Re: [Dovecot] 64.31.19.48 attempt to break into my computer
It is a great tool. Unfortunately dovecot allows infinite incorrect logins during a single session. When fail2ban has firewalled the IP it's pointless as the rule only affects new sessions, not established ones. I am disappointed that the author of dovecot has no interest in adding a feature that closes the session after x auth failures. It would certainly make tools like fail2ban more effective.
----- Reply message -----
From: "John Alexander" john.alexander@preachain.org
Date: Fri, Sep 23, 2011 00:13
Subject: [Dovecot] 64.31.19.48 attempt to break into my computer
To: dovecot@dovecot.org
Fail2Ban is an excellent tool to deal with this sort of thing.
On Mon, 19 Sep 2011 10:05:47 -0700, Rick Baartman wrote
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
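As an added example (not code from this thread or from fail2ban), here is a small parser for the dovecot-auth/pam_unix lines quoted above: it counts "authentication failure" events per rhost, strips the IPv4-mapped "::ffff:" prefix so the address matches what a firewall rule would use, and reports hosts at or above a maxretry threshold the way a fail2ban filter plus jail would. The sample lines are constructed; 64.31.19.48 is the address from the log above and 192.0.2.7 is a made-up second host.

```python
import re
from collections import Counter

# Constructed sample log in the dovecot-auth / pam_unix format quoted above.
# 64.31.19.48 is the host from the thread; 192.0.2.7 is a made-up second host.
SAMPLE_LOG = """\
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:46 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:20:02 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.7
"""

# Only the pam_unix "authentication failure" line carries the remote host;
# the "check pass" and pam_succeed_if lines are ignored on purpose.
FAILURE_RE = re.compile(
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .*?rhost=(?P<rhost>\S+)"
)


def normalize_host(rhost: str) -> str:
    """Turn an IPv4-mapped IPv6 address (::ffff:a.b.c.d) into plain a.b.c.d;
    firewall rules such as 'iptables -s <ip>' expect the bare IPv4 form."""
    prefix = "::ffff:"
    if rhost.lower().startswith(prefix) and rhost.count(".") == 3:
        return rhost[len(prefix):]
    return rhost


def count_failures(log_text: str) -> Counter:
    """Number of authentication failures seen per (normalized) remote host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[normalize_host(m.group("rhost"))] += 1
    return counts


def hosts_to_ban(log_text: str, maxretry: int = 3) -> list:
    """Hosts whose failure count reached maxretry (fail2ban's jail setting)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(f"{host}: {n} failures")
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

The count is per source host across log lines; these lines carry no session identifier, so the parser cannot tell whether the failures came from one long-lived connection (the case Alex describes) or from several, which is exactly why a ban on new connections alone does not end an ongoing session.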
Quoting Alex other@ahhyes.net:
It [fail2ban] is a great tool. Unfortunately dovecot allows infinite
incorrect logins during a single session. When fail2ban has
firewalled the IP it's pointless as the rule only affects new
sessions, not established ones. I am disappointed that the author of
dovecot has no interest in adding a feature that closes the session
after x auth failures. It would certainly make tools like fail2ban
more effective.
If that is a big issue for you, you could always have fail2ban add a
dummy route:
For example: route add $IP gw 127.0.0.1
Rick
On 2011-09-23 01:39, Rick Romero wrote:
Quoting Alex other@ahhyes.net:
It [fail2ban] is a great tool. Unfortunately dovecot allows infinite incorrect logins during a single session. When fail2ban has firewalled the IP it's pointless as the rule only affects new sessions [...] If that is a big issue for you, you could always have fail2ban add a dummy route: For example: route add $IP gw 127.0.0.1
... or configure the fail2ban actions so they apply to any traffic from the offending IP. My iptables ruleset has this action:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
Of course, if you have users that are proxied behind the same address, just one of them would instantly kill everybody's sessions. So I agree with Alex, it would be great to limit the number of failed login attempts per connection.
-hannes