On Tue, 24 May 2022, Hippo Man wrote:

Late to this party.

> * Hacker makes numerous login attempts one after the other with various
> passwords, and without disconnecting in between attempts. I've seen 10 and
> more of these repeated attempts rapidly during a single imap or pop3
> connection.

Maybe this setting helps?

        auth_failure_delay = 5 secs

I get lots of BFD, and although they have no chance of guessing a password
this way, it produces an annoying amount of rubbish in my logs.  This slows
them down, which reduces the volume of attempts (and logs) and also
gives you ample time to enact a countermeasure.

> I will get the latest dovecot source code and modify it so that dovecot
> will disconnect after "N" failed imap or pop3 login attacks, where "N" is
> some sort of configuration variable (with a default of zero, meaning do not
> disconnect). I will then use this personal version of dovecot with "N" set
> to a fairly low value (probably 1!).

1, in my opinion, is really too low.  This can lock out a legitimate user
with a simple typo, or network hiccough.

It would be better to externalize this, rather than bake it into dovecot.
Have you considered

        https://doc.dovecot.org/configuration_manual/authentication/auth_policy/

> Furthermore, I will continue to automatically monitor the logs and
> perform the same iptables DROP actions for the failed login attempts.
> The combination of these two actions will give me the behavior that I
> desire.

You can also preempt many BFD runs without resorting to a one-strike-you're-out
policy

        1) Look up connecting host in RBL and do a preemptive block
        e.g. bl.websitewelcome.com, bl.blocklist.de, dnsbl.darklist.de
        are some examples of brute force DNSRBLs.  You'll find many of the
        attacking IPs are represented on one of these lists.

        2) Trigger an immediate block against authentication attempts that
        cannot possibly be real (e.g. "mysql", "testuser", "nagios", etc.)

Joseph Tam <jtam.h...@gmail.com>
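The externalized approach discussed in this thread (a log monitor that counts failures per IP, blocks impossible usernames outright, and consults a brute-force DNSBL before deciding), written up as an added Python example; it is not code from the thread or from Dovecot. It assumes the log lines look like Dovecot's imap-login/pop3-login "Disconnected (auth failed, ...)" messages (the sample lines below are constructed, with documentation-range addresses), that the deny-list of impossible usernames and the failure threshold are site choices, and that the iptables rules are printed for review rather than executed.

```python
import re
import socket
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in the shape of dovecot imap-login/pop3-login
# "Disconnected (auth failed, ...)" messages; addresses are documentation ranges.
SAMPLE_LOG = """\
May 24 10:15:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS, session=<c1>
May 24 10:15:09 mail dovecot: imap-login: Disconnected (auth failed, 12 attempts in 30 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<c2>
May 24 10:15:11 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mysql>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.2, session=<c3>
May 24 10:15:20 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<bob>, method=PLAIN, rip=198.51.100.200, lip=198.51.100.2, TLS, session=<c4>
"""

LINE_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Hypothetical deny-list: accounts that cannot be real mailboxes on this server.
IMPOSSIBLE_USERS = {"mysql", "testuser", "nagios", "admin", "root"}

# Brute-force DNSBLs named in the thread; a listed IP resolves to a 127.x.x.x answer.
RBL_ZONES = ("bl.blocklist.de", "dnsbl.darklist.de")


def rbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the zone (standard DNSBL form)."""
    if ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zones=RBL_ZONES):
    """True if any zone answers for the reversed address.

    `resolve` is injectable so the logic can be tested offline; NXDOMAIN
    (socket.gaierror, an OSError subclass) means "not listed" in that zone.
    """
    for zone in zones:
        try:
            resolve(rbl_query_name(ip, zone))
            return True
        except OSError:
            continue
    return False


def parse_failures(log_text):
    """Yield (service, user, rip, attempts) for every auth-failure disconnect line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["svc"], m["user"], m["rip"], int(m["n"])


def decide_blocks(log_text, max_failures=5, resolve=socket.gethostbyname):
    """Return {ip: reason} for addresses that should be DROPped.

    Rules, cheapest first: impossible username (no lookup needed), then the
    per-IP failure count against a threshold kept well above 1 so a typo by a
    real user does not lock them out, then an RBL lookup for what remains.
    """
    fails = defaultdict(int)
    blocks = {}
    for _svc, user, rip, n in parse_failures(log_text):
        if user.lower() in IMPOSSIBLE_USERS:
            blocks[rip] = f"impossible username {user!r}"
        fails[rip] += n
    for rip, count in fails.items():
        if rip in blocks:
            continue
        if count >= max_failures:
            blocks[rip] = f"{count} failed attempts"
        elif is_listed(rip, resolve):
            blocks[rip] = "listed on brute-force DNSBL"
    return blocks


def iptables_commands(blocks):
    """Render the decisions as iptables DROP rules for review; nothing is executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # {reason}"
            for ip, reason in sorted(blocks.items())]


if __name__ == "__main__":
    # With the real resolver the documentation-range addresses are simply
    # unlisted; pass resolve=<stub> to exercise the DNSBL branch offline.
    for cmd in iptables_commands(decide_blocks(SAMPLE_LOG)):
        print(cmd)
```

Ordering the checks by cost matters in practice: the username and counter tests need no network, so the DNSBL lookup (one DNS query per zone per address) is only paid for the addresses that survive them, and a threshold above 1 keeps the "hiccough" case from turning into a self-inflicted lockout.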
