Re: dictionary attack defense

Wed, 22 Oct 2014 01:56:53 -0700 


Am 22.10.2014 um 05:59 schrieb Cliff Hayes:

a) I read about auth_failure_delay even before I posted my question and
I could not figure out the one-line explanation in the dovecot wiki:
"Number of seconds to delay before replying to failed authentications."
  It's delaying a reply.  Does that mean the hacker can keep asking as
fast as he wants?  Is it per user or per IP?


it does not help him to ask fast
he needs responses too and can't open endless connections parallel


b) I'm familiar with mail_max_userip_connections = x, but I'm not
familiar with the time limit you mention.


iptables


    0     0 REJECT     tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 110,143,993,995 ctstate NEW 
recent: UPDATE seconds: 1800 hit_count: 100 name: dovecot2 side: source 
mask:

 255.255.255.255 reject-with icmp-port-unreachable

    4   256 REJECT     tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 110,143,993,995 ctstate NEW 
recent: UPDATE seconds: 300 hit_count: 50 name: dovecot1 side: source 
mask: 2

55.255.255.255 reject-with icmp-port-unreachable

    0     0 REJECT     tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 25,465,587 ctstate NEW recent: 
UPDATE seconds: 1800 hit_count: 75 name: postfix2 side: source mask: 255.2

55.255.255 reject-with icmp-port-unreachable

    9   448 REJECT     tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 25,465,587 ctstate NEW recent: 
UPDATE seconds: 300 hit_count: 40 name: postfix1 side: source mask: 255.25

5.255.255 reject-with icmp-port-unreachable

    0     0 DROP       udp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            ctstate NEW recent: UPDATE seconds: 2 hit_count: 75 
name: udpflood side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            ctstate NEW recent: UPDATE seconds: 2 hit_count: 75 
name: DEFAULT side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 25,80,443,465,587 tcp 
flags:0x17/0x02 #conn src/32 > 75
    0     0 DROP       tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 25,80,443,465,587 tcp 
flags:0x17/0x02 #conn src/24 > 150
    0     0 DROP       tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 25,80,443,465,587 tcp 
flags:0x17/0x02 #conn src/16 > 175
    0     0 DROP       tcp  --  eth0   *      !192.168.196/24 
0.0.0.0/0            multiport dports 25,80,443,465,587 tcp 
flags:0x17/0x02 #conn src/8 > 200



On 10/21/2014 5:02 PM, Reindl Harald wrote:



Am 21.10.2014 um 23:28 schrieb Cliff Hayes:

Does dovecot have any dictionary attack defenses yet?
In the past I have had to implement defense from outside dovecot, but
since dovecot is at the front lines and therefore is the first to know
I'm hoping by now there is something we can set.  For example, a limit
on access failures per minut/hour/day or some such.  If not why not?


no - but you can set "auth_failure_delay = 5" and limit new connections
per IP to something around 40 per 5 minutes and 100 per 30 minutes which
stops many of them or at least limit the amount of tries dramatically





Attachment:
signature.asc

Description: OpenPGP digital signature






















					Reply via email to