=2000. I think this was necessary
during testing the high-security mode and I forgot to set it back to
100 again after switching back to high-performance mode
(http://wiki2.dovecot.org/LoginProcess). But even 20k attempts in 50
minutes (or 6 per second) would have been too much for one real person.
The attack would have taken about 2 hours instead of nearly one.
I admit that fail2ban can stop this attack, but we have Solaris and
not Linux and therefore the actions fail2ban wants to start are not
available.
Greetings, Juergen
On 13/06/11 23:49, Jürgen Obermann wrote:
I admit that fail2ban can stop this attack, but we have Solaris and not Linux and therefore the actions fail2ban wants to start are not available.
If fail2ban itself can run on your box, then that's the way to go.
All actions in fail2ban are simple scripts that use other tools on the OS (f.i. iptables on linux). I'm not into solaris at all, but if solaris has a scriptable firewall (I bet it does), then the fail2ban list can help you use it.
-- Regards, Tom
On 14/6/2011 1:12 AM, Tom Hendrikx wrote:
On 13/06/11 23:49, Jürgen Obermann wrote:
I admit that fail2ban can stop this attack, but we have Solaris and not Linux and therefore the actions fail2ban wants to start are not available.
If fail2ban itself can run on your box, then that's the way to go.
I would like to add that, although fail2ban is great and we are using it for a long time, it doesn't support IPv6; now that our servers (we are using CentOS 5.6 x86_64) and networks are IPv6 enabled, this is a problem (but hopefully IPv6-based attacks should not be very common yet). We have not implemented a solution for protecting pop3/imap over IPv6 yet, but I have recently found this article: http://www.roedie.nl/tag/fail2ban/ which suggests autofwd: http://freshmeat.net/projects/autofwd which might provide a good solution. It seems versatile and supports IPv6.
If anybody has done or can do an implementation on Linux (using iptables AND ip6tables) for pop3/imap, pop3s/imaps and share it, it will be most welcome and very useful.
This is a Linux tool, so I can't suggest anything for Solaris or other systems. Nevertheless, finding a solution for Linux is still significant!
Nick
On 14/06/2011 08:25, Nikolaos Milas wrote:
I would like to add that, although fail2ban is great and we are using it for a long time, it doesn't support IPv6; now that our servers (we are using CentOS 5.6 x86_64) and networks are IPv6 enabled, this is a problem (but hopefully IPv6-based attacks should not be very common yet). We have not implemented a solution for protecting pop3/imap over IPv6 yet, but I have recently found this article: http://www.roedie.nl/tag/fail2ban/ which suggests autofwd: http://freshmeat.net/projects/autofwd which might provide a good solution. It seems versatile and supports IPv6.
If anybody has done or can do an implementation on Linux (using iptables AND ip6tables) for pop3/imap, pop3s/imaps and share it, it will be most welcome and very useful.
I don't see why fail2ban would have anything to do with ipv6 since it simply runs a script when something needs doing? Just adapt your script? Not having tried it, but possibly the regexps need tweaking also?
On a related note, recent kernels (and old kernels can build a module) implement "ipset". This is a way to implement a named hash of IPs/Ports/MACs, etc. The point is to use a single iptables rule to do something with your ipset, then you have the ability to dynamically alter the ipset as you will without needing to reload iptables rules
(I believe that iptables is still unable to be altered dynamically? Each time you *think* you are inserting a rule, actually you are dropping the entire ruleset, then reinserting the entire new ruleset with one extra rule. This creates a window of opportunity each time you innocently insert a new rule. Further it explains the O(n^2) speed of running "iptables -A" or similar)
For these reasons ipset seems like a great addition!
Ed W
On 16/6/2011 12:34 AM, Ed W wrote:
I don't see why fail2ban would have anything to do with ipv6 since it simply runs a script when something needs doing? Just adapt your script? Not having tried it, but possibly the regexps need tweaking also?
Thanks Ed. You could be right. It could work, *if* fail2ban engine does not do any particular internal processing with IP addresses in order to implement the rules logic (which I doubt; for example, when it adds iptables rules, it refers to ip address as <ip> - see below). In the official fail2ban site: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6, we don't see any solution related to IPv6.
If it's feasible, I wonder why we can't find anything about that in the Internet or in fail2ban site. No one has done it yet? On the contrary, we can find ample "complaints" that fail2ban won't work with IPv6. Nowhere can we find ipv6 "filters" and "actions" for fail2ban. If someone (has time and) is sufficiently competent with iptables/ip6tables, then he could try to prepare such actions (and create filters with regex expressions to catch ipv6 events from logs too) and then give it a try.
For example, one could then add in jail.conf (after creating dovecot-pop3imap-ipv6.conf and ip6tables-multiport.conf):
[dovecot-pop3imap-ipv6]
enabled  = true
filter   = dovecot-pop3imap-ipv6
action   = ip6tables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath  = /var/log/dovecot.log
maxretry = 10
findtime = 600
bantime  = 1800
My guess is that fail2ban engine must be extended to "understand" ipv6 addresses and handle ip6tables appropriately.
On a related note, recent kernels (and old kernels can build a module) implement "ipset". This is a way to implement a named hash of IPs/Ports/MACs, etc. The point is to use a single iptables rule to do something with your ipset, then you have the ability to dynamically alter the ipset as you will without needing to reload iptables rules
It sounds interesting. I'll take a look on it, when I have time. Still, one would have to update fail2ban (and/or other software) to use ipset instead of standard iptables (which will take at least some effort).
(I believe that iptables is still unable to be altered dynamically? Each time you *think* you are inserting a rule, actually you are dropping the entire ruleset, then reinserting the entire new ruleset with one extra rule. This creates a window of opportunity each time you innocently insert a new rule. Further it explains the O(n^2) speed of running "iptables -A" or similar)
Actually, iptables can be altered dynamically; for example, the iptables-multiport action does:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
"iptables -A" runs only when fail2ban starts.
Nick
On 16/06/11 12:12, Nikolaos Milas wrote:
On 16/6/2011 12:34 AM, Ed W wrote:
I don't see why fail2ban would have anything to do with ipv6 since it simply runs a script when something needs doing? Just adapt your script? Not having tried it, but possibly the regexps need tweaking also?
Thanks Ed. You could be right. It could work, *if* fail2ban engine does not do any particular internal processing with IP addresses in order to implement the rules logic (which I doubt; for example, when it adds iptables rules, it refers to ip address as <ip> - see below). In the official fail2ban site: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6, we don't see any solution related to IPv6.
If it's feasible, I wonder why we can't find anything about that in the Internet or in fail2ban site. No one has done it yet? On the contrary, we can find ample "complaints" that fail2ban won't work with IPv6.
There has been some discussion on the fail2ban mailing list about ipv6 support implementations lately. Please see http://sourceforge.net/mailarchive/forum.php?forum_name=fail2ban-users (thank you SF for the awesome UI).
Nowhere can we find ipv6 "filters" and "actions" for fail2ban.
As long as fail2ban has no support for catching ipv6 ip addresses, there is no use for a filter that can handle these. Adaptation of the iptables actions to ip6tables would be trivial, though.
If someone (has time and) is sufficiently competent with iptables/ip6tables, then he could try to prepare such actions (and create filters with regex expressions to catch ipv6 events from logs too) and then give it a try.
Again, most of the pros, cons and implementation issues came along on the mailing list. I suggest that you take your fail2ban issue there, since this is no dovecot issue :)
-- Regards,
Tom
Hi
If it's feasible, I wonder why we can't find anything about that in the Internet or in fail2ban site. No one has done it yet? On the contrary, we can find ample "complaints" that fail2ban won't work with IPv6.
Hmm, well on cursory inspection I agree there are some hard coded assumptions. Doesn't look dramatically difficult to fix, but not something I was planning to look at myself.
See: /usr/share/fail2ban/server/filter.py for: IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
Also note the functions in the same file to check for duplicate IPs and similar.
(I believe that iptables is still unable to be altered dynamically? Each time you *think* you are inserting a rule, actually you are dropping the entire ruleset, then reinserting the entire new ruleset with one extra rule. This creates a window of opportunity each time you innocently insert a new rule. Further it explains the O(n^2) speed of running "iptables -A" or similar)
Actually, iptables can be altered dynamically; for example, the iptables-multiport action does:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
"iptables -A" runs only when fail2ban starts.
Please re-read my previous email:
My understanding is that "iptables -[IA]" works internally by first downloading and then clearing the entire old kernel rule list. Then some time later it inserts a new complete rule list including the new rule. It's not clear that this swap is atomic and hence there is a small window of opportunity when you have zero firewall rules in place...
If you find this scary then please do your own research and mitigate as you feel appropriate...
...So back to my suggestion of investigating using ipsets rather than changing any iptables rules... This makes rules properly dynamic and there is no reload involved
Kind regards
Ed W
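An added example (not from the thread, and not Dovecot's or fail2ban's own code) that ties together Duane's log search, the maxretry/findtime jail Nick sketches, and the IPv4-only IP_CRE pattern Ed quotes: a per-client sliding-window counter over Dovecot failed-login lines, keyed on the rip= field so IPv6 clients are counted as well. The log lines, hostname and addresses are constructed.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's IPv4-only address pattern as quoted in the thread (filter.py, IP_CRE)
IP_CRE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Matches the auth-failure line Dovecot 2.0 logs with auth_verbose = yes;
# rip= is the client address, the field a per-IP limiter has to key on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:pop3|imap)-login: "
    r"Disconnected \(auth failed, \d+ attempts\): user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)"
)

def dovecot_line(ts, user, rip):
    """Constructed sample line in the shape of a Dovecot 2.0 failed POP3 login."""
    return (f"{ts:%b %d %H:%M:%S} mail dovecot: pop3-login: Disconnected "
            f"(auth failed, 1 attempts): user=<{user}>, method=PLAIN, "
            f"rip={rip}, lip=198.51.100.5")

_T0 = datetime(2011, 6, 10, 11, 22, 0)
SAMPLE_LOG = "\n".join(
    [dovecot_line(_T0 + timedelta(seconds=5 * i), f"guess{i}", "192.0.2.10")
     for i in range(12)]                                            # one source, 12 guesses
    + [dovecot_line(_T0 + timedelta(seconds=30), "alice", "203.0.113.7"),
       dovecot_line(_T0 + timedelta(seconds=90), "alice", "203.0.113.7"),  # two typos
       dovecot_line(_T0 + timedelta(seconds=40), "bob", "2001:db8::1")])   # IPv6 client

def parse_failures(text, year=2011):
    """Return [(timestamp, user, client_ip_string)] for every failed-login line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog stamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["rip"]))
    return out

def offenders(failures, maxretry=10, findtime=600):
    """Sliding-window count per client IP with fail2ban's maxretry/findtime
    semantics (defaults are the values from the jail.conf in the thread).
    Returns {ip: time the threshold was first crossed}."""
    window = defaultdict(deque)
    hit = {}
    for ts, _user, rip in sorted(failures):
        ip = ipaddress.ip_address(rip)  # IPv4 and IPv6 alike, unlike IP_CRE
        if ip in hit:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            hit[ip] = ts
    return hit

def fail2ban_visible(failures):
    """Client addresses the IPv4-only IP_CRE accepts; the IPv6 client silently drops out."""
    return sorted({rip for _ts, _user, rip in failures if IP_CRE.match(rip)})
```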
On 06/13/2011 04:49 PM, Jürgen Obermann wrote:
I admit that fail2ban can stop this attack, but we have Solaris and not Linux and therefore the actions fail2ban wants to start are not available.
You may be interested in OSSEC for this. I added the Dovecot support and OSSEC supports Solaris, so I imagine this would work fine (although I don't use Solaris so I can't say for sure.) If the logs turn out to be slightly different I can update the decoder to accommodate.
participants (10)
- Charles Marcus
- Duane Hill
- Ed W
- Jürgen Obermann
- Maarten Bezemer
- Michael Starks
- Nikolaos Milas
- Robert Schetterer
- Timo Sirainen
- Tom Hendrikx