[Dovecot] Logging passwords on auth failure/dealing with botnets

/dev/rob0 rob0 at gmx.co.uk
Thu Aug 22 19:45:03 EEST 2013


On Thu, Aug 22, 2013 at 04:16:51PM +0000, Michael Smith (DF) wrote:
> Or another option, is there any good DNS based RBLs for botnet IPs, 
> and is there any way to tie that in to the dovecot auth system?  
> I've been looking for botnet rbls, but what I've found so far 
> doesn't seem to work very well.  Most of the IPs that I've had to 
> firewall don't exist in them.

I guess I would first have tried Spamhaus XBL, but I guess you 
checked that already.

The problem with using XBL, anyway, is that you might have legitimate 
logins from listed hosts. Example: a traveler using hotel wifi. We 
(TINW) really would need a new DNSBL type (or a special result) for 
this sort of abuse.

It's a nice idea, worth building upon, if someone can fund it (or 
find the time to develop it, which really amounts to the same thing.) 
Imagine also a Dovecot network of reporters, where brute force 
attempts worldwide are reported from Dovecots to the DNSBL, not 
merely a one-way tie-in.

I'd also suggest listing SSH brute force attacks in the same DNSBL, 
possibly with a different result (127.0.0.$port, so IMAP attackers 
list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to 
incorporate the third quad for ports > 255, but the general idea is 
for result codes to be both machine and human readable as much as 
possible.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
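The port-keyed result codes proposed above, worked through as an added example (this is not code from the post or from Dovecot). It assumes the unspecified third-quad layout is port // 256 in the third octet and port % 256 in the fourth, and it uses a placeholder zone name and constructed sample answers.

```python
# Added example, not from the original post or from Dovecot.
# Encodes/decodes the 127.0.X.Y DNSBL result addresses proposed above.
# ASSUMPTION: third octet = port // 256, fourth octet = port % 256; the post
# only says the third quad would be needed for ports > 255.
import ipaddress

DNSBL_ZONE = "bruteforce.dnsbl.example"   # placeholder zone name, not a real DNSBL

# Human-readable labels for the machine-readable result codes.
SERVICE_NAMES = {22: "ssh", 110: "pop3", 143: "imap", 587: "submission", 993: "imaps"}

def encode_result(port: int) -> str:
    """Map a service port to its DNSBL result address, e.g. 143 -> 127.0.0.143."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    high, low = divmod(port, 256)        # 143 -> (0, 143); 993 -> (3, 225)
    return f"127.0.{high}.{low}"

def decode_result(addr: str) -> int:
    """Recover the port from a result address; reject answers outside 127.0.0.0/16."""
    a, b, c, d = ipaddress.IPv4Address(addr).packed
    if a != 127 or b != 0:
        raise ValueError(f"not a result address from this zone: {addr}")
    return c * 256 + d

def reverse_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the query name for a client IP (octets reversed, then the zone)."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_services(answers) -> list:
    """Translate a set of A-record answers into sorted service labels."""
    ports = {decode_result(a) for a in answers}
    return sorted(SERVICE_NAMES.get(p, f"port-{p}") for p in ports)

def listed_for_service(answers, port: int) -> bool:
    """True only if the client is listed for the service being authenticated.

    Because listed hosts (hotel wifi, etc.) still produce legitimate logins,
    a match is a signal to throttle or tarpit, not a reason to reject outright.
    """
    return port in {decode_result(a) for a in answers}

# Constructed sample: what a resolver might return for one listed client.
SAMPLE_ANSWERS = ["127.0.0.22", "127.0.0.143", "127.0.3.225"]
```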
