[Dovecot] script to detect dictionary attacks

Professa Dementia professa at dementianati.com
Sun Apr 7 00:48:00 EEST 2013 

On 4/6/2013 2:13 PM, Max Pyziur wrote:
> On Sat, 6 Apr 2013, Reindl Harald wrote:

>> if it is some ISP from a country far away -> block it
>> if it is the fivth attempt from this ISP -> block the whole subnet
>>
>> if it is a major ISP of the country i live (asutria) -> only absue
>> mail to the ISP
>
> I understand the logic; I set a low threshold to label something being a
> threat for anything originating in China; the threshold is higher for
> things closer to home, since most of the traffic to the one server I
> control is from there.
>


The problem with a non-automated system, such as manually blocking 
China, is that it does not easily and quickly adapt.

Both of the following I have experienced:

1) Excessive spam and hacking from China.  I blocked China.  Then I got 
a client that did business in China and had a branch office there. 
Suddenly I cannot block login attempts from China.  And the users 
complains loudly about the excessive reject rate of legitimate emails 
from Chinese customers due to the spam filters.  Also, legitimate users 
in China pick weak passwords which get hacked.  Convincing the customer 
to improve passwords, security, use a VPN for Chinese users to access 
email so I can block China again were unsuccessful.

While this is a bit beyond the scope of this list, the underlying 
problem is that in many far east countries, hacking is not illegal and 
thus there is no fear of getting caught, since there is no punishment. 
The real solution is to change those laws and have those countries 
enforce the laws.  Good luck with that, however.


2) I tried compiling a list of IPs used for hacking.  As a test, I 
manually put them into the firewall to see if that stops anything. 
Results were that a single IP will attempt to brute force several 
hundred passwords, but then I never hear from that IP again, so the 
firewall block was pointless.  However another, seemingly unrelated IP, 
takes up the brute force attack.  Without an automated system, like 
fail2ban, I am just playing Whack-A-Mole and never actually manage to 
block any attempts.

In a different scenario, I also see 1-2 attempts from each IP in a group 
of thousands of IPs.  These IPs do have legitimate users within them, so 
I cannot block whole IP ranges.

All these indicate that the brute force attacks are being implemented on 
zombie nets.

I do not see a perfect solution, or even a good one.  A mediocre 
solution is a combination of fail2ban (which I have implemented), and 
enforcing strong passwords.

A feature that would be nice is if Dovecot could detect that X bad 
attempts for a given User ID happen in Y time, then that User ID is 
blocked (always gives back a bad authentication, even if the correct 
password is entered) for Z time.  Also, Dovecot could slow down its 
reply, much like a tarpit.  These would be configurable.

For example, if 3 bad password attempts are received for user at domain.com 
within 2 minutes, then the user is blocked for 10 minutes.  That with 
strong passwords will make the system reasonably safe from zombie net 
attacks.  Also, the tarpit feature would slow down the attacks and ease 
the bandwidth issue.

I am very willing to work with anyone on a solution that works better 
than these methods.  As I see it, in order for a blacklist to work, it 
has to be large and distributed, like the spam blacklists are.  Dovecot 
would need to report to the blacklist cloud, any IPs that it detects are 
being used to launch attacks.  This is a big undertaking.

Dem

More information about the dovecot mailing list