[Dovecot] Account lockout option?
I'm currently using postfix and dovecot, with dovecot authentication (with saslauthd) using mysql for accounts.
Is there any option available for me to help inhibit/prevent brute-force login attempts?
Thx.
Rick
Rick Steeves http://www.sinister.net
"The journey is the destination"
Is there any option available for me to help inhibit/prevent brute-force login attempts?
I (and many others) use fail2ban. It works outside of dovecot, et al, by tailing your log files. When it finds a configurable number of failed attempts in a configurable time window, it blocks the remote IP address for a configurable amount of time. It can protect you against a lot more than failed email login attempts. I'm quite happy with it. I typically turn back several brute force SSH login attempts every day. I also have it watching my dovecot logins, but so far don't get many attempts there.
WJCarpenter wrote:
Is there any option available for me to help inhibit/prevent brute-force login attempts?
I (and many others) use fail2ban. It works outside of dovecot, et al, by tailing your log files. When it finds a configurable
Just to document that solution. This watches postfix AND dovecot logs since I found botnets slowly trying both alternately.
Create filter.d/mail.conf
>>>>>>>>>>>
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Match:
# Mar 2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
# Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
# Mar 2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:
#
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
failregex = dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
>>>>>>>>>>>>
Then in jail.conf add lines like:
[mail-iptables]
enabled  = true
filter   = mail
action   = iptables-multiport-log[name=mail, port="smtp,smtps,submission,imap,imaps,pop3,pop3s", protocol=tcp]
           sendmail-whois[name=mail, dest=postmaster@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath  = /var/log/mail.log
bantime  = 3600
Hope this helps
Ed W
Ed W wrote:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
failregex = dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
Ed, have you found that both failregex lines are actually being used here, as in my experience, only the first failregex line is used?
Maybe this has changed in the most recent version of fail2ban, but I have found that I had to create a separate filter file if I wanted to use a second failregex against the same log file and also add a second jail.conf entry.
Bill
Bill Landry wrote:
Ed W wrote:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
failregex = dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
Ed, have you found that both failregex lines are actually being used here, as in my experience, only the first failregex line is used?
Oh! You mean did I actually test this stuff before assuming it was all working perfectly
(shuffling of feet...)
Well, ok, perhaps it doesn't...
Looking at the config files it would appear that proftpd.conf and sshd.conf use a single "failregex=" line and then put multiple regexps on each following line. I guess this is the correct way to do it...
The benefit of only using one .conf file is that if some cheeky scammer is alternately trying your smtp, pop, imap for a breakin then it takes more attempts to snag them
The current attacks against my server are very slow attacks from a distributed botnet and fail2ban is hardly touching them. I see dozens of IPs trying at no more than one per minute and it would appear they swap between smtp and pop ports (I see the same from any given IP).
Some IPs seem much more common and fail2ban is occasionally snagging an IP which spews a bit faster, but sometimes each IP will try only once or twice a day.
Bit of a bugger to stop really...
Ed W
Ed W wrote:
Bill Landry wrote:
Ed W wrote:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
failregex = dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
Ed, have you found that both failregex lines are actually being used here, as in my experience, only the first failregex line is used?
Oh! You mean did I actually test this stuff before assuming it was all working perfectly
(shuffling of feet...)
Well, ok, perhaps it doesn't...
Looking at the config files it would appear that proftpd.conf and sshd.conf use a single "failregex=" line and then put multiple regexps on each following line. I guess this is the correct way to do it...
The benefit of only using one .conf file is that if some cheeky scammer is alternately trying your smtp, pop, imap for a breakin then it takes more attempts to snag them
The current attacks against my server are very slow attacks from a distributed botnet and fail2ban is hardly touching them. I see dozens of IPs trying at no more than one per minute and it would appear they swap between smtp and pop ports (I see the same from any given IP).
Some IPs seem much more common and fail2ban is occasionally snagging an IP which spews a bit faster, but sometimes each IP will try only once or twice a day.
Bit of a bugger to stop really...
What is your "maxretry =" set to for your dovecot jail.conf entry, as you did not show it in your initial email? If they are trying once per minute (as you stated above), and you have, for example, your "maxretry = 5", then after 5 failed attempts (in your scenario, 5 minutes), they will be locked out for 3600 seconds (1 hour). And if they keep trying, they will stay blocked until there is at least 1 hour between attempts.
Fail2ban is awesome, I have it set to monitor all of my running services.
Bill
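The following is an added worked example, not code from the thread or from fail2ban itself. It replays what the discussion above describes: Ed's two failregex patterns (laid out as one "failregex =" key with an indented continuation line, the sshd.conf convention he points to), the "<HOST>" alias quoted in his filter comments, and Bill's maxretry/findtime/bantime arithmetic, run over a constructed mail.log. The log lines, IP addresses, the mail1 hostname and the helper names (parse_failregex, match_line, scan) are all assumptions made for the example; the timestamp handling ignores the year because syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this alias (it is quoted in the filter's own comments).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Ed's filter, laid out the way the sshd/proftpd filters do it: one "failregex ="
# key whose further alternatives sit on indented continuation lines.
FILTER_TEXT = r"""
[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
ignoreregex =
"""


def parse_failregex(text):
    """Collect the failregex alternatives (first value plus indented continuation
    lines) from a fail2ban-style filter and compile them with <HOST> expanded."""
    patterns, collecting = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("failregex"):
            value = stripped.partition("=")[2].strip()
            if value:
                patterns.append(value)
            collecting = True
        elif collecting and stripped and line[:1].isspace():
            patterns.append(stripped)          # continuation line of the same key
        else:
            collecting = False
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_line(patterns, line):
    """Return the offending host if any failregex matches the log line, else None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None


def parse_ts(line):
    """Syslog timestamps carry no year; only differences between them matter here."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(lines, patterns, maxretry=5, findtime=600, bantime=3600):
    """Replay fail2ban's counting rule: a host is banned once it has maxretry
    matches inside a sliding findtime window. Returns {host: time of the ban}."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        host = match_line(patterns, line)
        if host is None:
            continue
        ts = parse_ts(line)
        if host in bans:
            if (ts - bans[host]).total_seconds() < bantime:
                continue               # still firewalled; nothing to count
            del bans[host]             # ban expired, start counting afresh
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()           # drop attempts older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
            window.clear()
    return bans


def syslog_line(ts, body):
    return f"{ts.strftime('%b %d %H:%M:%S')} mail1 {body}"


# Constructed sample log (not real traffic). One bot alternates smtp and pop at
# one attempt per minute; a second one tries only twice a day; the last line
# carries postfix's usual trailing reason text, which the $-anchored regex rejects.
BASE = datetime(2009, 3, 19, 10, 0, 0)
SAMPLE_LOG = []
for i in range(6):
    ts = BASE + timedelta(minutes=i)
    SAMPLE_LOG.append(syslog_line(ts, (
        "postfix/smtpd[27401]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed"
        if i % 2 == 0 else
        "dovecot: auth-worker(default): sql(blah@example.com,192.0.2.10): unknown user")))
for i in range(4):
    SAMPLE_LOG.append(syslog_line(BASE + timedelta(hours=12 * i),
        "dovecot: auth(default): digest-md5(blah@example.com,198.51.100.7): password mismatch"))
SAMPLE_LOG.append(syslog_line(BASE,
    "postfix/smtpd[27402]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6"))

PATTERNS = parse_failregex(FILTER_TEXT)

if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG, PATTERNS).items():
        print(f"ban {host} at {when.strftime('%H:%M:%S')}")
```

With Bill's numbers (maxretry 5, findtime 600) the one-a-minute bot is banned at its fifth attempt, four minutes after the first, even though it alternates between the postfix and dovecot patterns, which is the point of keeping both in one filter. The twice-a-day host never accumulates five hits inside ten minutes; widening findtime to a day with a lower maxretry is what catches it, at the cost of more false positives from users who mistype a password. The last sample line is a reminder to test the regexes against real log lines: Ed's own sample postfix line ends in "authentication failed:" with text after it, which the "failed$" anchor will not match.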
On 3/19/2009, Ed W (lists@wildgooses.com) wrote:
The current attacks against my server are very slow attacks from a distributed botnet and fail2ban is hardly touching them. I see dozens of IPs trying at no more than one per minute and it would appear they swap between smtp and pop ports (I see the same from any given IP).
Some IPs seem much more common and fail2ban is occasionally snagging an IP which spews a bit faster, but sometimes each IP will try only once or twice a day.
With such slow/limited attacks, as long as you enforce strong passwords, what's the problem?
:)
At 05:18 PM 3/19/2009, Ed W wrote:
WJCarpenter wrote:
Is there any option available for me to help inhibit/prevent brute-force login attempts?
I (and many others) use fail2ban. It works outside of dovecot, et al, by tailing your log files. When it finds a configurable
Took me a while to get this working, as I hadn't noticed the RPM that ships with CentOS5.2 is quite old, and the current instructions match just enough to be confusing.
That being said, it's now up and running and blocking ssh, dovecot, postfix, and squirrelmail traffic. I created separate filters for dovecot, postfix, and squirrelmail, and then added those sections to fail2ban.conf, and I'm off and running.
thanks for the pointer!
Rick
On Wed, 25 Mar 2009, dovecot@corwyn.net wrote:
That being said, it's now up and running and blocking ssh, dovecot, postfix, and squirrelmail traffic. I created separate filters for dovecot, postfix, and squirrelmail, and then added those sections to fail2ban.conf, and I'm off and running.
Would you put them into the Dovecot Wiki? I guess, several people will find them interesting.
Bye,
Steffen Kaiser