Re: Log authentication attempts

2017-06-12 Thread Aki Tuomi
You might be interested in using https://github.com/PowerDNS/weakforced which 
is intended for deterring brute force attacks on clustered setups.

Logging auth attempts with the auth policy API requires you to run some web service 
that will perform the logging.

Aki

> On June 12, 2017 at 5:58 PM "j.emerlik"  wrote:
> 
> 
> I need to save that to a database because I have more than one mail server
> and they must share failed login attempt information with each other.
> I'll try to check how Dovecot Authentication Policy works.
> 
> --JAcek
> 
> 2017-06-12 16:50 GMT+02:00 Leonardo Rodrigues :
> 
> > On 12/06/17 09:39, j.emerlik wrote:
> >
> >> Failed login attempts information may be useful in the
> >> fight with brute-force attacks.
> >>
> >>
> > fail2ban is your friend, it can analyze the logs, no need for saving
> > that on database.
> >
> >
> > --
> >
> >
> > Atenciosamente / Sincerely,
> > Leonardo Rodrigues
> > Solutti Tecnologia
> > http://www.solutti.com.br
> >
> > Minha armadilha de SPAM, NÃO mandem email
> > gertru...@solutti.com.br
> > My SPAMTRAP, do not email it
> >


Re: Log authentication attempts

2017-06-12 Thread j.emerlik
I need to save that to a database because I have more than one mail server
and they must share failed login attempt information with each other.
I'll try to check how Dovecot Authentication Policy works.

--JAcek

2017-06-12 16:50 GMT+02:00 Leonardo Rodrigues :

> On 12/06/17 09:39, j.emerlik wrote:
>
>> Failed login attempts information may be useful in the
>> fight with brute-force attacks.
>>
>>
> fail2ban is your friend, it can analyze the logs, no need for saving
> that on database.
>
>
> --
>
>
> Atenciosamente / Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> Minha armadilha de SPAM, NÃO mandem email
> gertru...@solutti.com.br
> My SPAMTRAP, do not email it
>


Re: Log authentication attempts

2017-06-12 Thread Leonardo Rodrigues

On 12/06/17 09:39, j.emerlik wrote:

> Failed login attempts information may be useful in the
> fight with brute-force attacks.

fail2ban is your friend, it can analyze the logs, no need for 
saving that on database.



--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it


Re: Log authentication attempts

2017-06-12 Thread Gregory Sloop

>> On June 12, 2017 at 3:39 PM "j.emerlik"  wrote:


>> We also have the same problem, now we are running Dovecot 2.2.30.2 and also use
>> Dovecot SASL for SMTP authentication (postfix 2.11).
>> We need to save all failed login attempts to a database as source IP address,
>> username and date and time, but the post-login script can do this only after a
>> successful login. Failed login attempts information may be useful in the
>> fight with brute-force attacks.
>> Is it possible to execute some script after a failed login ("Password
>> mismatch")?

>> Regards,
>> Jacek

AT> You can try to do this using our auth policy API. See
AT> https://wiki2.dovecot.org/Authentication/Policy


If you do get this working [logging failed auths] I'd personally be very 
interested in your script so we could reproduce it in our environment too. If 
you'd be willing to share, I'd be grateful. [I'm pretty sure others would be 
too.]

-Greg


Re: Log authentication attempts

2017-06-12 Thread Aki Tuomi

> On June 12, 2017 at 3:39 PM "j.emerlik"  wrote:
> 
> 
> We also have the same problem, now we are running Dovecot 2.2.30.2 and also use
> Dovecot SASL for SMTP authentication (postfix 2.11).
> We need to save all failed login attempts to a database as source IP address,
> username and date and time, but the post-login script can do this only after a
> successful login. Failed login attempts information may be useful in the
> fight with brute-force attacks.
> Is it possible to execute some script after a failed login ("Password
> mismatch")?
> 
> Regards,
> Jacek

You can try to do this using our auth policy API. See 
https://wiki2.dovecot.org/Authentication/Policy

It will report both successful and unsuccessful authentication attempts with the 
fields you specify.

Aki


Re: Log authentication attempts

2017-06-12 Thread j.emerlik
We also have the same problem, now we are running Dovecot 2.2.30.2 and also use
Dovecot SASL for SMTP authentication (postfix 2.11).
We need to save all failed login attempts to a database as source IP address,
username and date and time, but the post-login script can do this only after a
successful login. Failed login attempts information may be useful in the
fight with brute-force attacks.
Is it possible to execute some script after a failed login ("Password
mismatch")?

Regards,
Jacek


Re: Log authentication attempts

2017-01-24 Thread Aki Tuomi

> On January 25, 2017 at 12:24 AM Joseph Tam  wrote:
> 
> 
> On 24.01.2017 00:06, rej ex wrote:
> 
> > Because we are building some monitoring application, we will need to
> > record all failed and successful login attempts.  We need to record
> > remote IP, entered password in plain text, and if possible whether auth
> > request is for SMTP or IMAP session.
> 
> SMTP?  Wouldn't that be handled by your MTA, not Dovecot?
> 
> Aki Tuomi wrote:
> 
> > Since 2.2.27 we've had auth policy server support which can do this
> > properly.
> 
> As I read the docs, the auth policy server would only get the hashed 
> password, and wouldn't be able to record the plaintext password.
> 
> Maybe use the checkpassword hook?
> 
>   http://wiki.dovecot.org/AuthDatabase/CheckPassword
> 
> Joseph Tam 

So it would seem if you don't read it carefully.

auth_policy_request_attributes: Request attributes specification (see 
attributes section below)

  Default: auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}

I invite you to consider what would happen if you were to replace 
%{hashed_password} with %{password}?

Aki
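
The "web service that will perform the logging" mentioned earlier in this thread, as an added example that is not part of the thread and not Dovecot's own code: a small Python HTTP endpoint that accepts the JSON Dovecot POSTs with the default request attributes quoted above (login, pwhash, remote), stores every reported attempt, and answers the pre-auth request from the stored failure history so that several mail servers can share one view of brute-force activity. Everything beyond the attribute line is an assumption: the endpoint address (auth_policy_server_url = http://127.0.0.1:8080/), that the report request after the passdb check carries a boolean "success" field while the pre-auth request does not, the reply shape {"status": N, "msg": ""} with a positive status meaning a delay in seconds, and SQLite standing in for the shared database. The thresholds and the sample addresses are constructed.

```python
"""Minimal Dovecot auth-policy endpoint (constructed example, not Dovecot code).

Assumed Dovecot settings on every mail server that should share the history:
    auth_policy_server_url = http://127.0.0.1:8080/          (assumed address)
    auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
The attribute line is the default quoted in the thread; the URL is an assumption.
"""
import json
import sqlite3
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

DB_PATH = "auth_attempts.sqlite3"  # SQLite stands in for the shared DB; point several servers at one network DB instead
WINDOW_SECONDS = 600               # look back ten minutes (constructed value)
FAIL_THRESHOLD = 10                # failures per remote IP inside the window before the client is slowed down
DELAY_SECONDS = 5                  # positive status = delay in seconds (assumed reply semantics)


def open_db(path=DB_PATH):
    """Open the attempt store and create the schema on first use."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS attempts ("
        " ts INTEGER NOT NULL, remote TEXT NOT NULL, login TEXT,"
        " pwhash TEXT, success INTEGER NOT NULL)"
    )
    conn.execute("CREATE INDEX IF NOT EXISTS attempts_remote_ts ON attempts (remote, ts)")
    return conn


def record_attempt(conn, event, now=None):
    """Persist one reported attempt; only the hash Dovecot sends is stored."""
    ts = int(time.time() if now is None else now)
    conn.execute(
        "INSERT INTO attempts (ts, remote, login, pwhash, success) VALUES (?, ?, ?, ?, ?)",
        (ts, event.get("remote", ""), event.get("login"), event.get("pwhash"),
         1 if event.get("success") else 0),
    )
    conn.commit()


def recent_failures(conn, remote, now=None, window=WINDOW_SECONDS):
    """Count failed attempts from one remote address inside the look-back window."""
    ts = int(time.time() if now is None else now)
    row = conn.execute(
        "SELECT COUNT(*) FROM attempts WHERE remote = ? AND success = 0 AND ts >= ?",
        (remote, ts - window),
    ).fetchone()
    return row[0]


def policy_decision(conn, event, now=None):
    """Answer one policy request.

    Assumption: Dovecot's report request (after the passdb check) carries a boolean
    "success"; the pre-auth request does not. Reports are stored, pre-auth requests
    are answered from the stored history of the requesting address.
    """
    if "success" in event:
        record_attempt(conn, event, now)
        return {"status": 0, "msg": ""}
    failures = recent_failures(conn, event.get("remote", ""), now)
    if failures >= FAIL_THRESHOLD:
        return {"status": DELAY_SECONDS, "msg": "too many recent failures from this address"}
    return {"status": 0, "msg": ""}


class PolicyHandler(BaseHTTPRequestHandler):
    """Receives Dovecot's JSON POST and replies with the policy JSON."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            event = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            self.send_error(400, "malformed JSON")
            return
        body = json.dumps(policy_decision(self.server.db, event)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(host="127.0.0.1", port=8080, db_path=DB_PATH):
    """Run the endpoint; HTTPServer is single-threaded, so one sqlite connection suffices."""
    server = HTTPServer((host, port), PolicyHandler)
    server.db = open_db(db_path)
    server.serve_forever()


if __name__ == "__main__":
    serve()
```

With the default attribute list, what reaches the store is the truncated hash Dovecot computes (pwhash), the original username and the real remote IP, which covers the fields asked for in this thread (source address, username, date and time) without the log-file parsing the original poster wanted to avoid. To make the history shared, every mail server's auth_policy_server_url points at the same endpoint, or the endpoint is run per server against one network database in place of the local SQLite file.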


Re: Log authentication attempts

2017-01-24 Thread Joseph Tam

On 24.01.2017 00:06, rej ex wrote:

> Because we are building some monitoring application, we will need to
> record all failed and successful login attempts.  We need to record
> remote IP, entered password in plain text, and if possible whether auth
> request is for SMTP or IMAP session.

SMTP?  Wouldn't that be handled by your MTA, not Dovecot?

Aki Tuomi wrote:

> Since 2.2.27 we've had auth policy server support which can do this
> properly.

As I read the docs, the auth policy server would only get the hashed password, 
and wouldn't be able to record the plaintext password.

Maybe use the checkpassword hook?

http://wiki.dovecot.org/AuthDatabase/CheckPassword

Joseph Tam 


Re: Log authentication attempts

2017-01-23 Thread Aki Tuomi
Since 2.2.27 we've had auth policy server support which can do this
properly.

Aki


On 24.01.2017 00:06, rej ex wrote:
> Hi everyone,
>
> We are running Dovecot 2.2.9 as a primary IMAP server. Also we use Dovecot 
> SASL for SMTP authentication.
>
> Because we are building some monitoring application, we will need to record 
> all failed and successful login attempts. We need to record remote IP, 
> entered password in plain text, and if possible whether auth request is for 
> SMTP or IMAP session.
>
> I checked http://wiki.dovecot.org/PostLoginScripting and noticed that 
> post-login scripts are executed only after result_success, but not after 
> result_failure (password mismatch).
>
> Also I read http://wiki.dovecot.org/PasswordDatabase where I saw that since 
> version 2.2.10 it is possible to control what happens after passdb check, but 
> allowed result values don't include executing custom script.
>
> Does anyone know a way to call external binary / script, or at least save a 
> record in the database after login attempt without reading the log files?
>
> P.S. There is also a special case. When someone logs in from webmail, remote 
> IP is set to webmail's server. In this case, we will log the attempt from the 
> webmail itself, because it has the correct remote IP.
>
> Robin Wood


Log authentication attempts

2017-01-23 Thread rej ex
Hi everyone,

We are running Dovecot 2.2.9 as a primary IMAP server. Also we use Dovecot SASL 
for SMTP authentication.

Because we are building some monitoring application, we will need to record all 
failed and successful login attempts. We need to record remote IP, entered 
password in plain text, and if possible whether auth request is for SMTP or 
IMAP session.

I checked http://wiki.dovecot.org/PostLoginScripting and noticed that 
post-login scripts are executed only after result_success, but not after 
result_failure (password mismatch).

Also I read http://wiki.dovecot.org/PasswordDatabase where I saw that since 
version 2.2.10 it is possible to control what happens after passdb check, but 
allowed result values don't include executing custom script.

Does anyone know a way to call external binary / script, or at least save a 
record in the database after login attempt without reading the log files?

P.S. There is also a special case. When someone logs in from webmail, remote IP 
is set to webmail's server. In this case, we will log the attempt from the 
webmail itself, because it has the correct remote IP.

Robin Wood