Message: 1
Date: Sun, 15 Jun 2008 19:04:05 -0400
From: "Larry Ludwig" <larrylud@gmail.com>
Subject: [Dovecot] Using checkpassword to block ips?
To: <dovecot@dovecot.org>
Message-ID: <000601c8cf3c$1cd11130$0605a8c0@tank>
Content-Type: text/plain; charset="us-ascii"
Hi new to the list, but we are a long time user of Dovecot via DirectAdmin control panel.

We, like everyone else, are seeing an increase in dictionary attacks of POP/IMAP. We want to block them.

I've searched the mailing list and found a few recommended fail2ban, which really won't work for our case. We need to do this over many machines and not one or two. We also like to gather info at the network wide level. Hackers know about attacking specific server/ips too often and we've seen much more distributed attacks that go under the radar of one server monitoring setup.

We've designed our own system and use a local RBL to distribute the blocked IPs. For ftp and ssh attacks it's worked very well. We would like to use the RBL to do the same with dovecot.

From my research it appears the best way to do this (and only currently) is with the checkpassword option. I haven't gotten it to work yet. We have:

    passdb checkpassword {
      args = /usr/local/bin/checkpassword
      deny = yes
    }

As the first auth. This should reject the connection if the IP matches. checkpassword can see the TCPREMOTEIP environmental variable.

In the checkpassword script we have:

    #!/usr/bin/perl

    # Read the credentials that the checkpassword interface passes on
    # file descriptor 3 as "user\0password\0timestamp\0".
    sub read_uinfo {
        my($user,$passwd,$apop_ts);
        open X,"<&=3" or exit 111;
        $_ = <X>;    # ugly; should use sysread instead
        ($user,$passwd,$apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
        while (<X>) {};
        close X;
        return ($user,$passwd,$apop_ts);
    }

    ($user,$passwd,$apop_ts)=$debug?(shift,shift,shift):read_uinfo;

    # Client address as exported to the script, handed to the RBL lookup helper.
    $ipaddr=$ENV{TCPREMOTEIP};
    $result=system("/usr/sbin/checkdnsbl $ipaddr");
    if ( $result == 0) {
        @ENV{"SHELL","USER","HOME"} = ($shell,$user,$home);
        exit 0;
    }
    else {
        exit 1;
    }

My questions are as follows:
- Can the deny = yes be used with checkpassword?
- What am I doing wrong with the script? It should reject only the connections that are in the RBL. It blocks all
Bump..
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/
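
The RBL lookup that the script above hands to `/usr/sbin/checkdnsbl`, written out as an added example (not part of the original post and not Dovecot's or the poster's code). It validates `TCPREMOTEIP` before using it and keeps "listed", "not listed" and "lookup failed" apart; the zone name `rbl.example.internal`, the function names and the sample zone data are assumptions made for illustration.

```python
import ipaddress
import socket

ZONE = "rbl.example.internal"  # assumed name of the local RBL zone
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
# Constructed sample zone data: one listed address, everything else absent.
SAMPLE_ZONE = {"7.113.0.203.rbl.example.internal": "127.0.0.2"}


def dnsbl_query_name(ip_text, zone=ZONE):
    """Build the DNSBL lookup name; raises ValueError on a malformed address."""
    addr = ipaddress.ip_address(ip_text.strip())
    # reverse_pointer yields reversed octets (IPv4) or nibbles (IPv6) followed
    # by ".in-addr.arpa" / ".ip6.arpa"; drop those two labels, append the zone.
    reversed_labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def dnsbl_verdict(ip_text, zone=ZONE, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'error' for the client address."""
    try:
        name = dnsbl_query_name(ip_text or "", zone)
    except ValueError:
        return "error"  # missing or malformed TCPREMOTEIP, never looked up
    try:
        answer = ipaddress.ip_address(resolve(name))
    except socket.gaierror as exc:
        # Name does not exist: the address is not on the list.
        if exc.errno in NOT_FOUND:
            return "clean"
        return "error"  # timeout, SERVFAIL, resolver unreachable
    except (OSError, ValueError):
        return "error"
    # DNSBLs signal a listing with an A record inside 127.0.0.0/8;
    # anything else (e.g. a wildcarded zone) is not trusted as a listing.
    return "listed" if answer in LISTED_NET else "error"


def sample_resolve(name):
    """Stand-in resolver backed by the constructed SAMPLE_ZONE table."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "not-an-ip"):
        print(ip, dnsbl_verdict(ip, resolve=sample_resolve))
```

How each verdict maps to a checkpassword exit code is left to the caller. Keeping "error" separate lets a resolver outage be reported as a temporary failure (exit 111, as the script above does when fd 3 cannot be opened) instead of being counted as a match.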