Re: [Dovecot] stopping dictionary attacks (pop3)

2013-09-04 Thread other

Hi Noel,

Thank you for the hint. I've added what you suggested to the fail2ban 
action.


I've had to resort to firewalling off the pop3 port to my ISP subnets
and any subnets of ISPs I use when I am on the go.

This will work for me since it's a personal server with only a few 
external users.

Operators of shared hosting servers certainly won't have that luxury.

I had no choice but to do this. Getting fail2ban to work effectively
with dovecot is like trying to make a bad marriage work out.

So, it would appear that dovecot only logs multiple failed auths for a
single session in ONE line of text in a log failed, X attempts rather
than X lines of failures logged. This makes fail2ban useless in this
case, since one can fail to auth 10 times in a single session and
fail2ban will not pick it up.

Some feedback for the author, please try and improve things in this
area. I really can't see why some functionality cannot be added as
outlined in my original email, to disconnect the session after X failed
attempts, and have a variable in a config file that allows some fine
tuning of that. It's not a lot of code to add, you could probably do it
in less than 10 lines of C.

Cheers.
A.


On 2013-09-03 14:34, Noel wrote:

On 9/2/2013 8:59 PM, ot...@ahhyes.net wrote:

Hi Guys,

I was really hoping a couple of years later this would be
addressed... I'm running Dovecot 2.2.5 on FreeBSD.

Is there any way to limit the number of auth attempts allowed in a
single session? The reason for this is because I have fail2ban
set up to firewall out any IP addresses that repeatedly auth fails.
The issue occurs when the connection is already in an
established state and the attacker uses the existing session to
hammer away, fail2ban becomes ineffective as dovecot appears to
allow the person to attempt authentication ad infinitum.

It would be nice if there was a config option that would for example
cause the software to close the connection after X failed
attempts. I use pf as the firewall on FreeBSD.


The secret is the pfctl -k IP command to drop state for the
offending IP.  Just add it to your fail2ban action command.
action = /sbin/pfctl {whatever you have now}   /sbin/pfctl -k ip


A nice writeup of fail2ban and pf can be found here:
http://www.effu.se/2011/03/Integrating-PF-with-Fail2ban-0.9




  -- Noel Jones
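
The logging behaviour described in the message above (several failed logins in one session reported as a single "auth failed, X attempts" line), as an added example that is not part of the original thread and is not Dovecot or fail2ban code: it sums the attempt count per remote IP instead of counting log lines. The log lines are constructed and their exact shape is an assumption to check against your own log; `offenders` and its `max_attempts` threshold are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines (assumed message shape; documentation-range addresses).
SAMPLE_LOG = """\
Sep  4 18:40:01 mail dovecot: pop3-login: Disconnected (auth failed, 10 attempts): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Sep  4 18:40:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alex>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Sep  4 18:41:15 mail dovecot: pop3-login: Disconnected (auth failed, 8 attempts in 31 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Sep  4 18:42:00 mail dovecot: pop3-login: Login: user=<alex>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Sep  4 18:42:30 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=198.51.100.99, lip=192.0.2.10
"""

# One match per failed session; group "n" is the attempt count inside it.
FAILED = re.compile(
    r"(?:pop3|imap)-login: .*?\(auth failed, (?P<n>\d+) attempts?"
    r"(?: in \d+ secs)?\).*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def _scan(log_text):
    """Yield (remote_ip, attempts) for every failed-auth session line."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("rip"), int(m.group("n"))

def failed_lines_by_ip(log_text):
    """What a one-line-equals-one-failure counter sees."""
    return Counter(ip for ip, _ in _scan(log_text))

def failed_attempts_by_ip(log_text):
    """Sum the per-session attempt counts, not the number of log lines."""
    totals = Counter()
    for ip, attempts in _scan(log_text):
        totals[ip] += attempts
    return totals

def offenders(log_text, max_attempts=5):
    """IPs whose summed failed attempts exceed max_attempts."""
    totals = failed_attempts_by_ip(log_text)
    return sorted(ip for ip, n in totals.items() if n > max_attempts)

if __name__ == "__main__":
    lines, totals = failed_lines_by_ip(SAMPLE_LOG), failed_attempts_by_ip(SAMPLE_LOG)
    for ip in sorted(totals):
        print(f"{ip}: {lines[ip]} log line(s), {totals[ip]} failed attempt(s)")
    print("over threshold:", offenders(SAMPLE_LOG))
```
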


Re: [Dovecot] stopping dictionary attacks (pop3)

2013-09-04 Thread Noel
On 9/4/2013 6:57 PM, ot...@ahhyes.net wrote:

 I've had to resort to firewalling off the pop3 port to my ISP
 subnets and any subnets of ISPs
 I use when I am on the go.

 This will work for me since it's a personal server with only a few
 external users.
 Operators of shared hosting servers certainly won't have that luxury.

On my personal server I use http://www.ipdeny.com/ cidr blocks to
only allow the countries where users are expected to be.  Obviously
not a solution for an ISP...


  -- Noel Jones



[Dovecot] stopping dictionary attacks (pop3)

2013-09-02 Thread other

Hi Guys,

I was really hoping a couple of years later this would be addressed... 
I'm running Dovecot 2.2.5 on FreeBSD.


Is there any way to limit the number of auth attempts allowed in a
single session? The reason for this is because I have fail2ban set up
to firewall out any IP addresses that repeatedly auth fails. The issue
occurs when the connection is already in an established state and the 
attacker uses the existing session to hammer away, fail2ban becomes 
ineffective as dovecot appears to allow the person to attempt 
authentication ad infinitum.


It would be nice if there was a config option that would for example
cause the software to close the connection after X failed attempts. I 
use pf as the firewall on FreeBSD.


Unless there was some command I could have fail2ban run a command that 
would destroy any tcp sessions in an established state prior to adding 
the offending IP to the block list, that would be the only way around 
the problem. Ideally it would be nice for dovecot to have an option to
control the number of failed auth attempts.


Any suggestions?

Cheers,
Alex.





Re: [Dovecot] stopping dictionary attacks (pop3)

2013-09-02 Thread Noel
On 9/2/2013 8:59 PM, ot...@ahhyes.net wrote:
 Hi Guys,

 I was really hoping a couple of years later this would be
 addressed... I'm running Dovecot 2.2.5 on FreeBSD.

 Is there any way to limit the number of auth attempts allowed in a
 single session? The reason for this is because I have fail2ban
 set up to firewall out any IP addresses that repeatedly auth fails.
 The issue occurs when the connection is already in an
 established state and the attacker uses the existing session to
 hammer away, fail2ban becomes ineffective as dovecot appears to
 allow the person to attempt authentication ad infinitum.

 It would be nice if there was a config option that would for example
 cause the software to close the connection after X failed
 attempts. I use pf as the firewall on FreeBSD.

The secret is the pfctl -k IP command to drop state for the
offending IP.  Just add it to your fail2ban action command.
action = /sbin/pfctl {whatever you have now}   /sbin/pfctl -k ip


A nice writeup of fail2ban and pf can be found here:
http://www.effu.se/2011/03/Integrating-PF-with-Fail2ban-0.9




  -- Noel Jones