[Dovecot] Applying a DNS RBL to deny authentication?
Hope to get some attention about this idea to reduce hacking passwords.
Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH
http://ipadmin.junkemailfilter.com/auth-hack.txt
This is a list of IP addresses that attempted to authenticate against my fake AUTH advertising on servers with no authentication. We do front end spam filtering for thousands of domains and I decided to advertise authentication where there is none, and I accept and blackhole all authenticated email to those servers. I have harvested the IP addresses into this list, which is available through an RBL.
It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
Thoughts?
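How a DNS blacklist check of a connecting IP works, as an added Python illustration that is not part of the thread or of Dovecot: the query name is the reversed address under the list's zone, an answer in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed". The zone name auth-hack.example and the in-memory resolver are constructed so the example runs offline; it also covers IPv6 (reversed nibbles), which the thread does not mention.

```python
import socket
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer when the IP is listed, None when it is not.

    resolve() must return an address string or raise socket.gaierror for NXDOMAIN,
    which is what socket.gethostbyname does.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # Only answers inside 127.0.0.0/8 are valid listings. A dead or misconfigured
    # zone sometimes wildcards every query to a public address; treat that as unlisted
    # rather than locking every client out.
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer


# Constructed stand-in zone (hypothetical name) so the lookup runs without network access.
FAKE_ZONE = {
    "10.2.0.192.auth-hack.example.": "127.0.0.2",
}


def fake_resolve(name):
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def should_deny_auth(ip, zone="auth-hack.example", resolve=fake_resolve):
    """Policy hook: deny the AUTH attempt when the client address is listed."""
    return dnsbl_lookup(ip, zone, resolve) is not None
```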
On 04.02.2014 18:40, Marc Perkel wrote:
> Hope to get some attention about this idea to reduce hacking passwords.
> Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH
> http://ipadmin.junkemailfilter.com/auth-hack.txt
> This is a list of IP addresses that attempted to authenticate against my fake AUTH advertising on servers with no authentication. We do front end spam filtering for thousands of domains and I decided to advertise authentication where there is none, and I accept and blackhole all authenticated email to those servers. I have harvested the IP addresses into this list, which is available through an RBL.
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
> Thoughts?
a limit of failed auth tries without a successful one would be better, and strip down logging after it is blocked instead of having thousands of lines from fools trying a dictionary
- ip <xx.xx.xx.xx> blocked after XX auth tries within XX minutes
- blocking of ip <xx.xx.xx.xx> released (XX tries blocked)
something like that but with focus on failed logins
anvil_rate_time_unit = 1800s
smtpd_client_connection_rate_limit = 50
smtpd_client_recipient_rate_limit = 400
smtpd_recipient_limit = 100
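The per-IP failed-login limiter sketched above (block after N failures inside a window with no successful login in between, one log line when the block starts and one when it is released, nothing per attempt while blocked), as an added Python illustration that is not part of the thread or of Dovecot. The thresholds and the exact log wording are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed defaults: block after MAX_FAILS failures within WINDOW seconds, lift after BLOCK_FOR.
MAX_FAILS = 5
WINDOW = 10 * 60
BLOCK_FOR = 30 * 60


class AuthBlocker:
    """Sliding-window tracker of failed logins per client IP."""

    def __init__(self, max_fails=MAX_FAILS, window=WINDOW, block_for=BLOCK_FOR):
        self.max_fails, self.window, self.block_for = max_fails, window, block_for
        self.fails = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                 # ip -> (expiry, tries seen while blocked)
        self.log = []                     # only the two summary lines, never per attempt

    def _expire(self, ip, now):
        """Release a block whose time is up and emit the single release line."""
        entry = self.blocked.get(ip)
        if entry and entry[0] <= now:
            del self.blocked[ip]
            self.log.append(f"blocking of ip <{ip}> released ({entry[1]} tries blocked)")

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        self._expire(ip, now)
        return ip in self.blocked

    def record(self, ip, success, now=None):
        """Feed one login result; returns True when the attempt must be denied."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            exp, tries = self.blocked[ip]
            self.blocked[ip] = (exp, tries + 1)   # count the try, do not log it
            return True
        q = self.fails[ip]
        if success:
            q.clear()                             # a successful login resets the counter
            return False
        q.append(now)
        while q and q[0] < now - self.window:     # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_fails:
            self.blocked[ip] = (now + self.block_for, 0)
            q.clear()
            self.log.append(f"ip <{ip}> blocked after {self.max_fails} auth tries "
                            f"within {self.window // 60} minutes")
            return True
        return False
```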
On 04.02.2014 18:40, Marc Perkel wrote:
> Hope to get some attention about this idea to reduce hacking passwords.
> Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH
> http://ipadmin.junkemailfilter.com/auth-hack.txt
> This is a list of IP addresses that attempted to authenticate against my fake AUTH advertising on servers with no authentication. We do front end spam filtering for thousands of domains and I decided to advertise authentication where there is none, and I accept and blackhole all authenticated email to those servers. I have harvested the IP addresses into this list, which is available through an RBL.
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
http://wiki2.dovecot.org/Authentication/RestrictAccess
but you could add them in a firewall too
> Thoughts?
i think you know the problems of rbls very well; in case of imap/pop a false positive may increase support extremely, also think of nat users
i prefer more dynamic and flexible solutions, like fail2ban etc
so your honeypot ips are fine, but shouldn't be widely used/matched for everybody's needs
perhaps it might be better to use them in a more "score" or monitoring / alarming system combined with other data
Best Regards Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263 Board: Patrick Ben Koetter, Marc Schiffbauer Chairman of the supervisory board: Florian Kirstein
On 04 Feb 2014, at 10:40 , Marc Perkel <marc@perkel.com> wrote:
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
> Thoughts?
Use the right tool. Fail2ban (or denyssh) do this sort of limiting quite well. One of them even has a feature that allows you to sync bad IPs with other people (denyssh, I think).
Also, postfix will check an RBL, so if you simply put in your check in master.cf for your submission port, there’s no reason for dovecot to try to redo something others already do.
Something like this in postfix:

# main.cf: a restriction list containing spaces cannot be written inline as a
# master.cf -o value, so define it here and reference it from master.cf.
# reject_rbl_client comes before permit_sasl_authenticated so a listed client is
# refused even if it knows a password.
submission_client_restrictions = reject_rbl_client myrbl.local, permit_sasl_authenticated, reject

# master.cf
submission inet n       -       n       -       -       smtpd
  -o syslog_name=submit-tls
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
# smtpd_delay_reject=no makes the client restrictions (and so the RBL check) apply at
# connect time, before AUTH is offered; with the default of yes they only run at RCPT TO.
YMMV
-- I have seen the truth and it makes no sense.