Recommendations on intrusion prevention/detection?
Joseph Tam
jtam.home at gmail.com
Thu Apr 23 00:28:00 EEST 2020
On Wed, 22 Apr 2020, Johannes Rohr wrote:
> It is a pity that the IMAP protocol does not support 2 factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks.
You could use VPN, which can enforce 2FA.
You can hack 2FA into IMAP or any protocol where you can control
the backend authenticator. It's easier with time-based OTP
(TOTP) token generators. Authenticate using the usual username and the
concatenation of (user-password)(otp-token), then invalidate the otp-token
to foil replay attacks.
The backend will have to split the credentials into individual factors
that can be checked separately.
> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?
Start by defining "unusual". Once you have a characterization of unusual,
implement the detection. For example,
- more than <n> failures?
- attempt to authenticate to non-existent generic accounts e.g. "root"?
- weird time of day?
- authentication from implausible geographic regions (e.g. Chad)?
- logins from multiple geolocations in short time frames?
As the saying goes regarding the value of prevention vs cure, enforce
good security habits for your users: password strength, endpoint malware
protection, skepticism, etc.
Joseph Tam <jtam.home at gmail.com>
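As an added illustration of the password+TOTP concatenation scheme described in the reply above (example code, not part of the original post or of Dovecot): the backend strips the fixed-width OTP suffix, checks each factor separately, and records consumed time-step counters so the same token cannot be replayed. The user table and secret are constructed sample data; a real backend would store a salted password hash and protect the TOTP seed.

```python
import hmac, hashlib, struct, time
from typing import Dict, Optional, Set, Tuple

TOTP_DIGITS = 6
TOTP_STEP = 30  # seconds per time step (RFC 6238 default)

# Constructed sample backend: user -> plaintext password and raw TOTP seed.
# Assumed data for the example only; store a password hash in practice.
USERS = {"alice": {"password": "correct horse battery",
                   "totp_secret": b"12345678901234567890"}}

# Per-user set of already-consumed TOTP counters, used to reject replays.
USED_COUNTERS: Dict[str, Set[int]] = {}


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1; TOTP is HOTP over a time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(combined: str, digits: int = TOTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Split '<password><otp>' into its factors; the OTP is the fixed-width digit suffix."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def authenticate(user: str, combined: str, now: Optional[float] = None, window: int = 1) -> bool:
    """Check password and TOTP separately; consume the matching counter to foil replay."""
    now = time.time() if now is None else now
    record, parts = USERS.get(user), split_credential(combined)
    if record is None or parts is None:
        return False
    password, otp = parts
    if not hmac.compare_digest(password.encode(), record["password"].encode()):
        return False
    counter = int(now // TOTP_STEP)
    used = USED_COUNTERS.setdefault(user, set())
    # Accept +/- `window` steps of clock skew, but never a counter already used.
    for c in range(counter - window, counter + window + 1):
        if c not in used and hmac.compare_digest(hotp(record["totp_secret"], c), otp):
            used.add(c)  # invalidate this token: a second submission fails
            return True
    return False
```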