Force TCP socket disconnect on imap login failure?
John Hardin
jhardin at impsec.org
Wed May 25 01:55:36 UTC 2022
On Tue, 24 May 2022, Hippo Man wrote:
> I have already been doing the following for the past year or so: as soon as
> I detect (via my own, homegrown fail2ban-like log monitoring utility) what
> I deem to be attempts to log in via imap or pop3 with a dictionary password
> attack, I immediately do a DROP via iptables. Yes, this will block all
> future connection attempts from the same host, but unfortunately, it doesn't
> stop the following scenario, which regularly occurs on my server ...
>
> * Hacker connects via imap or pop3 to my server.
> * Hacker makes numerous login attempts one after the other with various
> passwords, and without disconnecting in between attempts. I've seen 10 and
> more of these repeated attempts rapidly during a single imap or pop3
> connection.
>
> Simply using iptables to DROP or REJECT the connection does not prevent
> those repeated login attempts during the original imap or pop3 session.
> Again, this only prevents *future* connections via that host.
It should block all subsequent packets received from that IP address,
immediately. An in-process connection would appear (to the client) to
hang.
Either there is an ACCEPT rule for related traffic somewhere in the chain
before your new DROP rule, which is matching first and allowing the
existing connection's packets through, or your DROP rule is malformed and
not actually matching the traffic.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
724 days since the first private commercial manned orbital mission (SpaceX)
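As an added illustration of the two explanations given above (example code written for this archive page, not part of the thread and not a Dovecot or netfilter tool), the script below models the first-match traversal of an INPUT chain and evaluates the banned host's next packet in three layouts: the DROP sitting below a stateful ACCEPT, the DROP inserted at the top of the chain, and a DROP that names the wrong address. The rule table, the address 203.0.113.7 and the "wrong address" 203.0.113.70 are constructed; the chain policy is assumed to be ACCEPT.

```shell
#!/bin/sh
# Added example, not from the thread: a small model of how netfilter walks the
# INPUT chain (first matching rule wins, otherwise the chain policy) to show
# why the position of a ban rule decides whether an already-established
# IMAP/POP3 session is cut off. It never touches a real firewall. A rule set is
# a constructed text table, one rule per line:
#     <conntrack state | any>  <source address | any>  <verdict>
# standing for e.g.  -m conntrack --ctstate ESTABLISHED -j ACCEPT
#                    -s 203.0.113.7 -j DROP
# 203.0.113.7 is a documentation address used here as the banned client.

ATTACKER=203.0.113.7

# verdict "CHAIN" SRC CTSTATE -> prints the verdict of the first rule that
# matches a packet from SRC in conntrack state CTSTATE, or the chain policy.
verdict() {
    chain=$1; src=$2; ctstate=$3
    while read -r r_state r_src r_verdict; do
        [ -z "$r_verdict" ] && continue                       # skip blank lines
        if { [ "$r_state" = any ] || [ "$r_state" = "$ctstate" ]; } &&
           { [ "$r_src" = any ] || [ "$r_src" = "$src" ]; }; then
            printf '%s\n' "$r_verdict"
            return 0
        fi
    done <<EOF
$chain
EOF
    printf 'ACCEPT\n'      # chain policy ACCEPT, assumed as on a default install
}

# Case 1: the stateful ACCEPT is above the ban, e.g. the ban script ran
#   iptables -I INPUT 2 -s $ATTACKER -j DROP
# under an existing "--ctstate ESTABLISHED,RELATED -j ACCEPT" at position 1.
# New connections from the host are dropped, but packets of the session that
# is already open still match rule 1 and keep flowing: the symptom in the question.
chain_ban_below_state() {
    printf '%s\n' "ESTABLISHED any ACCEPT" "any $ATTACKER DROP" "NEW any ACCEPT"
}

# Case 2: the ban is inserted at the top of the chain, e.g.
#   iptables -I INPUT 1 -s $ATTACKER -j DROP
# Every packet from the host, including the open session, is dropped, so the
# client's in-progress login loop simply hangs.
chain_ban_on_top() {
    printf '%s\n' "any $ATTACKER DROP" "ESTABLISHED any ACCEPT" "NEW any ACCEPT"
}

# Case 3: a malformed ban (constructed: the script extracted 203.0.113.70 from
# the log line instead of 203.0.113.7). Nothing matches, so neither the open
# session nor new connections are affected.
chain_ban_wrong_address() {
    printf '%s\n' "ESTABLISHED any ACCEPT" "any 203.0.113.70 DROP" "NEW any ACCEPT"
}

# Verdicts for the attacker's next packet on the open session (ESTABLISHED)
# and for its next fresh connection attempt (NEW).
established_below_state() { verdict "$(chain_ban_below_state)" "$ATTACKER" ESTABLISHED; }
new_below_state()         { verdict "$(chain_ban_below_state)" "$ATTACKER" NEW; }
established_on_top()      { verdict "$(chain_ban_on_top)" "$ATTACKER" ESTABLISHED; }
new_on_top()              { verdict "$(chain_ban_on_top)" "$ATTACKER" NEW; }
established_wrong_addr()  { verdict "$(chain_ban_wrong_address)" "$ATTACKER" ESTABLISHED; }

# Command a ban script can emit once the ordering is understood: insert at
# position 1, and only if an identical rule is not already present
# (iptables -C exits 0 when the rule exists).
ban_host_cmd() {
    printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT 1 -s %s -j DROP\n' "$1" "$1"
}

printf 'ban below stateful ACCEPT: established=%s new=%s\n' "$(established_below_state)" "$(new_below_state)"
printf 'ban at top of chain:       established=%s new=%s\n' "$(established_on_top)" "$(new_on_top)"
printf 'ban with wrong address:    established=%s\n' "$(established_wrong_addr)"
printf 'command to run: %s\n' "$(ban_host_cmd "$ATTACKER")"
```

On a real host the quick check for the first hypothesis is `iptables -L INPUT -n -v --line-numbers`: if the conntrack ACCEPT line has a lower number than the DROP line, the open session keeps matching the ACCEPT, and the packet counters on the two rules show which one is actually seeing the traffic.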