Hi,

we have recently been hit by a couple of brute force password attacks against dovecot. So what I want to do now is to add dovecot to fail2ban in order to block further attacks.

However, I don't seem to be able to find out password verification failures for our LDAP based user data.

The only thing I see are loads of lines like these in the logfiles:

-------CUT-------
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
-------CUT-------

Googling the web I found that PAM based authentication obviously gives a matchable error message, but for some reason the ldap backend does not - or does it?

Any pointers highly appreciated :-)

dovecot -n says this:

-------CUT-------
# 1.0.15: /etc/dovecot/dovecot.conf
log_path: /var/log/dovecot.log
protocols: imaps imap pop3
listen: 81.16.98.99
ssl_listen(default): 81.16.98.99
ssl_listen(imap): 81.16.98.99
ssl_listen(pop3):
ssl_cert_file: /etc/bestsolution/ssl/mail.bestsolution.at-cert.pem
ssl_key_file: /etc/bestsolution/ssl/mail.bestsolution.at-key.pem
ssl_parameters_regenerate: 24
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 9
mail_access_groups: mail
mail_privileged_group: mail
default_mail_env: mbox:~/mail/:INBOX=/var/mail/%u
mail_location: mbox:~/mail/:INBOX=/var/mail/%u
mmap_disable: yes
lock_method: dotlock
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %v.%u
auth default:
  mechanisms: plain digest-md5 cram-md5 login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
-------CUT-------

--
Udo Rader, CTO
http://www.bestsolution.at
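
Added example, not part of the original post: a Python regex for the login-process `Disconnected` lines quoted above, used to group events by `rip` and flag sources that cycle through several user names. It assumes such a line marks a session that ended in the login process; the `Login:` line, the `192.0.2.10` address and the `min_users` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first three lines are the ones quoted in the post,
# the last two are constructed to show lines that must not be flagged.
SAMPLE_LOG = """\
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:10:02 Info: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=81.16.98.99
dovecot: Nov 30 09:10:05 Info: imap-login: Disconnected: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=81.16.98.99
"""

# Anchored at both ends so a user-supplied name cannot smuggle in a fake
# "rip=" field: the user value is everything up to the first '>'.
LINE_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d+ [\d:]{8}) Info: "
    r"(?P<svc>pop3|imap)-login: Disconnected: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=[0-9A-Fa-f.:]+\s*$"
)

def parse_disconnects(text):
    """Return (rip, user) for every login-process Disconnected line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["rip"], m["user"]))
    return events

def suspicious_sources(text, min_users=3):
    """Map each rip to its sorted user names if it tried >= min_users names."""
    users_by_ip = defaultdict(set)
    for rip, user in parse_disconnects(text):
        users_by_ip[rip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}

if __name__ == "__main__":
    for ip, users in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct users: {', '.join(users)}")
```

Counting distinct user names per address, rather than raw line counts, keeps a single user who mistypes a password a few times from being treated like a dictionary run.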
