[Dovecot] Using checkpassword to block ips?

Larry Ludwig larrylud at gmail.com
Wed Jun 18 21:47:11 EEST 2008


 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 15 Jun 2008 19:04:05 -0400
> From: "Larry Ludwig" <larrylud at gmail.com>
> Subject: [Dovecot] Using checkpassword to block ips?
> To: <dovecot at dovecot.org>
> Message-ID: <000601c8cf3c$1cd11130$0605a8c0 at tank>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi, new to the list, but we are a long-time user of Dovecot via the
> DirectAdmin control panel.
>  
> We, like everyone else, are seeing an increase in dictionary attacks on
> POP/IMAP.  We want to block them.
>  
> I've searched the mailing list and found that a few recommended fail2ban,
> which really won't work for our case. We need to do this over many machines
> and not one or two.  We also like to gather info at the network-wide level.
> Hackers know about attacking specific server/ips too often and we've seen
> much more distributed attacks that go under the radar of one server
> monitoring setup.
>  
> We've designed our own system and use a local RBL to distribute the blocked
> IPs.  For ftp and ssh attacks it's worked very well.  We would like to use
> the RBL to do the same with dovecot.
>  
> From my research it appears the best way to do this (and only currently) is
> with the checkpassword option.  I haven't gotten it to work yet.  We have:
>  
>         passdb checkpassword {
>                 args = /usr/local/bin/checkpassword 
>                 deny = yes
>         }
>  
> As the first auth..  This should reject the connection if the IP matches.
> checkpassword can see the TCPREMOTEIP environmental variable.
>  
> In the checkpassword script we have:
>  
> #!/usr/bin/perl
>  
> sub read_uinfo {
>   my($user,$passwd,$apop_ts);
>   open X,"<&=3" or exit 111;
>   $_ = <X>;
>   # ugly; should use sysread instead
>   ($user,$passwd,$apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
>   while (<X>) {};
>   close X;
>   return ($user,$passwd,$apop_ts);
> }
>  
> ($user,$passwd,$apop_ts)=$debug?(shift,shift,shift):read_uinfo;
>  
> $ipaddr=$ENV{TCPREMOTEIP};
> $result=system("/usr/sbin/checkdnsbl $ipaddr");
> if ( $result == 0) {
>         @ENV{"SHELL","USER","HOME"} = ($shell,$user,$home);
>         exit 0;
> }
> else {
>         exit 1;
> }
>  
> My questions are as follows:
> - Can the deny = yes be used with checkpassword?
> - What am I doing wrong with the script?  It should reject only the
> connections that are in the RBL.  It blocks all
>  

Bump..

No one can help with this setup or issue?

-L
--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/
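
Added example (not part of the original post and not Dovecot project code): the lookup core of a checkpassword-style RBL check like the one described above, written in Python so the DNS query is made in-process and TCPREMOTEIP is validated instead of being passed to a shell. Assumptions: the zone `rbl.example.invalid` and the `resolve` parameter are hypothetical, and the exit-code mapping (listed = 0) follows the `deny = yes` intent stated in the post, which the thread does not confirm.

```python
import ipaddress
import socket

# checkpassword exit codes: 0 = accepted, 1 = rejected, 111 = temporary error.
# Assumption: the passdb is a deny list, so "listed" is reported as 0.
EXIT_MATCH, EXIT_NO_MATCH, EXIT_TEMPFAIL = 0, 1, 111


def parse_fd3(record: bytes):
    """Split the "user\\0password\\0timestamp\\0" record read from fd 3."""
    fields = record.split(b"\0")
    if len(fields) < 4:                    # three fields, each NUL-terminated
        raise ValueError("malformed checkpassword record")
    return tuple(f.decode("utf-8", "replace") for f in fields[:3])


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone (192.0.2.10 -> 10.2.0.192.zone)."""
    addr = ipaddress.IPv4Address(ip)       # raises ValueError on anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def verdict(remote_ip, zone, resolve=socket.gethostbyname):
    """Map a DNSBL lookup for remote_ip onto a checkpassword exit code."""
    try:
        name = dnsbl_name(remote_ip or "", zone)
    except ValueError:
        return EXIT_TEMPFAIL               # missing or non-IPv4 TCPREMOTEIP
    try:
        answer = resolve(name)
    except socket.gaierror as err:
        # EAI_NONAME means the name does not exist: the address is not listed.
        if err.errno == socket.EAI_NONAME:
            return EXIT_NO_MATCH
        return EXIT_TEMPFAIL               # resolver trouble is not a verdict
    # DNSBLs answer with an address in 127.0.0.0/8 for listed entries.
    return EXIT_MATCH if answer.startswith("127.") else EXIT_NO_MATCH


if __name__ == "__main__":
    import os, sys
    try:
        with os.fdopen(3, "rb") as fd3:
            parse_fd3(fd3.read(512))       # consume and validate the record
    except (OSError, ValueError):
        sys.exit(EXIT_TEMPFAIL)
    # Placeholder zone; substitute the local RBL zone.
    sys.exit(verdict(os.environ.get("TCPREMOTEIP"), "rbl.example.invalid"))
```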


