[Dovecot] No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server.
Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything.
It doesn't look like I can run dovecot under xinetd.
Any other ideas to help protect dovecot from brute force attacks? I don't think pam can help, can it?
Otherwise I need to figure out a way to have denyhosts trigger iptables rules or something, or maybe there's another application that will work?
-Dave
On Wed, 30 Aug 2006, David Rees might have said:
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server.
Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything.
It doesn't look like I can run dovecot under xinetd.
Any other ideas to help protect dovecot from brute force attacks? I don't think pam can help, can it?
Otherwise I need to figure out a way to have denyhosts trigger iptables rules or something, or maybe there's another application that will work?
-Dave
What about iptables instead of tcp_wrappers or /etc/hosts.deny?
On 8/30/06, Mike mikee@mikee.ath.cx wrote:
Otherwise I need to figure out a way to have denyhosts trigger iptables rules or something, or maybe there's another application that will work?
What about iptables instead of tcp_wrappers or /etc/hosts.deny?
Yeah, that's my best guess right now, I need to figure out how to make denyhosts trigger iptables rules or find another tool which can... but I haven't found anything yet.
-Dave
Quoting David Rees drees76@gmail.com:
On 8/30/06, Mike mikee@mikee.ath.cx wrote:
Otherwise I need to figure out a way to have denyhosts trigger iptables rules or something, or maybe there's another application that will work?
What about iptables instead of tcp_wrappers or /etc/hosts.deny?
Yeah, that's my best guess right now, I need to figure out how to make denyhosts trigger iptables rules or find another tool which can... but I haven't found anything yet.
-Dave
Try fail2ban (fail2ban.sourceforge.net I think).
-- Eric Rostetter The Department of Physics The University of Texas at Austin
Go Longhorns!
On 8/30/06, Eric Rostetter rostetter@mail.utexas.edu wrote:
Quoting David Rees drees76@gmail.com:
On 8/30/06, Mike mikee@mikee.ath.cx wrote:
Otherwise I need to figure out a way to have denyhosts trigger iptables rules or something, or maybe there's another application that will work?
What about iptables instead of tcp_wrappers or /etc/hosts.deny?
Yeah, that's my best guess right now, I need to figure out how to make denyhosts trigger iptables rules or find another tool which can... but I haven't found anything yet.
Try fail2ban (fail2ban.sourceforge.net I think).
That looks like it will work, thanks, I'll give it a shot.
-Dave
On 8/30/06, David Rees drees76@gmail.com wrote:
On 8/30/06, Eric Rostetter rostetter@mail.utexas.edu wrote:
Try fail2ban (fail2ban.sourceforge.net I think).
That looks like it will work, thanks, I'll give it a shot.
Got fail2ban working, seems to work perfectly. I also used the tips from http://www.the-art-of-web.com/system/fail2ban/ If anyone wants the config file I'm using, let me know. I'm also using it to block sshd attacks too.
-Dave
On 8/30/06, David Rees drees76@gmail.com wrote:
Got fail2ban working, seems to work perfectly. I also used the tips from http://www.the-art-of-web.com/system/fail2ban/ If anyone wants the config file I'm using, let me know. I'm also using it to block sshd attacks too.
I had 2 people email me privately for the configuration, you can find my fail2ban.conf here: http://drees76.blogspot.com/2006/08/fail2ban-dovecot-and-brute-force.html
-Dave
David Rees wrote:
On 8/30/06, David Rees drees76@gmail.com wrote:
Got fail2ban working, seems to work perfectly. I also used the tips from http://www.the-art-of-web.com/system/fail2ban/ If anyone wants the config file I'm using, let me know. I'm also using it to block sshd attacks too.
I had 2 people email me privately for the configuration, you can find my fail2ban.conf here: http://drees76.blogspot.com/2006/08/fail2ban-dovecot-and-brute-force.html
Great, thanks!
One question - I'm a dummy when it comes to firewalls (in general) or IPTables (in particular) -
In the SSH section, how hard would it be to add a rule to immediately ban any IP that tried to log into SSH as root? I always disable remote root login, and never allow anyone near my box that doesn't know (and agree with the reason) why... so anyone who ever tries to is an unwelcome intruder - and if someone forgets, they'll just have to call me and confess, and I'll have to remove the ban manually.
Anyway, many thanks for this - I'll have to spend some time studying it...
--
Best regards,
Charles
On Thursday 31 August 2006 20:42, David Rees wrote:
On 8/30/06, David Rees drees76@gmail.com wrote: I had 2 people email me privately for the configuration, you can find my fail2ban.conf here:
http://drees76.blogspot.com/2006/08/fail2ban-dovecot-and-brute-force.html
Thanks a lot, I was one of them. In the meantime I figured it out myself, turning on Dovecot's auth_verbose to get more info.
The major difference to your config is that I put a limit to the iptables logging rule with " -m limit --limit 6/m" so that following attempts cannot flood the log.
After quite a few tests I am happy with fail2ban, it already caught one attempt on one and four on another server last night.
Amon.
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
David Rees wrote:
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server.
IMNSHO, this is a function of your firewall; it's not really dovecot's business. Look at some of the freeware IDS systems out there, which will monitor system logs and adjust firewall rules on the fly...
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
On 8/30/06, John Peacock jpeacock@rowman.com wrote:
David Rees wrote:
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server.
IMNSHO, this is a function of your firewall; it's not really dovecot's business. Look at some of the freeware IDS systems out there, which will monitor system logs and adjust firewall rules on the fly...
Got any suggestions on an IDS which may be suitable? Can't really be part of the firewall as the firewall in this case is a separate system and doesn't have the capability to detect failed dovecot logins, especially if they are using SSL.
-Dave
David Rees wrote:
Got any suggestions on an IDS which may be suitable? Can't really be part of the firewall as the firewall in this case is a separate system and doesn't have the capability to detect failed dovecot logins, especially if they are using SSL.
I'm still trying to figure that out for myself. ;-) Not knowing what firewall you are using, at least some of them support programmatically adding forbidden hosts (I know that Watchguard does).
As far as IDS's, Snort:
http://www.snort.org/
is one of the better known ones, and as soon as I can figure out how to slow the rotation of the Earth to provide for 50 hour days, I'll have some time to check it out... :0
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
http://www.ossec.net/ fail2ban looks interesting too, but doesn't appear to allow whitelisting? That could be bad.. Ken Pacific.Net
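A fail2ban-style detector for the log-scanning approach Dave and Amon describe (count Dovecot auth failures per source over a time window, then hand the address to an iptables rule), with the whitelisting Ken asks about. This is an added example, not code from the thread or from fail2ban itself: the auth_verbose line format, the names find_bans and ban_command, and the sample log lines are all assumed or constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Failure line logged by Dovecot's PAM backend with auth_verbose on; the exact wording is
# assumed here, so compare it with your own /var/log/secure before relying on the pattern.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth\(\w+\): "
    r"pam\((?P<user>[^,]+),(?P<ip>[^)]+)\): pam_authenticate\(\) failed"
)
EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year, strptime fills in 1900

def find_bans(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.0/8",)):
    """fail2ban-style sliding window: report an IP once it reaches maxretry failures
    inside findtime seconds, unless it falls in one of the ignoreip networks."""
    allow = [ip_network(net) for net in ignoreip]
    hits = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    bans = []                     # (ip, timestamp of the failure that tripped the ban)
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in allow):
            continue              # whitelisted: never counted, so never banned
        t = (datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") - EPOCH).total_seconds()
        q = hits[ip]
        q.append(t)
        while t - q[0] > findtime:
            q.popleft()           # forget failures older than the window
        if len(q) >= maxretry and ip not in [b for b, _ in bans]:
            bans.append((ip, m.group("ts")))
    return bans

def ban_command(ip):
    """Firewall action a banning tool would run for a hit (returned as text, not executed)."""
    return "iptables -I INPUT -s %s -p tcp -m multiport --dports 110,143,993,995 -j DROP" % ip

LINE = "{ts} mail dovecot: auth(default): pam({user},{ip}): pam_authenticate() failed: Authentication failure"
SAMPLE_EVENTS = (  # constructed sample, not taken from any real server
    [("Aug 31 02:10:%02d" % s, "bob", "203.0.113.7") for s in (1, 3, 4, 6, 8)]  # burst: banned
    + [("Aug 31 02:11:%02d" % s, "amy", "198.51.100.9") for s in (0, 30)]      # two typos: no ban
    + [("Aug 31 02:12:%02d" % s, "root", "127.0.0.1") for s in range(5)]        # localhost: ignored
    + [("Aug 31 %02d:%02d:00" % (hh, mm), "eve", "192.0.2.5")
       for hh, mm in ((1, 0), (1, 20), (1, 40), (2, 0), (2, 20))]               # slow: outside window
)
SAMPLE_LOG = [LINE.format(ts=ts, user=u, ip=ip) for ts, u, ip in SAMPLE_EVENTS]
```

Against a real log, `find_bans(open("/var/log/secure"))` returns the addresses that crossed the threshold, and each would be passed to `ban_command`, which is the step fail2ban's action runs for you. Widening findtime is what catches the slow attacker in the sample, at the cost of more false positives from users who mistype a password a few times an hour.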
David Rees wrote:
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server.
Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything.
It doesn't look like I can run dovecot under xinetd.
Any other ideas to help protect dovecot from brute force attacks? I don't think pam can help, can it?
Otherwise I need to figure out a way to have denyhosts trigger iptables rules or something, or maybe there's another application that will work?
-Dave
Ken A wrote:
http://www.ossec.net/ fail2ban looks interesting too, but doesn't appear to allow whitelisting? That could be bad.. Ken Pacific.Net
The next release of BlockSSHd (http://blocksshd.sourceforge.net/) will support blocking Dovecot authentication failures using iptables. I am just re-writing the blocking engine at the moment.
Regards
James Turnbull
-- James Turnbull james@lovedthanlost.net
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
James Turnbull wrote:
Ken A wrote:
http://www.ossec.net/ fail2ban looks interesting too, but doesn't appear to allow whitelisting? That could be bad.. Ken Pacific.Net
The next release of BlockSSHd (http://blocksshd.sourceforge.net/) will support blocking Dovecot authentication failures using iptables. I am just re-writing the blocking engine at the moment.
Cool! I need this for ssh dictionary attacks anyways, so I'll test it out now and then when the Dovecot changes are ready, I'll test it further...
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Blvd Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5747
On 2006-08-30 19:57:00 -0400, John Peacock wrote:
Cool! I need this for ssh dictionary attacks anyways, so I'll test it out now and then when the Dovecot changes are ready, I'll test it further...
[[[
# input_ext is the chain used on this host (SuSEfirewall2's external-zone chain); on a plain iptables setup it would be INPUT.
# A source already in the SSH list that has hit port 22 four or more times within 60 seconds is logged, then dropped.
iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force attack "
iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Any other new connection is recorded in the SSH list and accepted.
iptables -A input_ext -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
]]]
Works perfectly for me, and I don't need to rely on log files.
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
participants (9): Amon Ott, Charles Marcus, David Rees, Eric Rostetter, James Turnbull, John Peacock, Ken A, Marcus Rueckert, Mike