Re: under another kind of attack
> On 26 Jul 2017, at 7:57 pm, Olaf Hopp wrote:
>
> Dear colleagues,
>
> many thanks for your valuable input.
>
> Since we are a university, GEO-IP blocking is not an option for us.
> Sometimes I think it should ;-)
>
> My "mistake" was that I had just *one* fail2ban filter for both cases:
> "wrong password" and "unknown user".
>
> Now I have two distinct jails:
> The first one just for "wrong password", and here the findtime, bantime and retries
> are tolerant to typos.
>
> And I have a new one just for "unknown user", and here my bantime and findtime
> are much bigger and the retries are just '2'. So here I'm much harsher.
> I'll keep an eye on my logs and maybe some more twaeking is necessary.
>
> Another interesting observation:
> I activated
> auth_verbose_passwords = plain
> to log the plain password when (and only when) there is "unknown user".
> It reveals that all different IPs trying one unknown account always try with the
> same stupid password scheme 1234. So this doesn't look very well
> coordinated between the bots ;-)

Olaf, how do you do this only for the unknown user? Can you share the Dovecot settings? I'm under the same sort of slow distributed attack. Also the two fail2ban jails would be helpful.

Thanks, James.
Re: failed to store into mailbox 'INBOX/Junk': Permission denied
From: Thomas Leuxner
> cat /etc/dovecot/dovecot-acl
> * user=book...@hotelsangiorgioriccione.com lrwsi
> * user=i...@hotelsangiorgioriccione.com lrwsi
>
> Hi Davide,
>
> For LMTP to file the mails you need to add the p flag (POST).

Well, I've added the "p" flag and now I will monitor the situation ;-)

PS: Just as an additional note, right after making this change and reloading Dovecot I saw (once) this error message:

Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF
Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF
Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF
Jul 26 22:09:53 server dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jul 26 22:09:53 server dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF
Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF
Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF
Jul 26 22:09:53 server dovecot: imap-login: Error: read(anvil) failed: EOF

But now everything seems to work well (let's hope) ;-)

Many thanks Thomas!
Re: under another kind of attack
Olaf Hopp wrote:

> And I have a new one just for "unknown user", and here my bantime and findtime
> are much bigger and the retries are just '2'. So here I'm much harsher.
> I'll keep an eye on my logs and maybe some more twaeking is necessary.

Just be careful about typos (like twaeking!): users could simply misspell their username, or get mixed up with some other account or alias. This is why I favour targeting known bad accounts, not merely accounts that don't exist.

Joseph Tam
Re: under another kind of attack
On 26/07/2017 10:57, Olaf Hopp wrote:
> I'll keep an eye on my logs and maybe some more twaeking is
> necessary.

Twerking?

> So this doesn't look very well coordinated between the bots ;-)

Bots are cheap - free, basically, because they are stolen. Most brute-force attacks are crap; they try the same username/password pair on the same host over and over again. I would like to be able to signal to the bot "Dude, I do not accept username/password pairs - you need a keypair, so give it a rest". But the bots are dumb, because the economic advantage of building a smart one is zero.

BTW: I don't think this is on-topic for Dovecot - we seem to be discussing mail-abuse abatement measures, which is a much more general topic.

-- 
Jack.
Re: Return extra fields from passwd userdb
Thank you very much Steffen! It finally works!

I have 2 LDAP DBs in my system, the first for the inetOrgPerson class and the second for system-specific class attributes. So I introduced another userdb section:

--
##
## User databases
##

# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
  driver = ldap
  args = /var/etc/dovecot/dovecot-ldap.conf.ext
  result_success = continue-ok
}

userdb {
  driver = ldap
  args = /var/etc/dovecot/dovecot-mnusers-ldap.conf.ext
}

userdb {
  driver = passwd
}
---

and the content of /var/etc/dovecot/dovecot-mnusers-ldap.conf.ext is:

--
user_filter = (&(objectClass=AFASystems)(uid=%u))
user_attrs = \
  =quota_rule=*:bytes=%{ldap:quotaBytes}
---

Now if I run "doveadm user afasystems", the output is:

field      value
uid        1040
gid        100
home       /data/home/afasystems
mail       maildir:~/.maildir
quota_rule *:bytes=80M

But if quotaBytes is empty in LDAP, the output is:

# doveadm user admin
doveadm(root): Error: user admin: Initialization failed: Failed to initialize quota: Invalid quota root quota: Invalid rule *:bytes= : Invalid rule limit value 'bytes= ': Unknown unit:
field      value

Is there a way in the Dovecot configuration to assign 0 (i.e. unlimited) to quota_rule if quotaBytes from LDAP is empty?

Thank you so much again!

On 21/07/2017 22:29, Steffen wrote:
> Michele Petrella wrote:
> > Hi, each user exists in one db.
> >
> > I changed configuration:
> >
> > # 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf
> > # Pigeonhole version 0.4.18 (29cc74d)
> > # OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386)
> > auth_debug = yes
> > debug_log_path = /var/log/dovecot/dovecot_debug.log
> > disable_plaintext_auth = no
> > info_log_path = /var/log/state.mail/dovecot.pipe
> > log_path = /var/log/dovecot/dovecot.log
> > mail_debug = yes
> > mail_gid = users
> > mail_location = maildir:~/.maildir
> > mail_plugins = acl quota
> > mail_shared_explicit_inbox = yes
> > mail_uid = vmail
> > managesieve_notify_capability = mailto
> > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave duplicate
> > namespace {
> >   list = yes
> >   location = maildir:/data/home/vmail/public
> >   prefix = Public/
> >   separator = /
> >   subscriptions = no
> >   type = public
> > }
> > namespace {
> >   list = children
> >   location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u
> >   prefix = Shared/%%u/
> >   separator = /
> >   subscriptions = no
> >   type = shared
> > }
> > namespace inbox {
> >   inbox = yes
> >   list = yes
> >   location =
> >   mailbox Cestino {
> >     special_use = \Trash
> >   }
> >   mailbox Drafts {
> >     special_use = \Drafts
> >   }
> >   mailbox Junk {
> >     special_use = \Junk
> >   }
> >   mailbox "Posta inviata" {
> >     special_use = \Sent
> >   }
> >   mailbox Sent {
> >     special_use = \Sent
> >   }
> >   mailbox "Sent Messages" {
> >     special_use = \Sent
> >   }
> >   mailbox Trash {
> >     special_use = \Trash
> >   }
> >   prefix =
> >   separator = /
> >   subscriptions = yes
> >   type = private
> > }
> > passdb {
> >   args = /etc/dovecot/passwd.masterusers
> >   driver = passwd-file
> >   master = yes
> > }
> > passdb {
> >   args = /var/etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > passdb {
> >   driver = passwd
> >   skip = authenticated
> > }
> > plugin {
> >   acl = vfile:/etc/dovecot/acl:cache_secs=300
> >   acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes
> >   quota = maildir:User quota
> >   quota_rule = *:storage=5M
> >   quota_rule2 = Trash:storage=+100M
> >   quota_rule3 = SPAM:ignore
> >   sieve = ~/.dovecot.sieve
> >   sieve_before = /var/etc/dovecot/sieve/general/
> >   sieve_dir = ~/sieve
> >   sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute
> >   sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter
> >   sieve_global_dir = /var/etc/dovecot/sieve/global/
> >   sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter +vnd.dovecot.pipe +editheader
> >   sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe
> >   sieve_plugins = sieve_extprograms
> > }
> > protocols = imap pop3 lmtp sieve
> > service auth {
> >   unix_listener auth-userdb {
> >     group = users
> >   }
> > }
> > service imap-postlogin {
> >   executable = script-login /usr/local/bin/imap-postlogin.sh
> >   user = $default_internal_user
> > }
> > service imap {
> >   executable = imap imap-postlogin
> > }
> > ssl_cert =
>
> Well, first try this:
>
> doveadm user afasystems
>
> All extra fields should be displayed (quotaByte only in your example).
>
> Then verify that this user has quotaBytes at all:
>
> ldapsearch -b ou=mnusers,dc=majornet,dc=local uid=afasystems quotaBytes
>
> Then look here: https://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb
>
> user_attrs = \
>   =home=%{ldap:homeDirectory}, \
>   =uid=%{ldap:uidNumber}, \
>   =gid=%{ldap:gidNumber}
>
> all mappings using %{ldap:...} have a "=" prefixed before the settings name
>
> Then re-try doveadm user
>
> No e
Re: under another kind of attack
Dear colleagues,

many thanks for your valuable input.

Since we are a university, GEO-IP blocking is not an option for us.
Sometimes I think it should ;-)

My "mistake" was that I had just *one* fail2ban filter for both cases:
"wrong password" and "unknown user".

Now I have two distinct jails:
The first one just for "wrong password", and here the findtime, bantime and retries
are tolerant to typos.

And I have a new one just for "unknown user", and here my bantime and findtime
are much bigger and the retries are just '2'. So here I'm much harsher.
I'll keep an eye on my logs and maybe some more twaeking is necessary.

Another interesting observation:
I activated
auth_verbose_passwords = plain
to log the plain password when (and only when) there is "unknown user".
It reveals that all different IPs trying one unknown account always try with the
same stupid password scheme 1234. So this doesn't look very well
coordinated between the bots ;-)

Regards, Olaf

On 07/25/2017 04:37 PM, Olaf Hopp wrote:
> Hi folks,
>
> "somehow" similar to the thread "under some kind oof attack" started by "MJ":
> I have dovecot shielded by fail2ban, which works fine. But since a few days I see
> many many IPs per day knocking on my doors with wrong passwords and/or users.
> But the rate at which they are knocking is very very low. So fail2ban will never
> catch them. For example one IP:
>
> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user
> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?)
> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user
>
> Note the timestamps.
>
> If I look the other way round (tries to one account) I'll get
>
> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user
> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user
> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user
> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user
>
> Also note the timestamps!
>
> And I see many many distinct IPs per day (a few hundred) trying many many existing
> and non-existing accounts. As you see in the timestamps in my examples, this can
> not be handled by fail2ban without affecting regular users with typos.
>
> Is anybody observing something similar? Anybody an idea against this?
>
> Many of these observed IPs are Chinese mobile IPs, if this matters. But we also
> have Chinese students and researchers from abroad.
>
> Regards, Olaf

-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik
Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -
Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu
www.kit.edu

KIT – The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
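The two-jail split Olaf describes, as an added Python example that is neither from the thread nor from fail2ban's own Dovecot filter: it classifies the auth-worker lines above with one pattern per jail, applies a per-IP findtime/maxretry window (the findtime values and the wrong-password maxretry are assumptions; the post only gives maxretry 2 for unknown users), and then counts distinct source IPs per probed account, the view in which the slow distributed pattern shows up while per-IP banning misses it.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the auth-worker failure lines quoted in Olaf's post.
SAMPLE_LOG = """\
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
                     r"pam\((?P<user>[^,]+),(?P<ip>[^,]+),[^)]*\): (?P<msg>.*)$")
# One matcher per jail, as in the post; findtime (s) and maxretry are assumed, except the post's maxretry 2 for unknown users.
JAILS = {
    "dovecot-unknown-user":   (re.compile(r"^unknown user$"), 24 * 3600, 2),
    "dovecot-wrong-password": (re.compile(r"^pam_authenticate\(\) failed"), 600, 5),
}
def parse(log):
    # (timestamp, user, ip, message) per failure line, oldest first; syslog lines carry no year.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"], m["msg"]))
    return sorted(events)
def bans(events):
    # Per jail: IPs that reach maxretry matching failures inside a sliding findtime window.
    result = {}
    for name, (matcher, findtime, maxretry) in JAILS.items():
        recent, banned = {}, set()
        for ts, _user, ip, msg in events:
            if not matcher.match(msg):
                continue
            recent[ip] = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)] + [ts]
            if len(recent[ip]) >= maxretry:
                banned.add(ip)
        result[name] = banned
    return result
def ips_per_unknown_account(events):
    # The per-account view fail2ban lacks: distinct source IPs probing each nonexistent account.
    seen = {}
    for _ts, user, ip, msg in events:
        if msg == "unknown user":
            seen.setdefault(user, set()).add(ip)
    return {user: len(ips) for user, ips in seen.items()}
```

On this sample only 101.231.247.210 trips the unknown-user jail (three misses in one day); the six-IP probing of endsulei never crosses any per-IP threshold and is visible only in the per-account count.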
Re: failed to store into mailbox 'INBOX/Junk': Permission denied
* Davide Marchi 2017.07.26 10:25:
> cat /etc/dovecot/dovecot-acl
> * user=book...@hotelsangiorgioriccione.com lrwsi
> * user=i...@hotelsangiorgioriccione.com lrwsi

Hi Davide,

For LMTP to file the mails you need to add the p flag (POST).

Regards
Thomas
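A check for exactly this gap, as an added Python example (not Dovecot's code; the identifiers are constructed): it parses the global ACL file format shown above, folds `+`/`-` entries into the effective right set per identifier, and lists identifiers that can insert via IMAP but lack the post right LMTP needs to deliver.

```python
# Right letters of Dovecot's acl plugin and the names "doveadm acl debug" prints for them.
RIGHTS = {"l": "lookup", "r": "read", "w": "write", "s": "write-seen", "t": "write-deleted",
          "i": "insert", "p": "post", "e": "expunge", "k": "create", "x": "delete", "a": "admin"}
# Constructed sample in the thread's global-ACL shape (mailbox pattern, identifier, rights).
# Identifiers are made up; only alice has had the post right added, via a "+p" line.
ACL_FILE = """\
# comments and blank lines are ignored
* user=alice@example.com lrwsi
* user=bob@example.com lrwsi
* user=alice@example.com +p
"""

def parse_acl(text):
    # (mailbox_pattern, identifier, mode, letters); mode is "=" (replace), "+" (add) or "-" (remove).
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mailbox, ident, rights = line.split(None, 2)
        mode = rights[0] if rights[0] in "+-" else "="
        letters = set(rights.lstrip("+-"))
        unknown = letters - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown ACL right letter(s) {sorted(unknown)} in: {line}")
        entries.append((mailbox, ident, mode, letters))
    return entries

def effective_rights(text):
    # Fold the entries in file order into one right set per (mailbox pattern, identifier).
    eff = {}
    for mailbox, ident, mode, letters in parse_acl(text):
        key = (mailbox, ident)
        if mode == "=":
            eff[key] = set(letters)
        elif mode == "+":
            eff.setdefault(key, set()).update(letters)
        else:
            eff.setdefault(key, set()).difference_update(letters)
    return eff

def missing_post(eff):
    # Identifiers whose LMTP/LDA delivery will fail with "Permission denied": no "p" right.
    return sorted(key for key, letters in eff.items() if "p" not in letters)

def names(letters):
    # Same rendering as "User ... has rights: lookup read write write-seen insert".
    return " ".join(RIGHTS[c] for c in "lrwstipekxa" if c in letters)
```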
Re: failed to store into mailbox 'INBOX/Junk': Permission denied
Steffen Kaiser wrote:
> Does INBOX/Junk already exist?

Yes (but empty):

find /var/vmail/hotelsangiorgioriccione.com/info/ | grep INBOX
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Trash
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Trash/new
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Trash/tmp
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Trash/cur
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Trash/maildirfolder
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Trash/dovecot.index.log
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk/new
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk/tmp
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk/cur
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk/maildirfolder
/var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk/dovecot.index.log

and the same for the other v-user "booking".

> What's in your ACL file?

cat /etc/dovecot/dovecot-acl
* user=book...@hotelsangiorgioriccione.com lrwsi
* user=i...@hotelsangiorgioriccione.com lrwsi

> What do these commands return?
> doveadm acl debug -u i...@hotelsangiorgioriccione.com INBOX
> doveadm acl debug -u i...@hotelsangiorgioriccione.com INBOX/Junk

doveadm acl debug -u i...@hotelsangiorgioriccione.com INBOX
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox 'INBOX' is in namespace ''
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox path: /var/vmail/hotelsangiorgioriccione.com/info/Maildir
doveadm(i...@hotelsangiorgioriccione.com): Info: All message flags are shared across users in mailbox
doveadm(i...@hotelsangiorgioriccione.com): Info: User i...@hotelsangiorgioriccione.com has rights: lookup read write write-seen insert
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox in user's private namespace
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox INBOX is visible in LIST

doveadm acl debug -u i...@hotelsangiorgioriccione.com INBOX/Junk
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox 'INBOX/Junk' is in namespace ''
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox path: /var/vmail/hotelsangiorgioriccione.com/info/Maildir/.INBOX/Junk
doveadm(i...@hotelsangiorgioriccione.com): Info: All message flags are shared across users in mailbox
doveadm(i...@hotelsangiorgioriccione.com): Info: User i...@hotelsangiorgioriccione.com has rights: lookup read write write-seen insert
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox in user's private namespace
doveadm(i...@hotelsangiorgioriccione.com): Info: Mailbox INBOX/Junk is visible in LIST

Many thanks Steffen!