[Dovecot] dnsbl feature for dovecot
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
On 3.7.2013, at 4.21, John Fawcett john.ml@erba.tv wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
You're talking about IMAP/POP3 connections?
Possible, yeah .. possibly even without code changes by using tcpwrappers.
On 03/07/13 03:27, Timo Sirainen wrote:
On 3.7.2013, at 4.21, John Fawcett john.ml@erba.tv wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
You're talking about IMAP/POP3 connections?
Possible, yeah .. possibly even without code changes by using tcpwrappers.
Timo, thanks for the reply. I will look into that suggestion. John
John Fawcett wrote on 2013-07-03 09:40:
Possible, yeah .. possibly even without code changes by using tcpwrappers.
Timo, thanks for the reply. I will look into that suggestion. John
If it's implemented in dovecot, possibly use postfix memcached, so they share cache data?
-- senders that put my email into body content will deliver it to my own trashcan, so if you like to get a reply, don't do it
Timo Sirainen wrote on 2013-07-03 03:27:
You're talking about IMAP/POP3 connections? Possible, yeah .. possibly even without code changes by using tcpwrappers.
Why is it needed?
Set up fail2ban to manage xtables-addons geoip csv files from abusers, then use this csv file as an A0 list in iptables; the end result is a low memory footprint. It should not be a dovecot solution.
On 03/07/13 18:44, Benny Pedersen wrote:
Timo Sirainen wrote on 2013-07-03 03:27:
You're talking about IMAP/POP3 connections? Possible, yeah .. possibly even without code changes by using tcpwrappers.
Why is it needed?
Set up fail2ban to manage xtables-addons geoip csv files from abusers, then use this csv file as an A0 list in iptables; the end result is a low memory footprint. It should not be a dovecot solution.
I would not see fail2ban as the only solution. On the mta I use both dnsbl and fail2ban and both help in their own ways to reduce/limit unwanted connections.
I wouldn't consider adding large numbers of rules to iptables but I would consider querying a dnsbl which contained large numbers of ips, since the management of the data is then off the server.
John
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Dem
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
-- Stan
On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
That's my point. A self run IP blackhole list is almost useless. Distributed RBLs are much more effective. However, existing ones are based on spam sources, not malicious connections to POP or IMAP servers.
Knowing the problem would be beneficial in determining a good solution. For certain types of connection abuse, Fail2Ban works remarkably well. But, without knowing his exact problem, it may not be the correct solution.
Dem
On 03/07/13 05:24, Professa Dementia wrote:
On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
That's my point. A self run IP blackhole list is almost useless. Distributed RBLs are much more effective. However, existing ones are based on spam sources, not malicious connections to POP or IMAP servers.
Knowing the problem would be beneficial in determining a good solution. For certain types of connection abuse, Fail2Ban works remarkably well. But, without knowing his exact problem, it may not be the correct solution.
Dem
The point is to stop spambot connections to pop and imap (which are usually done to try and steal credentials).
I already use fail2ban to stop brute force attacks but that means that each one has to be allowed to connect a specified number of times and trigger the filter.
I was imagining a distributed solution which is already in use in many mtas applied also to imap and pop so that connections could be stopped from the first one.
I am assuming that if there is such a feature then data is available (e.g. sorbs) or if not yet being collected that it could be done.
John
On 7/3/2013 12:35 AM, John Fawcett wrote:
The point is to stop spambot connections to pop and imap (which are usually done to try and steal credentials).
This is not the usual way spambots work. Generally, spambots scrape addresses from various sources in order to get lists of emails to send spam to.
What you seem to be experiencing may be zombie nets trying to brute force credentials so they can then send spam from compromised accounts. This is a different beast with a different solution.
Regardless, you have a specific problem that needs addressing.
I ran an ISP for almost two decades and have dealt with these issues myself. My recommendations:
- Enforce strong user passwords. I use 12 characters minimum. 14 characters or more would be better, but this length starts to make it hard for mere humans to remember. Enforce a rule that the password contains at least 2 or 3 of the following: lower case letter, upper case letter, digit, and symbol which is not one of the prior three.
Some systems require the user's password have all four. This actually weakens the password (if you care to know why, I can go into the math in a later post).
After enforcing your chosen rules, run the password through cracklib before accepting it from the user. Or even better, what I started doing was having the system generate passwords and not let the user choose their own. Initially people grumbled a bit, but they soon got used to it and security was much better.
- Fail2Ban with rules that seem like they are pretty weak, but trust me, they work fine and you limit complaints from users.
a) If you get 3 invalid login attempts within a minute from more than 1 IP address, block that login for 10 minutes. If you have blocked a login and another attempt to log in to that account is made then tarpit that connection. Usually 60 seconds is sufficient. Do not extend the original block time past the original 10 minutes.
b) If you get 5 invalid login attempts within a minute from the same IP, block that IP for 5 minutes. This is usually a valid user who forgot their password, as opposed to a) which is usually a malicious third party.
Some of this you can do with off the shelf tools, some of it may require some glue code (Perl or Python works nicely) on your part. If you can implement this, it will stop the abuse cold.
1) provides security and makes brute forcing infeasible. 2) helps reduce load on your systems.
I was imagining a distributed solution which is already in use in many mtas applied also to imap and pop so that connections could be stopped from the first one.
I am assuming that if there is such a feature then data is available (e.g. sorbs) or if not yet being collected that it could be done.
I feel your pain and frustration. I do not believe there is an RBL list of offending IPs for brute force attacks and I think one would be hard to build and keep up to date enough to be useful, since most of these systems are compromised home computers, but they get fixed and there is a lot of turnover - infected systems are repaired and new ones infected.
Most of them are in the far east, so if you do not mind applying a cudgel to the problem, you can block entire ranges of IPs altogether. Of course, one of your users traveling to one of those areas would need to use some other method to access email (mobile device, webmail, etc).
Dem
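The two Fail2Ban-style rules above, as an added example in Python that is not code from the thread, from Dovecot or from Fail2Ban: it parses the "auth failed" disconnect lines that Dovecot's imap-login and pop3-login processes write and applies rule a) (three failures on one account within a minute from more than one IP: block that account for ten minutes, tarpit later attempts, never extend the block) and rule b) (five failures within a minute from one IP: block that IP for five minutes). The log lines are constructed for the example, the year 2013 is assumed because syslog timestamps carry none, and the action tuples it returns are the point where glue to iptables or to Dovecot's own deny mechanism would hook in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Format of the "auth failed" disconnect line written by Dovecot's
# imap-login / pop3-login processes; the sample lines below are constructed.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:imap|pop3)-login: Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, .*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)
LOG_YEAR = 2013  # assumed: syslog timestamps carry no year

WINDOW = timedelta(seconds=60)
# Rule a): 3 failures on one account within the window from more than 1 IP.
USER_FAILS, USER_MIN_IPS, USER_BLOCK = 3, 2, timedelta(minutes=10)
TARPIT_SECONDS = 60
# Rule b): 5 failures within the window from a single IP.
IP_FAILS, IP_BLOCK = 5, timedelta(minutes=5)


def parse_auth_failure(line):
    """Return (timestamp, user, remote_ip) for an auth-failure line, else None."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("user"), m.group("rip")


class AuthGuard:
    """Sliding-window counters for the two rules; observe() returns actions."""

    def __init__(self):
        self.user_events = defaultdict(deque)  # user -> (ts, ip) inside WINDOW
        self.ip_events = defaultdict(deque)    # ip -> ts inside WINDOW
        self.user_block_until = {}
        self.ip_block_until = {}

    @staticmethod
    def _prune(events, now, stamp=lambda e: e):
        while events and now - stamp(events[0]) > WINDOW:
            events.popleft()

    def observe(self, ts, user, ip):
        actions = []
        if self.user_block_until.get(user, ts) > ts:
            # Account already blocked: tarpit this connection and, as the
            # post says, do not extend the original block.
            actions.append(("tarpit", user, ip, TARPIT_SECONDS))
        else:
            events = self.user_events[user]
            events.append((ts, ip))
            self._prune(events, ts, stamp=lambda e: e[0])
            if (len(events) >= USER_FAILS
                    and len({e_ip for _, e_ip in events}) >= USER_MIN_IPS):
                until = ts + USER_BLOCK
                self.user_block_until[user] = until
                events.clear()
                actions.append(("block_user", user, until))

        stamps = self.ip_events[ip]
        stamps.append(ts)
        self._prune(stamps, ts)
        if len(stamps) >= IP_FAILS and self.ip_block_until.get(ip, ts) <= ts:
            until = ts + IP_BLOCK
            self.ip_block_until[ip] = until
            stamps.clear()
            actions.append(("block_ip", ip, until))
        return actions


def analyse(log_text):
    """Feed every auth-failure line to one AuthGuard; other lines are skipped."""
    guard, actions = AuthGuard(), []
    for line in log_text.splitlines():
        event = parse_auth_failure(line)
        if event is not None:
            actions.extend(guard.observe(*event))
    return actions


# Constructed sample: alice is guessed from four different hosts (rule a),
# bob fails five times from one host (rule b), carol logs in successfully.
SAMPLE_LOG = """\
Jul  3 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.10, lip=192.0.2.1, TLS
Jul  3 10:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.11, lip=192.0.2.1
Jul  3 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=198.51.100.12, lip=192.0.2.1, TLS
Jul  3 10:00:14 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.13, lip=192.0.2.1, TLS
Jul  3 10:01:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Jul  3 10:01:08 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Jul  3 10:01:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Jul  3 10:01:22 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Jul  3 10:01:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Jul  3 10:01:35 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS
"""

if __name__ == "__main__":
    for action in analyse(SAMPLE_LOG):
        print(*action)
```

Note that bob's five failures never trigger rule a) because they all come from one IP, while alice's account is blocked after the third failure and the fourth attempt is only tarpitted; the NAT caveat raised later in the thread applies to rule b), which is why it is the rule with the shorter block.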
On 7/3/2013 12:35 AM, John Fawcett wrote:
The point is to stop spambot connections to pop and imap (which are usually done to try and steal credentials).
This is not the usual way spambots work. Generally, spambots scrape addresses from various sources in order to get lists of emails to send spam to.
What you seem to be experiencing may be zombie nets trying to brute force credentials so they can then send spam from compromised accounts. This is a different beast with a different solution.
Yes I have evidence that passwords found by brute force on pop3 were then used to send email via smtp.
Regardless, you have a specific problem that needs addressing.
I ran an ISP for almost two decades and have dealt with these issues myself. My recommendations:
- Enforce strong user passwords. I use 12 characters minimum. 14 characters or more would be better, but this length starts to make it hard for mere humans to remember. Enforce a rule that the password contains at least 2 or 3 of the following: lower case letter, upper case letter, digit, and symbol which is not one of the prior three.
Some systems require the user's password have all four. This actually weakens the password (if you care to know why, I can go into the math in a later post).
After enforcing your chosen rules, run the password through cracklib before accepting it from the user. Or even better, what I started doing was having the system generate passwords and not let the user choose their own. Initially people grumbled a bit, but they soon got used to it and security was much better.
- Fail2Ban with rules that seem like they are pretty weak, but trust me, they work fine and you limit complaints from users.
a) If you get 3 invalid login attempts within a minute from more than 1 IP address, block that login for 10 minutes. If you have blocked a login and another attempt to log in to that account is made then tarpit that connection. Usually 60 seconds is sufficient. Do not extend the original block time past the original 10 minutes.
b) If you get 5 invalid login attempts within a minute from the same IP, block that IP for 5 minutes. This is usually a valid user who forgot their password, as opposed to a) which is usually a malicious third party.
Some of this you can do with off the shelf tools, some of it may require some glue code (Perl or Python works nicely) on your part. If you can implement this, it will stop the abuse cold.
1) provides security and makes brute forcing infeasible. 2) helps reduce load on your systems.
On 03/07/13 12:47, Professa Dementia wrote:
These look like good suggestions.
I was imagining a distributed solution which is already in use in many mtas applied also to imap and pop so that connections could be stopped from the first one.
I am assuming that if there is such a feature then data is available (e.g. sorbs) or if not yet being collected that it could be done.
I feel your pain and frustration. I do not believe there is an RBL list of offending IPs for brute force attacks and I think one would be hard to build and keep up to date enough to be useful, since most of these systems are compromised home computers, but they get fixed and there is a lot of turnover - infected systems are repaired and new ones infected.
Most of them are in the far east, so if you do not mind applying a cudgel to the problem, you can block entire ranges of IPs altogether. Of course, one of your users traveling to one of those areas would need to use some other method to access email (mobile device, webmail, etc).
Dem
I take the point that ips in such a dnsbl would probably have a short life span.
However, whatever may be the difficulties, such a list would not make sense if there is no functionality in the server to use it. I am going to look into Timo's suggestion though on tcpwrappers to see how this would work.
John
On 03.07.2013 05:24, Professa Dementia wrote:
On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
That's my point. A self run IP blackhole list is almost useless. Distributed RBLs are much more effective. However, existing ones are based on spam sources, not malicious connections to POP or IMAP servers.
Knowing the problem would be beneficial in determining a good solution. For certain types of connection abuse, Fail2Ban works remarkably well. But, without knowing his exact problem, it may not be the correct solution.
Dem
I think an auto dynamic user/IP based connection limit might be best, but I guess it will be difficult to implement. For this you need some log analyser counting wrong auth user/IP pairs, invoking some action on the fly, like throttling a user from an IP, and an automatic high user/IP login throttle by adjustable time periods; also there must be some whitelist possible.
Best Regards, Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
On Wed, 03 Jul 2013 09:37:14 +0200 Robert Schetterer rs@sys4.de wrote:
On 03.07.2013 05:24, Professa Dementia wrote:
On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
That's my point. A self run IP blackhole list is almost useless. Distributed RBLs are much more effective. However, existing ones are based on spam sources, not malicious connections to POP or IMAP servers.
Knowing the problem would be beneficial in determining a good solution. For certain types of connection abuse, Fail2Ban works remarkably well. But, without knowing his exact problem, it may not be the correct solution.
Dem
I think an auto dynamic user/IP based connection limit might be best, but I guess it will be difficult to implement. For this you need some log analyser counting wrong auth user/IP pairs, invoking some action on the fly, like throttling a user from an IP, and an automatic high user/IP login throttle by adjustable time periods; also there must be some whitelist possible.
One possibility for the connection limiting could be using the iptables hashlimit module. Getting the correct values for it might be a bit tricky, but maybe initially you could do logging on a dedicated iptables chain instead of drops to get some sample usage statistics. Then again, you should also be careful with hashlimit if you have large number of users coming from the same IP address (ISPs using NAT etc).
Best regards
-- Branko Majic Jabber: branko@majic.rs Please use only Free formats when sending attachments to me.
On 03.07.2013 04:11, Stan Hoeppner wrote:
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
so perhaps fail2ban might help, or construct something out of syslog and iptables recent, or use dovecot deny etc
http://wiki2.dovecot.org/HowTo/Fail2Ban http://wiki2.dovecot.org/Authentication/RestrictAccess http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
Only German, but the code should be understandable anyway for new coding ideas:
http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-mo...
Usually fail2ban is enough for brute force pop3/imap, but blocking IPs is always a problem with NAT clients.
Best Regards, Robert Schetterer
On 03/07/13 09:26, Robert Schetterer wrote:
On 03.07.2013 04:11, Stan Hoeppner wrote:
On 7/2/2013 8:32 PM, Professa Dementia wrote:
On 7/2/2013 6:21 PM, John Fawcett wrote:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
cf. postscreen_dnsbl_sites in postfix
Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
John
Let's back up a bit. This does not seem like a feature that Dovecot needs.
Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.
so perhaps fail2ban might help, or construct something out of syslog and iptables recent, or use dovecot deny etc
http://wiki2.dovecot.org/HowTo/Fail2Ban http://wiki2.dovecot.org/Authentication/RestrictAccess http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
Only German, but the code should be understandable anyway for new coding ideas:
http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-mo...
Usually fail2ban is enough for brute force pop3/imap, but blocking IPs is always a problem with NAT clients.
Best Regards, Robert Schetterer
Thanks Robert, I saw that article and implemented that in fail2ban to stop repeated hammering attempts on the server from the same clients already rejected by dnsbl in postfix.
I was thinking of extending the mechanism to imap/pop.
John
John Fawcett wrote on 2013-07-03 03:21:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
Hmm, are pop3/imap clients not authed users?
well done
On 03/07/13 18:40, Benny Pedersen wrote:
John Fawcett wrote on 2013-07-03 03:21:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
Hmm, are pop3/imap clients not authed users?
well done
in this case no, I am talking about connections from zombies.
John Fawcett wrote on 2013-07-03 20:41:
in this case no, I am talking about connections from zombies.
Block the client IP of the zombies; this is what iptables is for, or change the rules to only have ports open for the clients' location. Well, dovecot supports IP blocking, but IMHO it's not the right place to set it up.
On 03.07.2013 20:41, John Fawcett wrote:
On 03/07/13 18:40, Benny Pedersen wrote:
John Fawcett wrote on 2013-07-03 03:21:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
Hmm, are pop3/imap clients not authed users?
well done
in this case no, I am talking about connections from zombies
have fun - most RBLs contain a lot of dialup addresses, which makes sense to get rejected on an MTA until auth, but is stupid to block completely without abuse users
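One way the lookup John proposes could be done, with Reindl's caveat about dial-up listings built in, as an added example in Python that is not code from the thread, from Dovecot or from Postfix: it builds the reversed-octet query name (and the reversed-nibble form for IPv6, which goes beyond the IPv4-only discussion in the thread), decodes the 127.0.0.x answer into a list category, and denies an IMAP/POP3 client only for categories that indicate a compromised host, not for a policy/dial-up listing, since that is where most legitimate mail users sit. The zone name dnsbl.example is hypothetical, the answer-code mapping is assumed to follow the return codes Spamhaus publishes for its ZEN zone (check the documentation of the zone you actually use), the answers are constructed, and 127.255.255.x answers are treated as zone error codes that fail open rather than as listings.

```python
import ipaddress

# Hypothetical zone name; substitute the zone(s) you actually query.
ZONE = "dnsbl.example"

# Answer-to-category mapping, assumed here to follow the return codes
# Spamhaus documents for its ZEN zone; other zones publish their own codes.
LIST_CODES = {
    "127.0.0.2": "SBL",   # known spam source
    "127.0.0.3": "CSS",   # compromised / snowshoe sender
    "127.0.0.4": "XBL",   # exploited host: bot, open proxy, trojan
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",
    "127.0.0.10": "PBL",  # policy list: dynamic / dial-up space, not abuse
    "127.0.0.11": "PBL",
}
# Answers in this range mean "your query was refused" (public resolver,
# typo, excessive queries), not "the address is listed".
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

# For an IMAP/POP3 listener only evidence of compromise should deny the
# connection; a PBL-only hit is exactly Reindl's dial-up case and is allowed.
BLOCKING_CATEGORIES = frozenset({"SBL", "CSS", "XBL"})


def dnsbl_query_name(ip, zone):
    """Reverse the address and append the zone: octets for IPv4, nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def classify(answers):
    """Split A-record answers into (set of list categories, list of error codes)."""
    categories, errors = set(), []
    for answer in answers:
        if ipaddress.ip_address(answer) in ERROR_NET:
            errors.append(answer)
        else:
            categories.add(LIST_CODES.get(answer, "UNKNOWN"))
    return categories, errors


def dnsbl_decision(ip, zones, resolve):
    """Return ("block" | "allow", reason). `resolve(name)` must return the
    A records for `name`, or an empty list when the name does not exist."""
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except OSError as exc:            # resolver unreachable: fail open
            return "allow", "lookup error in %s: %s" % (zone, exc)
        categories, errors = classify(answers)
        if errors:                        # zone refused the query: fail open
            return "allow", "%s returned error code %s" % (zone, errors[0])
        hits = categories & BLOCKING_CATEGORIES
        if hits:
            return "block", "%s lists %s as %s" % (zone, ip, ",".join(sorted(hits)))
        if categories:
            return "allow", "%s lists %s only as %s" % (zone, ip, ",".join(sorted(categories)))
    return "allow", "not listed"


# Constructed answers standing in for a live resolver.
SAMPLE_ANSWERS = {
    "4.2.0.192." + ZONE: ["127.0.0.4"],          # exploited host: deny
    "5.2.0.192." + ZONE: ["127.0.0.10"],         # dynamic space only: allow
    "6.2.0.192." + ZONE: ["127.255.255.254"],    # zone refused the query: allow
}


def mock_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7"):
        print(client, *dnsbl_decision(client, [ZONE], mock_resolve))
```

To run it against a real zone, replace mock_resolve with a function that returns the A records for a name and an empty list on NXDOMAIN; with the standard library, socket.gethostbyname_ex raises socket.gaierror for a non-existent name, so such a wrapper has to catch that one case and return [], while letting other errors propagate so the decision fails open. Whether the verdict is applied from a tcpwrappers hook, as Timo suggests, or from a firewall rule is independent of this logic.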
On 03.07.2013 20:53, Reindl Harald wrote:
On 03.07.2013 20:41, John Fawcett wrote:
On 03/07/13 18:40, Benny Pedersen wrote:
John Fawcett wrote on 2013-07-03 03:21:
dnsbl's are a popular method to prevent listed ips from making connections to mta software.
Hmm, are pop3/imap clients not authed users?
well done
in this case no, I am talking about connections from zombies
have fun - most RBLs contain a lot of dialup addresses, which makes sense to get rejected on an MTA until auth, but is stupid to block completely without abuse users
just for info
A botnet check IP service was announced:
https://www.check-and-secure.com/ipcheck/_en/index.html
It seems that they have some DB with botnet IPs, with a "ttl" of 15 mins, but for sure this isn't a "traditional" RBL.
however it shows some people work on that stuff
Best Regards, Robert Schetterer
participants (8): Benny Pedersen, Branko Majic, John Fawcett, Professa Dementia, Reindl Harald, Robert Schetterer, Stan Hoeppner, Timo Sirainen