log failed plaintext password for specific user only

Joseph Tam jtam.home at gmail.com
Wed Mar 23 21:22:31 UTC 2022


On Wed, 23 Mar 2022, mj wrote:

> We are currently observing a high number of failed authentications for a 
> specific user, coming from *many* different IPs across the globe, with most 
> IPs only trying once or twice, making this difficult to block. The number of 
> failed authentications causes this account to regularly become blocked in AD.
>
> We would like to know if they are trying older actual passwords from the 
> user, or if it's just a dictionary attack.

Rather than messing around with dovecot configuration, I think you can
process trace (strace?) the auth process and intercept read/write buffers
to a few key low numbered sockets and extract username/plaintext passwords from
them, filtering out those you don't need.

Sort of hacky, but it avoids messing about with dovecot, or even restarting
it.

You can possibly extend this by taking the auth information, and triggering
a block if you recognize it as a dictionary attack, but it may be too
late as your AD will see it by that point.

Joseph Tam <jtam.home at gmail.com>
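An added illustration of the classification step the thread is after (not code from either poster or from dovecot): once username/password pairs have been captured as suggested above, the script fingerprints each attempted password with a salted PBKDF2 hash and compares it against fingerprints of the user's retired passwords, so it can tell credential reuse from a dictionary attack without ever storing plaintext. The salt, the password history and the attempt records are all constructed sample data.

```python
import hashlib

# Constructed salt for illustration only; a real deployment would keep its own secret salt.
SALT = b"constructed-salt-value"

def fingerprint(password: str) -> str:
    """Salted, slow hash so plaintext never has to be retained or logged."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()

# The user's retired passwords, kept only as fingerprints (constructed sample values).
OLD_FINGERPRINTS = {fingerprint(p) for p in ("Winter2019!", "Spring2020!")}

# Constructed failed-auth attempts: (source_ip, username, attempted_password),
# in the shape the intercepted auth traffic would yield after extraction.
ATTEMPTS = [
    ("198.51.100.7", "mj", "Winter2019!"),
    ("203.0.113.21", "mj", "password1"),
    ("203.0.113.22", "mj", "123456"),
    ("203.0.113.23", "mj", "Spring2020!"),
    ("203.0.113.24", "mj", "letmein"),
    ("198.51.100.9", "other", "qwerty"),
]

def classify(attempts, target_user, old_fingerprints):
    """Summarise failed attempts against one user; plaintext is dropped after hashing."""
    fps = [(ip, fingerprint(pw)) for ip, user, pw in attempts if user == target_user]
    total = len(fps)
    if total == 0:
        return {"total": 0, "verdict": "no attempts"}
    distinct_pw = len({fp for _, fp in fps})
    reuse_hits = sum(1 for _, fp in fps if fp in old_fingerprints)
    distinct_ips = len({ip for ip, _ in fps})
    if reuse_hits:
        verdict = "credential reuse: retired passwords are being tried"
    elif distinct_pw / total > 0.8:
        verdict = "dictionary attack: nearly every guess is a new password"
    else:
        verdict = "repeated guessing of a few passwords"
    return {"total": total, "distinct_passwords": distinct_pw,
            "reuse_hits": reuse_hits, "distinct_ips": distinct_ips, "verdict": verdict}

if __name__ == "__main__":
    print(classify(ATTEMPTS, "mj", OLD_FINGERPRINTS))
```

A reuse hit is the signal that old passwords have leaked and the account's history needs attention; a pure dictionary pattern points at rate limiting or lockout tuning on the mail side before AD sees the failures.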
