[Dovecot] catching authentication failures with LDAP backend

2008-12-06 Thread Udo Rader

Hi,

we have recently been hit by a couple of brute force password attacks 
against dovecot. So what I want to do now is to add dovecot to fail2ban 
in order to block further attacks.


However, I don't seem to be able to find out password verification 
failures for our LDAP based user data.


The only thing I see are loads of lines like these in the logfiles:

---CUT---
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=ludovic, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=luna, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=luke, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99

---CUT---

Googling the web I found that PAM based authentication obviously gives a 
matchable error message, but for some reason the ldap backend does not 
- or does it?


Any pointers highly appreciated :-)

dovecot -n says this:

---CUT---
# 1.0.15: /etc/dovecot/dovecot.conf
log_path: /var/log/dovecot.log
protocols: imaps imap pop3
listen: 81.16.98.99
ssl_listen(default): 81.16.98.99
ssl_listen(imap): 81.16.98.99
ssl_listen(pop3):
ssl_cert_file: /etc/bestsolution/ssl/mail.bestsolution.at-cert.pem
ssl_key_file: /etc/bestsolution/ssl/mail.bestsolution.at-key.pem
ssl_parameters_regenerate: 24
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 9
mail_access_groups: mail
mail_privileged_group: mail
default_mail_env: mbox:~/mail/:INBOX=/var/mail/%u
mail_location: mbox:~/mail/:INBOX=/var/mail/%u
mmap_disable: yes
lock_method: dotlock
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %v.%u
auth default:
  mechanisms: plain digest-md5 cram-md5 login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
---CUT---

--
Udo Rader, CTO
http://www.bestsolution.at


Re: [Dovecot] catching authentication failures with LDAP backend

2008-12-06 Thread Udo Rader

Solved it myself, changing to auth_verbose = yes in 
dovecot.conf solved it.


Any reasons why this isn't enabled by default?

--
Udo Rader, CTO
http://www.bestsolution.at
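
As an added illustration (not part of the original posts, and not fail2ban's or Dovecot's own code): once auth_verbose = yes is set, failures can be counted per remote IP the way a fail2ban filter does with a failregex, maxretry and findtime. The `auth(default): ldap(user,ip): ...` line shape, the failure strings and the 203.0.113.x / 198.51.100.x addresses are assumptions constructed for the example; compare them with your own log before writing a filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First line is copied from the thread; the auth(default) lines are CONSTRUCTED
# and show an ASSUMED shape of auth_verbose output for the ldap passdb.
SAMPLE_LOG = """\
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=ludovic, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: auth(default): ldap(ludovic,203.0.113.7): unknown user
dovecot: Nov 30 09:09:52 Info: auth(default): ldap(luna,203.0.113.7): unknown user
dovecot: Nov 30 09:09:53 Info: auth(default): ldap(luke,203.0.113.7): invalid credentials
dovecot: Nov 30 09:12:00 Info: auth(default): ldap(alice,198.51.100.20): invalid credentials
dovecot: Nov 30 11:30:00 Info: auth(default): ldap(alice,198.51.100.20): invalid credentials
dovecot: Nov 30 14:00:00 Info: auth(default): ldap(alice,198.51.100.20): invalid credentials
"""

# Anchored at both ends: the user name is client-supplied, so an unanchored
# pattern could be steered into capturing a fake address as the offender.
FAILURE = re.compile(
    r"^dovecot: (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) Info: auth\(default\): "
    r"ldap\((?P<user>[^,]*),(?P<rip>[0-9a-fA-F.:]+)\): "
    r"(?:unknown user|invalid credentials|[Pp]assword mismatch)$"
)

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2008):
    """Return {rip: total_failures} for IPs with >= maxretry failures within findtime."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE.match(line.strip())
        if not m:
            continue  # e.g. the plain "Disconnected" lines, which carry no verdict
        # The log has no year; one is supplied so the timestamps can be compared.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["rip"]].append(ts)
    flagged = {}
    for rip, times in hits.items():
        times.sort()
        # Sliding window: maxretry consecutive failures spanning at most findtime.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged[rip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The three failures from 198.51.100.20 are spread over several hours, so only the burst from 203.0.113.7 is flagged with the default ten-minute window.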


Re: [Dovecot] catching authentication failures with LDAP backend

2008-12-06 Thread Seth Mattinen

Udo Rader wrote:


Solved it myself, changing to auth_verbose = yes in 
dovecot.conf solved it.


Any reasons why this isn't enabled by default?



Because it's a debugging switch.

~Seth


Re: [Dovecot] catching authentication failures with LDAP backend

2008-12-06 Thread Udo Rader

Udo Rader wrote:


Solved it myself, changing to auth_verbose = yes in 
dovecot.conf solved it.


Any reasons why this isn't enabled by default?


And, on a final note, it would be good if authentication failures 
(password mismatch, unknown user etc.) got a higher log priority (i.e. 
warn), so that those failures can be filtered more easily.


--
Udo Rader, CTO
http://www.bestsolution.at



Re: [Dovecot] catching authentication failures with LDAP backend

2008-12-06 Thread Udo Rader

Seth Mattinen wrote:

Udo Rader wrote:


Solved it myself, changing to auth_verbose = yes in 
dovecot.conf solved it.


Any reasons why this isn't enabled by default?



Because it's a debugging switch.


hmm, that's weird then.

Without turning on this debugging switch (LDAP) authentication 
failures are not logged, so that's a pretty essential functionality 
missing then.


--
Udo Rader, CTO
http://www.bestsolution.at