Re: [Dovecot] limiting number of incorrect logins per connection

[Ed W]

Slightly advanced, but note that you CAN block in progress connections
using iptables

What is happening is that the usual top (ish) rule in your iptable
script says something like "continue if connection established", this
can be seen as a performance optimisation to avoid running your full
rulebase after the connection exists, however, it's not a limitation of
iptables.  So you have two main ways to tackle this:

1) Add your blacklist rules *before* the continue rule. One of the
fastest/simplest ways to achieve this is with the new ipset
functionality of recent kernels.  You can then have a single iptables
(block) rule, which references a dynamically updated ipset that contains
all your blacklisted IPs. Curiously ipsets can have a timeout value
which appears to cause entries to fall out after a set time period. 
Requires some changes to the "actions" in fail2ban

2) Alternatively note that you can purge specific connections from
conntrack (subsequent packets will either be treated as "invalid" or
"new" depending on whether you have loose tracking set in /proc/sys/... 
Something like "conntrack -D -n a.b.c.d" should do it?  This still
requires some tweaking to fail2ban, but the iptables rules stay the same

Just saying...

Good luck

Ed W


On 26/08/2011 13:22, Felipe Scarel wrote:
> Yeah, I had read about half of that thread, and after I sent my mail kept
> reading and stumbled upon this: "(...) using the recent module needs
> dovecotto close the connection upon authentication failure, as iptables only
> (normally) comes in to play for new connections (...)".
>
> So, yeah, my suggestion probably won't work.
>
> On Fri, Aug 26, 2011 at 09:15, Felipe Scarel  wrote:
>
>> Alex, I've not personally done it (so just speculating here, bear with me)
>> but you can customize Fail2Ban's actions if needed. So, if you can match the
>> attemps through some regex (and since you're seeing them in the logs, that
>> should be quite possible), then you can edit one of the 'actions' to drop
>> the connection for .

Re: [Dovecot] limiting number of incorrect logins per connection

[a...@ahhyes.net]

Thanks for that. I will change it and recompile. Sorry for the grumpyness 
yesterday in my posts. Was having a bad day. Is there any chance of there being 
an option on future versions that allow a number of failed auth attempts to be 
specified before dropping the connection? The other thread you mentioned, I see 
someone devised a small patch in c to add this functionality. It didnt look 
like a lot of code to do it. What are your thoughts?

- Reply message -
From: "Timo Sirainen" 
Date: Sat, Aug 27, 2011 02:30
Subject: [Dovecot] limiting number of incorrect logins per connection
To: "Alex" 
Cc: 


login-common/client-common.h :

#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)

So set it to (45*60*1000)

But I don't think there's much of a practical difference between these.

On 26.8.2011, at 12.07, Alex wrote:

> 3 minutes! I think that's too long, how can I drop that down to about 45 
> seconds?
> 
> 
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>> On 26.8.2011, at 10.25, Alex wrote:
>> 
>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth 
>>> attacked. What I have noticed is that once connected to a pop3/imap login 
>>> session, you can send endless incorrect usernames+passwords attempts. This 
>>> is a problem for me... I use fail2ban to try and stop these script kiddies. 
>>> The problem is that fail2ban detects the bad auths, firewalls the IP, 
>>> however, since it's an "established" session, the attacker can keep authing 
>>> away... It's only on a subsequent (new) connection that the firewalling 
>>> will take effect.
>> 
>> Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).
> 

Re: [Dovecot] limiting number of incorrect logins per connection

[Timo Sirainen]

login-common/client-common.h :

#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)

So set it to (45*60*1000)

But I don't think there's much of a practical difference between these.

On 26.8.2011, at 12.07, Alex wrote:

> 3 minutes! I think that's too long, how can I drop that down to about 45 
> seconds?
> 
> 
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>> On 26.8.2011, at 10.25, Alex wrote:
>> 
>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth 
>>> attacked. What I have noticed is that once connected to a pop3/imap login 
>>> session, you can send endless incorrect usernames+passwords attempts. This 
>>> is a problem for me... I use fail2ban to try and stop these script kiddies. 
>>> The problem is that fail2ban detects the bad auths, firewalls the IP, 
>>> however, since it's an "established" session, the attacker can keep authing 
>>> away... It's only on a subsequent (new) connection that the firewalling 
>>> will take effect.
>> 
>> Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).
> 

Re: [Dovecot] limiting number of incorrect logins per connection

[Timo Sirainen]

On 26.8.2011, at 18.27, Allan Cassaro wrote:

> If you substitute (create a wrap to) the "imap-login" binary with an script?
> The script can create a "fail attempt/ip" file into home dir and return ok
> or not to dovecot main process based on this information.

imap-login is typically chrooted and running with nonprivileged account that 
can't access user's home dir. I guess you could change those, but wrapping 
imap-login won't help because you don't know the username at that point..

Either auth or anvil process could do something like this.

Re: [Dovecot] limiting number of incorrect logins per connection

[Allan Cassaro]

On Fri, Aug 26, 2011 at 10:14 AM, Alexandre Chapellon  wrote:

> fail2ban will work as soon as dovecot have closed a none-authenticated
> connection: 3mins->180sec
> If tarpit delay for auth failures in a connection is set to 15s (which
> seems to be the default unless i missunderstood) this let an attackers
> only 12 tries (at most) before IP gets blacklisted by fail2ban... Far enough
> to circumvent bruteforce and even dictionnary based attacks... unless the
> attacker has a botnet and uses non agressives retry policy. But in the last
> case, even if you blacklist IP at first failed  tried, you're still vuln to
> such attacks.
>
> regards.
>
> Le 26/08/2011 14:22, Felipe Scarel a écrit :
>
>  Yeah, I had read about half of that thread, and after I sent my mail kept
>> reading and stumbled upon this: "(...) using the recent module needs
>> dovecotto close the connection upon authentication failure, as iptables
>> only
>> (normally) comes in to play for new connections (...)".
>>
>> So, yeah, my suggestion probably won't work.
>>
>> On Fri, Aug 26, 2011 at 09:15, Felipe Scarel  wrote:
>>
>>  Alex, I've not personally done it (so just speculating here, bear with
>>> me)
>>> but you can customize Fail2Ban's actions if needed. So, if you can match
>>> the
>>> attemps through some regex (and since you're seeing them in the logs,
>>> that
>>> should be quite possible), then you can edit one of the 'actions' to drop
>>> the connection for.
>>>
>>> I'm just not entirely sure that iptables (or pf, or whatever firewall
>>> you've got) can do it to active connections, 'cause that problem hasn't
>>> arised for me so far.
>>>
>>>
>>> On Fri, Aug 26, 2011 at 06:14, Alex  wrote:
>>>
>>>  I am happy to recompile if there is no config option. I gather it's in
 the
 src/auth dir somewhere in one of the C source files. Just need to be
 pointed
 in the right dir.


 On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:

  3 minutes! I think that's too long, how can I drop that down to about
> 45 seconds?
>
>
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>
>  On 26.8.2011, at 10.25, Alex wrote:
>>
>>  Running Dovecot 2 on my server. It is regularly getting dictionary
>> auth
>>
>>> attacked. What I have noticed is that once connected to a pop3/imap
>>> login
>>> session, you can send endless incorrect usernames+passwords attempts.
>>> This
>>> is a problem for me... I use fail2ban to try and stop these script
>>> kiddies.
>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>> however, since it's an "established" session, the attacker can keep
>>> authing
>>> away... It's only on a subsequent (new) connection that the
>>> firewalling will
>>> take effect.
>>>
>>>  Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).
>>
>

If you substitute (create a wrap to) the "imap-login" binary with an script?
The script can create a "fail attempt/ip" file into home dir and return ok
or not to dovecot main process based on this information.
This will solve you problem with established connections and will ban the
"badguy" in realtime.

I know this is possible in 1.x version.
Timo, this is possible on 2.x version?

Regards.

-- 
Use cópia oculta (BCC ou CCO) e apague dados pessoais no campo da mensagem
ao encaminhar qualquer e-mail.

http://allan.cassaro.googlepages.com

Re: [Dovecot] limiting number of incorrect logins per connection

[Alexandre Chapellon]

fail2ban will work as soon as dovecot have closed a none-authenticated 
connection: 3mins->180sec
If tarpit delay for auth failures in a connection is set to 15s (which 
seems to be the default unless i missunderstood) this let an 
attackers only 12 tries (at most) before IP gets blacklisted by 
fail2ban... Far enough to circumvent bruteforce and even dictionnary 
based attacks... unless the attacker has a botnet and uses non 
agressives retry policy. But in the last case, even if you blacklist IP 
at first failed  tried, you're still vuln to such attacks.


regards.

Le 26/08/2011 14:22, Felipe Scarel a écrit :

Yeah, I had read about half of that thread, and after I sent my mail kept
reading and stumbled upon this: "(...) using the recent module needs
dovecotto close the connection upon authentication failure, as iptables only
(normally) comes in to play for new connections (...)".

So, yeah, my suggestion probably won't work.

On Fri, Aug 26, 2011 at 09:15, Felipe Scarel  wrote:


Alex, I've not personally done it (so just speculating here, bear with me)
but you can customize Fail2Ban's actions if needed. So, if you can match the
attemps through some regex (and since you're seeing them in the logs, that
should be quite possible), then you can edit one of the 'actions' to drop
the connection for.

I'm just not entirely sure that iptables (or pf, or whatever firewall
you've got) can do it to active connections, 'cause that problem hasn't
arised for me so far.


On Fri, Aug 26, 2011 at 06:14, Alex  wrote:


I am happy to recompile if there is no config option. I gather it's in the
src/auth dir somewhere in one of the C source files. Just need to be pointed
in the right dir.


On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:


3 minutes! I think that's too long, how can I drop that down to about
45 seconds?


On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:


On 26.8.2011, at 10.25, Alex wrote:

  Running Dovecot 2 on my server. It is regularly getting dictionary auth

attacked. What I have noticed is that once connected to a pop3/imap login
session, you can send endless incorrect usernames+passwords attempts. This
is a problem for me... I use fail2ban to try and stop these script kiddies.
The problem is that fail2ban detects the bad auths, firewalls the IP,
however, since it's an "established" session, the attacker can keep authing
away... It's only on a subsequent (new) connection that the firewalling will
take effect.


Umm. If client hasn't managed to log in in 3 minutes, it's
disconnected (no matter what it does with the connection).



--

<>

Re: [Dovecot] limiting number of incorrect logins per connection

[Felipe Scarel]

Yeah, I had read about half of that thread, and after I sent my mail kept
reading and stumbled upon this: "(...) using the recent module needs
dovecotto close the connection upon authentication failure, as iptables only
(normally) comes in to play for new connections (...)".

So, yeah, my suggestion probably won't work.

On Fri, Aug 26, 2011 at 09:15, Felipe Scarel  wrote:

> Alex, I've not personally done it (so just speculating here, bear with me)
> but you can customize Fail2Ban's actions if needed. So, if you can match the
> attemps through some regex (and since you're seeing them in the logs, that
> should be quite possible), then you can edit one of the 'actions' to drop
> the connection for .
>
> I'm just not entirely sure that iptables (or pf, or whatever firewall
> you've got) can do it to active connections, 'cause that problem hasn't
> arised for me so far.
>
>
> On Fri, Aug 26, 2011 at 06:14, Alex  wrote:
>
>> I am happy to recompile if there is no config option. I gather it's in the
>> src/auth dir somewhere in one of the C source files. Just need to be pointed
>> in the right dir.
>>
>>
>> On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
>>
>>> 3 minutes! I think that's too long, how can I drop that down to about
>>> 45 seconds?
>>>
>>>
>>> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>>>
 On 26.8.2011, at 10.25, Alex wrote:

  Running Dovecot 2 on my server. It is regularly getting dictionary auth
> attacked. What I have noticed is that once connected to a pop3/imap login
> session, you can send endless incorrect usernames+passwords attempts. This
> is a problem for me... I use fail2ban to try and stop these script 
> kiddies.
> The problem is that fail2ban detects the bad auths, firewalls the IP,
> however, since it's an "established" session, the attacker can keep 
> authing
> away... It's only on a subsequent (new) connection that the firewalling 
> will
> take effect.
>

 Umm. If client hasn't managed to log in in 3 minutes, it's
 disconnected (no matter what it does with the connection).

>>>
>>
>

Re: [Dovecot] limiting number of incorrect logins per connection

[Felipe Scarel]

Alex, I've not personally done it (so just speculating here, bear with me)
but you can customize Fail2Ban's actions if needed. So, if you can match the
attemps through some regex (and since you're seeing them in the logs, that
should be quite possible), then you can edit one of the 'actions' to drop
the connection for .

I'm just not entirely sure that iptables (or pf, or whatever firewall you've
got) can do it to active connections, 'cause that problem hasn't arised for
me so far.

On Fri, Aug 26, 2011 at 06:14, Alex  wrote:

> I am happy to recompile if there is no config option. I gather it's in the
> src/auth dir somewhere in one of the C source files. Just need to be pointed
> in the right dir.
>
>
> On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
>
>> 3 minutes! I think that's too long, how can I drop that down to about
>> 45 seconds?
>>
>>
>> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>>
>>> On 26.8.2011, at 10.25, Alex wrote:
>>>
>>>  Running Dovecot 2 on my server. It is regularly getting dictionary auth
 attacked. What I have noticed is that once connected to a pop3/imap login
 session, you can send endless incorrect usernames+passwords attempts. This
 is a problem for me... I use fail2ban to try and stop these script kiddies.
 The problem is that fail2ban detects the bad auths, firewalls the IP,
 however, since it's an "established" session, the attacker can keep authing
 away... It's only on a subsequent (new) connection that the firewalling 
 will
 take effect.

>>>
>>> Umm. If client hasn't managed to log in in 3 minutes, it's
>>> disconnected (no matter what it does with the connection).
>>>
>>
>

Re: [Dovecot] limiting number of incorrect logins per connection

[Alex]

I am happy to recompile if there is no config option. I gather it's in 
the src/auth dir somewhere in one of the C source files. Just need to be 
pointed in the right dir.


On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:

3 minutes! I think that's too long, how can I drop that down to about
45 seconds?


On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:

On 26.8.2011, at 10.25, Alex wrote:

Running Dovecot 2 on my server. It is regularly getting dictionary 
auth attacked. What I have noticed is that once connected to a 
pop3/imap login session, you can send endless incorrect 
usernames+passwords attempts. This is a problem for me... I use 
fail2ban to try and stop these script kiddies. The problem is that 
fail2ban detects the bad auths, firewalls the IP, however, since it's 
an "established" session, the attacker can keep authing away... It's 
only on a subsequent (new) connection that the firewalling will take 
effect.


Umm. If client hasn't managed to log in in 3 minutes, it's
disconnected (no matter what it does with the connection).

Re: [Dovecot] limiting number of incorrect logins per connection

[Alex]

3 minutes! I think that's too long, how can I drop that down to about 
45 seconds?



On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:

On 26.8.2011, at 10.25, Alex wrote:

Running Dovecot 2 on my server. It is regularly getting dictionary 
auth attacked. What I have noticed is that once connected to a 
pop3/imap login session, you can send endless incorrect 
usernames+passwords attempts. This is a problem for me... I use 
fail2ban to try and stop these script kiddies. The problem is that 
fail2ban detects the bad auths, firewalls the IP, however, since it's 
an "established" session, the attacker can keep authing away... It's 
only on a subsequent (new) connection that the firewalling will take 
effect.


Umm. If client hasn't managed to log in in 3 minutes, it's
disconnected (no matter what it does with the connection).

Re: [Dovecot] limiting number of incorrect logins per connection

[Timo Sirainen]

On 26.8.2011, at 10.25, Alex wrote:

> Running Dovecot 2 on my server. It is regularly getting dictionary auth 
> attacked. What I have noticed is that once connected to a pop3/imap login 
> session, you can send endless incorrect usernames+passwords attempts. This is 
> a problem for me... I use fail2ban to try and stop these script kiddies. The 
> problem is that fail2ban detects the bad auths, firewalls the IP, however, 
> since it's an "established" session, the attacker can keep authing away... 
> It's only on a subsequent (new) connection that the firewalling will take 
> effect.

Umm. If client hasn't managed to log in in 3 minutes, it's disconnected (no 
matter what it does with the connection).

Re: [Dovecot] limiting number of incorrect logins per connection

[a...@ahhyes.net]

Hi,

I saw that thread already, however it does not offer any solution that can be 
applied to dovecot directly. That thread has also been asleep for well over a 
year. It couldnt be that hard for the author to implement this function. It 
would only require a few lines of code.


- Reply message -
From: "Robert Schetterer" 
Date: Fri, Aug 26, 2011 17:59
Subject: [Dovecot] limiting number of incorrect logins per connection
To: 

Am 26.08.2011 09:25, schrieb Alex:
> Hi Guys,
> 
> Running Dovecot 2 on my server. It is regularly getting dictionary auth
> attacked. What I have noticed is that once connected to a pop3/imap
> login session, you can send endless incorrect usernames+passwords
> attempts. This is a problem for me... I use fail2ban to try and stop
> these script kiddies. The problem is that fail2ban detects the bad
> auths, firewalls the IP, however, since it's an "established" session,
> the attacker can keep authing away... It's only on a subsequent (new)
> connection that the firewalling will take effect.
> 
> Why is there no configuration option such as "max auth attempts per
> connection"? This would be useful, so once the limit is reached, the
> connection is dropped.
> 
> is there a patch/workaround?
> 

there where equal questions in the past
i.e read
http://comments.gmane.org/gmane.mail.imap.dovecot/46204

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: [Dovecot] limiting number of incorrect logins per connection

[Robert Schetterer]

Am 26.08.2011 09:25, schrieb Alex:
> Hi Guys,
> 
> Running Dovecot 2 on my server. It is regularly getting dictionary auth
> attacked. What I have noticed is that once connected to a pop3/imap
> login session, you can send endless incorrect usernames+passwords
> attempts. This is a problem for me... I use fail2ban to try and stop
> these script kiddies. The problem is that fail2ban detects the bad
> auths, firewalls the IP, however, since it's an "established" session,
> the attacker can keep authing away... It's only on a subsequent (new)
> connection that the firewalling will take effect.
> 
> Why is there no configuration option such as "max auth attempts per
> connection"? This would be useful, so once the limit is reached, the
> connection is dropped.
> 
> is there a patch/workaround?
> 

there where equal questions in the past
i.e read
http://comments.gmane.org/gmane.mail.imap.dovecot/46204

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria