Re: [Dovecot] Under POP attack - now to prevent?
On Tue, Jun 30, 2009 at 05:23:18PM +1000, James Brown wrote:
>
> Any regex experts out there that can help me set up Fail2Ban to stop
> this?
>
> Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
> failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94,
> lip=192.168.1.9
[...]

Here's what I use which will get those and others.

[Definition]
failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:

That goes in /etc/fail2ban/filter.d/dovecotlogin.local, and in
/etc/fail2ban/jail.local I have

[dovecot-local]
enabled = true
filter = dovecotlogin
action = iptables-allports[name=DOVECOT, protocol=all]
logpath = /var/log/maillog

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Dovecot] Under POP attack - now to prevent?
On 05/06/2009, at 4:19 PM, James Brown wrote:
> Thanks to Curtis and others who replied.
>
> I managed to block the IP at our Firewall (learnt a few quirky things
> about Astaro Security Gateway on the way!)
>
> In order to automate the process, Fail2Ban has been suggested.
>
> I know this is getting a bit off topic, but has anyone installed in
> Mac OS X 10.5.7? There is a how-to for 10.4 (HOWTO Mac OS X Server
> (10.4) - Fail2ban) - does this work unchanged in 10.5?
>
> Anyone managed to get Fail2Ban working on Leopard with Dovecot 1.2 RC4?

I'll answer my own question! There is a OS X Installer file at:
LSA Mac OS X Ported and Developed Software | LSA Information Technology | University of Michigan

Any regex experts out there that can help me set up Fail2Ban to stop this?

Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9

Many thanks,

James.
Re: [Dovecot] Under POP attack - now to prevent?
* James Brown:
> Looks like we are under a dictionary login attack on our POP server:
...
> Any suggestions on how to prevent this?

apt-get install fail2ban

--
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung
Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de

May's Law: The quality of correlation is inversely proportional to the
density of control. (The fewer data points, the smoother the curves.)
Re: [Dovecot] Under POP attack - now to prevent?
On Friday, 05.06.2009, 02:26 -0400, Timo Sirainen wrote:
> On Jun 5, 2009, at 2:07 AM, henry ritzlmayr wrote:
>
> > Interesting for me is that you are on v1.2RC4. Timo wrote yesterday
> > that with v1.2+ after every login failure the delay for the next
> > attempt should grow. When I take a look at your timestamps this is
> > obviously not working on your system.
>
> That's because the client disconnects between attempts. Currently the
> delay increase is done only within a single session.
>

Ok, if that's so, please really consider the possibility to disconnect a
user if he/she provides the wrong credentials. Otherwise we would have to
deal with two kinds of attackers in two places. The ones which don't
disconnect themselves would have to be handled by dovecot (growing delay)
and the ones which disconnect would have to be handled by firewall/fail2ban
etc. I personally prefer (I'm sure you figured that already) a centralized
approach on the firewall.

Have a nice trip to frisco

Henry
Re: [Dovecot] Under POP attack - now to prevent?
On Jun 5, 2009, at 2:07 AM, henry ritzlmayr wrote:
> Interesting for me is that you are on v1.2RC4. Timo wrote yesterday
> that with v1.2+ after every login failure the delay for the next
> attempt should grow. When I take a look at your timestamps this is
> obviously not working on your system.

That's because the client disconnects between attempts. Currently the
delay increase is done only within a single session.
Re: [Dovecot] Under POP attack - now to prevent?
On Friday, 05.06.2009, 12:04 +1000, James Brown wrote:
> Looks like we are under a dictionary login attack on our POP server:
>
> Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
> failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94,
> lip=192.168.1.9

Since the attacker is playing nice you could also limit the maximum
connection attempts to the pop3 port in a given timeframe. And if that
limit is reached, block the IP for a certain amount of time. If you
firewall with netfilter, hashlimit is your friend.

Interesting for me is that you are on v1.2RC4. Timo wrote yesterday that
with v1.2+ after every login failure the delay for the next attempt
should grow. When I take a look at your timestamps this is obviously not
working on your system.

Henry
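To show how Mark Sapiro's fail2ban failregex (earlier in this thread) and Henry's "limit attempts in a given timeframe, then block the IP" suggestion fit together, here is an added Python example, not code from anyone in the thread: it applies two of the posted regex lines to constructed Dovecot log lines and counts failures per remote IP in a fail2ban-style maxretry/findtime sliding window. The IPv4-only stand-in for fail2ban's `<HOST>` pattern, the year 2009, the `<test>` username and the legitimate client 192.0.2.10 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Two of Mark's failregex lines; fail2ban substitutes <HOST> with its own
# address-capturing pattern, simplified here to a dotted IPv4 (assumption).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [r"Aborted login \(.*\): .*rip=<HOST>,",
             r"Disconnected \(tried to use disabled.*\): .*rip=<HOST>,"]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_PATTERN)) for rx in FAILREGEX]
SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")

def parse_line(line, year=2009):
    """(timestamp, remote ip) if a failregex matches, else None; syslog has no year, 2009 assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")

def offenders(lines, maxretry=5, findtime=600):
    """fail2ban-style maxretry/findtime window: {ip: time the limit was reached}."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # successful logins and unrelated lines never count
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

# Constructed sample: James's timestamps and attacker IP from the thread, a
# placeholder username, and one legitimate client (192.0.2.10) failing once.
ATTACKER = "85.189.169.94"
FAIL = ("mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): "
        "user=<test>, method=PLAIN, rip={ip}, lip=192.168.1.9")
SAMPLE_LOG = [f"Jun  5 11:48:{s} " + FAIL.format(ip=ip) for s, ip in (
    ("20", ATTACKER), ("24", ATTACKER), ("24", ATTACKER), ("25", ATTACKER),
    ("26", "192.0.2.10"), ("27", ATTACKER), ("28", ATTACKER), ("31", ATTACKER))]

def sample_offenders():
    return offenders(SAMPLE_LOG)
```

With the defaults the attacker is flagged at the fifth failure (11:48:27) while the single failure from 192.0.2.10 never reaches the limit; a shorter findtime shows how older failures age out of the window.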
Re: [Dovecot] Under POP attack - now to prevent?
James Brown wrote:
> Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth
> failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94,
> lip=192.168.1.9
>
> Any suggestions on how to prevent this?
>
> Using Dovecot 1.2RC4

Route that address to localhost? Works here :)

There are various automated tools, like fail2ban, which can help with
this -- if you're using a setup they can hook into.

--
Curtis Maloney
cmalo...@cardgate.net
[Dovecot] Under POP attack - now to prevent?
Looks like we are under a dictionary login attack on our POP server:

Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9

Any suggestions on how to prevent this?

Using Dovecot 1.2RC4

Thanks,

James.