[Dovecot] limiting number of login attempts from same ip

Nikolaos Milas nmilas at noa.gr
Thu Jun 16 13:12:15 EEST 2011


On 16/6/2011 12:34 AM, Ed W wrote:

> I don't see why fail2ban would have anything to do with ipv6 since it
> simply runs a script when something needs doing? Just adapt your script?
> Not having tried it, but possibly the regexps need tweaking also?

Thanks Ed. You could be right. It could work, *if* fail2ban engine does 
not do any particular internal processing with IP addresses in order to 
implement the rules logic (which I doubt; for example, when it adds 
iptables rules, it refers to ip address as <ip> - see below). In the 
official fail2ban site: 
http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6, 
we don't see any solution related to IPv6.

If it's feasible, I wonder why we can't find anything about that on the 
Internet or on the fail2ban site. No one has done it yet? On the contrary, 
we can find ample "complaints" that fail2ban won't work with IPv6. 
Nowhere can we find ipv6 "filters" and "actions" for fail2ban. If 
someone (has time and) is sufficiently competent with 
iptables/ip6tables, then he could try to prepare such actions (and 
create filters with regex expressions to catch ipv6 events from logs 
too) and then give it a try.

For example, one could then add in jail.conf (after creating 
dovecot-pop3imap-ipv6.conf and ip6tables-multiport.conf):
   [dovecot-pop3imap-ipv6]
   enabled = true
   filter = dovecot-pop3imap-ipv6
   action = ip6tables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
   logpath = /var/log/dovecot.log
   maxretry = 10
   findtime = 600
   bantime = 1800

My guess is that fail2ban engine must be extended to "understand" ipv6 
addresses and handle ip6tables appropriately.

> On a related note, recent kernels (and old kernels can build a module)
> implement "ipset".  This is a way to implement a named hash of
> IPs/Ports/MACs, etc.  The point is to use a single iptables rule to do
> something with your ipset, then you have the ability to dynamically
> alter the ipset as you will without needing to reload iptables rules

It sounds interesting. I'll take a look at it, when I have time. Still, 
one would have to update fail2ban (and/or other software) to use ipset 
instead of standard iptables (which will take at least some effort).

> (I believe that iptables is still unable to be altered dynamically? Each
> time you *think* you are inserting a rule, actually you are dropping the
> entire ruleset, then reinserting the entire new ruleset with one extra
> rule. This creates a window of opportunity each time you innocently
> insert a new rule. Further it explains the O(n^2) speed of running
> "iptables -A" or similar)

Actually, iptables can be altered dynamically. For example, the 
iptables-multiport action does:
     actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
     actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

"iptables -A" runs only when fail2ban starts.

Nick
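As an added illustration (not code from this thread, from fail2ban or from Dovecot): the maxretry/findtime logic of the jail sketched above, written as a small Python sliding-window counter that parses the rip= field of dovecot auth-failure lines, treats IPv4 and IPv6 addresses alike, and builds the actionban command from the post with ip6tables substituted when the address is IPv6. The log lines, the addresses and the jail name are constructed assumptions, and the command is only built, not executed.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# dovecot logs "rip=<address>" on auth failures; the character class accepts
# both dotted-quad IPv4 and colon-hex IPv6 (fail2ban's <HOST> tag at the time
# of this thread matched only IPv4, which is the gap discussed above).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed.*?\).*?rip=(?P<ip>[0-9A-Fa-f.:]+)"
)

def parse_line(line, year=2011):
    """Return (timestamp, ip_address) for an auth-failure line, else None."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m.group("ip"))

def find_bans(lines, maxretry=10, findtime=600):
    """Yield (ip, time) when an address hits maxretry failures within findtime seconds."""
    window, banned = defaultdict(deque), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue
        ts, ip = parsed
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
            yield ip, ts

def ban_command(ip, name="dovecot-pop3imap"):
    """The post's actionban line, switched to ip6tables for an IPv6 address."""
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return f"{tool} -I fail2ban-{name} 1 -s {ip} -j DROP"

def sample_log():
    """Constructed lines in dovecot's auth-failure format (not a real capture)."""
    tpl = ("Jun 16 12:{m:02d}:00 mail dovecot: imap-login: Disconnected (auth failed, "
           "1 attempts): user=<bob>, method=PLAIN, rip={ip}, lip=2001:db8::2")
    v6 = [tpl.format(m=i, ip="2001:db8::bad") for i in range(10)]     # 10 hits in 9 minutes
    v4 = [tpl.format(m=5 * i, ip="192.0.2.7") for i in range(10)]     # 10 hits spread over 45 min
    return sorted(v6 + v4)
```

With the jail's values (maxretry 10, findtime 600) only the IPv6 source trips the threshold; the IPv4 source makes the same number of attempts but never ten inside one ten-minute window.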
