under some kind of attack

Joseph Tam jtam.home at gmail.com
Thu Jul 20 23:54:24 EEST 2017


> I would like to create a fail2ban filter that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like to
> block anyone using those passwords.

With all the constraints and processing, I'll offer yet another option:
use the checkpassword password authentication scheme.  This will bypass
post-authentication log-sniffing and allow you direct access to username,
password and client IP (the last I'm not positive about) at authentication
time.

Now you'll have everything you need to do any wild and crazy auth
processing, including database searches and triggering firewall blocking
based on whatever criteria you want (including common password use).

As to how to integrate it into your dovecot, I'm not sure whether it's
best to supplant the LDAP method and authenticate within the checkpassword
script, or to put it as the first authentication method (ahead of LDAP)
to get first crack at inspecting authentication data, or the fallback
authentication method (after LDAP) to pick up all the failures.

However, after running honeypots, I can tell you that although BFD
attackers will commonly use passwords, any static list of abused passwords
will miss a lot.  (A common one they use is $password=variations($user)
or variation($domain)).  Number of auth failure limits should also be
a criterion for banning.  Extinct users are also good candidates for
instant banning.

Joseph Tam <jtam.home at gmail.com>
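To make the banning criteria discussed above concrete (a static password list, passwords derived from the user or domain, a failure-count limit, and extinct users), here is an added example that is not code from the thread or from Dovecot: it parses the auth_verbose_passwords log format quoted above and reports which client IPs meet a criterion. The password list, the known-user set, the threshold and the extra log lines are constructed assumptions.

```python
import re
from collections import Counter

# Log format quoted in the thread (auth_verbose_passwords enabled):
#   Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<sess>): invalid credentials (given password: password)
LINE_RE = re.compile(
    r"auth: Info: \w+\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): "
    r"invalid credentials \(given password: (?P<pw>.*)\)$"
)

COMMON_PASSWORDS = {"password", "123456", "qwerty"}  # constructed static list
KNOWN_USERS = {"user1", "user2"}                     # constructed; anything else is "extinct"
FAILURE_LIMIT = 3                                    # constructed threshold per client IP

# Two lines from the thread plus three constructed ones.
SAMPLE_LOG = """\
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)
Jul 20 11:10:25 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: user2123)
Jul 20 11:10:31 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: hunter2)
Jul 20 11:10:40 auth: Info: ldap(olduser@example.org,198.51.100.7,<abc>): invalid credentials (given password: example)
""".splitlines()

def parse_line(line):
    """Return {'user', 'ip', 'pw'} for an invalid-credentials line, else None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def looks_like_variation(pw, user):
    """True if pw is the login name or its domain, optionally padded with digits/punctuation."""
    local, _, domain = user.partition("@")
    candidates = {local}
    if domain:
        candidates.update({domain, domain.split(".")[0]})
    p = pw.lower()
    return any(p.startswith(c.lower()) and p[len(c):].strip("0123456789!.@#") == ""
               for c in candidates)

def evaluate(lines):
    """Return {ip: sorted list of triggered criteria} for IPs worth banning."""
    failures, reasons = Counter(), {}
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        ip, user, pw = ev["ip"], ev["user"], ev["pw"]
        failures[ip] += 1
        hits = reasons.setdefault(ip, set())
        if pw in COMMON_PASSWORDS:
            hits.add("common-password")
        if looks_like_variation(pw, user):
            hits.add("user-or-domain-variation")
        if user not in KNOWN_USERS:
            hits.add("extinct-user")
        if failures[ip] >= FAILURE_LIMIT:
            hits.add("failure-limit")
    return {ip: sorted(r) for ip, r in reasons.items() if r}
```

The same checks could run inside a checkpassword script at authentication time instead of over the log, which avoids logging plaintext passwords at all.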


More information about the dovecot mailing list