<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Just a few comments.<br>
<br>
- The command below drops ALL future connections to the IMAP ports
and not just the one from that specific IP address. <br>
- It all depends on the ordering of the rest of your iptables rules.
A lot of iptables setups have an accept related / established at the
top of the INPUT chain, and then indeed the traffic will continue as
long as the connection is established. If you put a correct drop
rule at the top of your iptables INPUT chain it will block all
traffic, including any related/established.<br>
<br>
Fail2Ban is able to insert such a drop rule at the top of the INPUT
chain and thereby block all further tries.<br>
This is exactly how I have set up my fail2ban, and it works.<br>
<br>
The first few lines of my iptables input chain look like this:<br>
<br>
<pre>
  29M 2249M f2b-dovecot  tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   multiport dports 110,143,993,995
9969K 2545M f2b-sasl     tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   multiport dports 25,465
9691K 2788M ACCEPT       all  --  lo  *   0.0.0.0/0   0.0.0.0/0
 134M  257G ACCEPT       all  --  *   *   0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
</pre>
<br>
Jan Hugo Prins<br>
<br>
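The ordering point made above, worked through as an added example (not code from
this thread, from fail2ban or from Dovecot): a small model of the INPUT chain as
listed in the message, evaluated first-match-wins the way the kernel walks it, next
to the log-driven ban that a fail2ban-style monitor performs. The Dovecot log lines,
the addresses and the chain name <code>f2b-dovecot</code> are constructed for the
example; the rule layout follows the listing (f2b chains first, then lo, then
RELATED,ESTABLISHED).<br>
<br>
```python
"""Added example: INPUT-chain ordering vs. an already-open IMAP session, plus
the log-driven ban a fail2ban-style monitor issues.  Not code from the thread,
fail2ban or Dovecot.  Constructed inputs: the log lines (RFC 5737 addresses),
the chain contents and the chain name f2b-dovecot."""
import re
from dataclasses import dataclass

# Shape of Dovecot's imap-login auth-failure line; rip= is the client address.
AUTH_FAIL = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts[^)]*\)"
    r".*?rip=(?P<rip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = [
    "May 23 21:05:12 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): "
    "user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS",
    "May 23 21:05:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=198.51.100.4, lip=192.0.2.10, TLS",
    "May 23 21:06:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS",
    "May 23 21:07:15 mail dovecot: imap-login: Disconnected (auth failed, 5 attempts in 30 secs): "
    "user=<admin>, method=PLAIN, rip=203.0.113.42, lip=192.0.2.10, TLS",
]

IMAP_PORTS = "110,143,993,995"


def failed_attempts(lines):
    """Total failed login attempts per client address (what the log monitor counts)."""
    counts = {}
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group("rip")] = counts.get(m.group("rip"), 0) + int(m.group("attempts"))
    return counts


def setup_commands(chain="f2b-dovecot", ports=IMAP_PORTS):
    """Run once: create the ban chain and hook it in at rule 1 of INPUT, above
    the RELATED,ESTABLISHED accept, so a ban also hits an open session."""
    return [
        f"iptables -N {chain}",
        f"iptables -I INPUT 1 -p tcp -m multiport --dports {ports} -j {chain}",
    ]


def ban_command(ip, chain="f2b-dovecot"):
    """Per offender: match the *source* address (-s), i.e. the client's."""
    return f"iptables -I {chain} 1 -s {ip} -j DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    established: bool   # conntrack state as the `state` match would see it


def input_chain(banned, ban_position="top"):
    """Model of the INPUT chain as (name, match, target), first match wins.
    The jump into f2b-dovecot is collapsed into one rule dropping banned sources."""
    f2b = ("f2b-dovecot", lambda p: p.dport in (110, 143, 993, 995) and p.src in banned, "DROP")
    lo = ("ACCEPT lo", lambda p: p.src == "127.0.0.1", "ACCEPT")
    state = ("ACCEPT RELATED,ESTABLISHED", lambda p: p.established, "ACCEPT")
    if ban_position == "top":
        return [f2b, lo, state]
    return [lo, state, f2b]          # ban appended below the state rule


def verdict(chain, pkt):
    """Walk the chain like the kernel does; return (target, rule) or the policy."""
    for name, match, target in chain:
        if match(pkt):
            return target, name
    return "policy", None


if __name__ == "__main__":
    offenders = failed_attempts(SAMPLE_LOG)
    for cmd in setup_commands() + [ban_command(ip) for ip in offenders]:
        print(cmd)
    # A packet on the session that is still open after the failed logins:
    open_session = Packet("203.0.113.7", 143, established=True)
    for pos in ("top", "after_state"):
        print(pos, verdict(input_chain(set(offenders), pos), open_session))
```
<br>
Two details the example relies on: <code>iptables -I</code> with no rule number
inserts at position 1, so a plain <code>-I INPUT</code> already lands above the
RELATED,ESTABLISHED rule, and the address to block is the client's, which is matched
with <code>-s</code> (<code>-d</code> matches the destination, i.e. the server side).
Dropping the packets of an open session at the head of INPUT stops the client from
getting any further attempt through, but it does not close the socket on the server:
the imap process keeps that session until its own timeout expires.<br>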
<br>
<div class="moz-cite-prefix">On 5/23/22 23:16, Hippo Man wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK1LP6nqpGny6dAdZT54CBL=95XJ4c9yjZR7Uec_az1TP5BUdA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>OOPS! I incorrectly copied and pasted the iptables command
in my previous message. Here is the correct iptables command:<br>
<br>
iptables -I INPUT -p tcp -m multiport --destination-port
143,993 -d aaa.bbb.ccc.ddd -j DROP</div>
<div><br>
</div>
<div>This command successfully blocks *future* connections to
ports 143 and 993 from that IP address, but as I mentioned, it
doesn't kill the currently open connection.<br>
</div>
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div><br>
</div>
<div>-- <br>
<a href="mailto:hippoman@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">hippoman@gmail.com</a><br>
Take a hippopotamus to lunch today.<br>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, May 23, 2022 at 4:54
PM Hippo Man <<a href="mailto:hippoman@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">hippoman@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Thank you, but fail2ban doesn't do what I need. Here
is why ...</div>
<div><br>
</div>
<div>I have used fail2ban and also my own homegrown log
monitor program for this purpose. In both cases, I can
detect the failed imap logins and then cause the
following command to be run ...</div>
<div><br>
</div>
<div>iptables -I INPUT -p tcp --destination-port
aaa.bbb.ccc.ddd -j DROP</div>
<div><br>
</div>
<div>However, this does not drop connections that are
existing and already open. It will only drop *future*
connections from that IP address to port 143.<br>
</div>
<div><br>
</div>
<div>This is why I want to kill the existing connection.
Even after that "iptables" command is issued, the entity
which is connected to the imap port can continue to send
more and more imap commands.</div>
<div><br>
</div>
<div>If I can drop the TCP connection as soon as an imap
login fails and also issue that kind of "iptables"
command, then the client would have to reconnect in
order to retry other login attempts. Those future
connections would then be successfully blocked by that
iptables rule.</div>
<div><br>
</div>
<div>And even if I issue a "tcpdrop" command instead of
just the "iptables" command, it doesn't kill the
already-open connection. It just force-blocks future
connections.</div>
<div><br>
</div>
<div>I'm thinking of patching the dovecot source code to
create a personal version which immediately disconnects
from the socket after login failure. Of course, I would
prefer not to do that, if there is another way to
accomplish this.<br>
</div>
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<div>-- <br>
<a href="mailto:hippoman@gmail.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">hippoman@gmail.com</a><br>
Take a hippopotamus to lunch today.<br>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, May 23, 2022 at
4:24 PM Jan Hugo Prins <<a
href="mailto:jhp@jhprins.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">jhp@jhprins.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> Look at fail2ban.<br>
Should be able to do that for you.<br>
<br>
Jan Hugo<br>
<br>
<br>
<div>On 5/23/22 21:11, Lloyd Zusman wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I'm running dovecot 2.2.13 under Debian 8.</div>
<div>
<p>I'd like to force an immediate TCP socket
disconnect after any imap login attempt that
fails.</p>
<p>Right now, if invalid credentials are
supplied during an imap login, the client can
keep retrying logins with different
credentials. However, I want to prevent that
from occurring by causing the socket
connection to be closed as soon as there is
any failed login attempt.</p>
<p>I haven't been able to find any <code>dovecot</code>
configuration setting which could control this
behavior, but I'm hoping that I just missed
something.</p>
<p>Thank you very much for any suggestions.</p>
</div>
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>-- <br>
<a href="mailto:hippoman@gmail.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">hippoman@gmail.com</a><br>
Take a hippopotamus to lunch today.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</body>
</html>