Re: [Dovecot] Limit login attempts per connection?

2010-03-10 Thread Tony Nelson
On 10-03-10 07:09:45, Marcus Rueckert wrote:
 On 2010-03-09 21:07:42 -0800, Terry Barnum wrote:
   On Fri, 05.03.2010 at 09:44:35 +, Ed W li...@wildgooses.com
   wrote:
   I would be all in favour of a setting like this because it's
   easier to configure than fail2ban...
  
  There's also denyhosts. http://denyhosts.sourceforge.net/
 
 http://snowman.net/projects/ipt_recent/
 ...
 really nice iptables module

Unlike fail2ban and denyhosts, using the recent module needs dovecot
to close the connection upon authentication failure, as iptables only 
(normally) comes in to play for new connections, so it only really 
works with a patch like mine.

If you are using the recent module, you probably should also get 
Alexander Zangerl's pam_recent pam module, so that successful logins 
aren't counted against the IP.

-- 

TonyN.:'   mailto:tonynel...@georgeanelson.com
  '  http://www.georgeanelson.com/
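To make the point above concrete, an added example that is not from the thread or from Dovecot: a POSIX shell script that emits iptables rules built on the recent module for Dovecot's IMAP/POP3 ports. The rules only match NEW connections, so they have an effect only if Dovecot disconnects after a failed login (max_auth_attempts = 1 with the patch from this thread). The chain name DOVECOT_RECENT, the list name, window and hit count are assumptions.

```shell
#!/bin/sh
# Added example: iptables rules built on the xt_recent module to throttle
# new connections to Dovecot's IMAP/POP3 ports. The recent module only sees
# the packets that open a connection, so this is useful only if Dovecot
# disconnects after a failed login (max_auth_attempts = 1 with the patch in
# this thread); otherwise one connection can carry many guesses unnoticed.
# List name, window and hit count are assumptions; tune them for your users.
RECENT_LIST=${RECENT_LIST:-dovecot_auth}
WINDOW_SECS=${WINDOW_SECS:-600}   # look-back window for --seconds
MAX_NEW=${MAX_NEW:-5}             # new connections tolerated in that window

# Print one iptables command per line for the given TCP ports.
dovecot_recent_rules() {
    ports=$(echo "$@" | tr ' ' ',')
    cat <<EOF
iptables -N DOVECOT_RECENT 2>/dev/null || iptables -F DOVECOT_RECENT
iptables -A DOVECOT_RECENT -m recent --name $RECENT_LIST --rcheck --seconds $WINDOW_SECS --hitcount $MAX_NEW -j LOG --log-prefix "dovecot-recent: "
iptables -A DOVECOT_RECENT -m recent --name $RECENT_LIST --update --seconds $WINDOW_SECS --hitcount $MAX_NEW -j DROP
iptables -A DOVECOT_RECENT -m recent --name $RECENT_LIST --set -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j DOVECOT_RECENT
EOF
}

# Remove an address from the list once it has authenticated successfully, so
# a user who mistyped a password is not pushed toward the limit (this is what
# pam_recent automates). The path is /proc/net/ipt_recent on older kernels.
forget_address() {
    echo "-$1" > "/proc/net/xt_recent/$RECENT_LIST"
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = apply ]; then
    dovecot_recent_rules 110 143 993 995 | sh -e
fi
```

Run it as root with the argument apply to load the rules; without an argument it only defines the functions, so the rule text can be reviewed first with dovecot_recent_rules.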


Re: [Dovecot] Limit login attempts per connection?

2010-03-09 Thread Terry Barnum

 On Fri, 05.03.2010 at 09:44:35 +, Ed W li...@wildgooses.com wrote:
 I would be all in favour of a setting like this because it's easier
 to configure than fail2ban...

There's also denyhosts. http://denyhosts.sourceforge.net/

-Terry




Re: [Dovecot] Limit login attempts per connection?

2010-03-07 Thread Tony Nelson
On 10-03-04 23:43:25, Tony Nelson wrote:
 On 10-03-04 20:22:15, Frank Cusack wrote:
  On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
   Looking at the source, I see that there are no options.  It
   tarpits a bit, but currently has no limit on the number of 
   attempts.  I'll see what I can do.
  
  I think it's a brilliant idea.  After one login attempt, all others
  on the same connection should fail.
 
 A fan!  Anyway, there should at least be a choice.  Not that I've
 coded a choice, just a dumb patch -- see attachment.  It's a bit of a
 compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower
 it to 2.

New patch with conf file setting max_auth_attempts.  The default is 0 
and means no limit; non-zero disconnects after that many login 
failures.  I put it in the main area of the conf file, but IIUC it 
should also work in the pop3 or imap sections and only affect that 
server.  It doesn't affect the tarpitting.

When using it with an IPTables recent module rule, set it to 1.
 
-- 

TonyN.:'   mailto:tonynel...@georgeanelson.com
  '  http://www.georgeanelson.com/

diff -ur dovecot-1.2.10.orig/dovecot-example.conf dovecot-1.2.10/dovecot-example.conf
--- dovecot-1.2.10.orig/dovecot-example.conf	2010-03-07 02:05:08.0 -0500
+++ dovecot-1.2.10/dovecot-example.conf	2010-03-08 00:51:30.0 -0500
@@ -47,6 +47,11 @@
 # connection is considered secure and plaintext authentication is allowed.
 #disable_plaintext_auth = no
 
+# Limit the number of failed authentication attempts per connection.  0
+# means no limit.  Tarpitting by 5 seconds more each failure is not
+# affected.
+#max_auth_attempts = 0
+
 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to no means that Dovecot can be upgraded without
 # forcing existing client connections to close (although that could also be
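Review bot: the comment describes the limit as failed authentication attempts per connection, while the setting name max_auth_attempts reads as a cap on total attempts; either name it after failures (e.g. max_auth_failures) or say in the comment that the value is compared against the connection's failure count, and mention what the client sees when it is disconnected. The same four comment lines are repeated verbatim in the .default-settings hunk; keep the two copies in step when one is edited.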
diff -ur dovecot-1.2.10.orig/dovecot-example.conf.default-settings dovecot-1.2.10/dovecot-example.conf.default-settings
--- dovecot-1.2.10.orig/dovecot-example.conf.default-settings	2010-03-07 02:05:08.0 -0500
+++ dovecot-1.2.10/dovecot-example.conf.default-settings	2010-03-08 01:03:53.0 -0500
@@ -51,6 +51,11 @@
 # connection is considered secure and plaintext authentication is allowed.
 #disable_plaintext_auth = yes
 
+# Limit the number of failed authentication attempts per connection.  0
+# means no limit.  Tarpitting by 5 seconds more each failure is not
+# affected.
+#max_auth_attempts = 0
+
 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to no means that Dovecot can be upgraded without
 # forcing existing client connections to close (although that could also be
diff -ur dovecot-1.2.10.orig/src/imap-login/client-authenticate.c dovecot-1.2.10/src/imap-login/client-authenticate.c
--- dovecot-1.2.10.orig/src/imap-login/client-authenticate.c	2010-01-24 18:14:17.0 -0500
+++ dovecot-1.2.10/src/imap-login/client-authenticate.c	2010-03-08 00:41:46.0 -0500
@@ -266,6 +266,7 @@
 	const char *msg;
 	size_t data_len;
 	bool nodelay;
+	extern unsigned int max_auth_attempts;
 
 	i_assert(!client-destroyed ||
 		 reply == SASL_SERVER_REPLY_AUTH_ABORTED ||
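Review bot: the block-scope `extern unsigned int max_auth_attempts;` added inside the function body duplicates a declaration that belongs in login-common's shared header, next to the other globals defined in main.c (login_process_uid, auth_client); a function-local extern hides the dependency between the two files and has to be repeated in pop3-login. Declare it once in the header and include that here.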
@@ -286,8 +287,12 @@
 		if (client-to_auth_waiting != NULL)
 			timeout_remove(client-to_auth_waiting);
 		if (args != NULL) {
-			if (client_handle_args(client, args, FALSE, nodelay))
+			if (client_handle_args(client, args, FALSE, nodelay)) {
+/*GAN 04Mar10  restrict auth attempts */
+if (max_auth_attempts  client-common.auth_attempts = max_auth_attempts)
+	client_destroy(client, Too many auth attempts.);
 break;
+			}
 		}
 
 		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
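Review bot: the four inserted lines (from the `/*GAN 04Mar10 ...*/` comment to the `client_destroy(...)` call) are indented at column zero inside a block that is tab-indented three levels deep, so they do not line up with the surrounding `break;` and the new closing `}`; re-indent to match. The limit comparison is also copied verbatim into the next hunk and into pop3-login; a small helper in login-common (something like client_auth_limit_reached()) would keep the check and the log message in one place.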
@@ -298,8 +303,12 @@
 			msg = t_strconcat(NO [ALERT] , data, NULL);
 		client_send_tagline(client, msg);
 
-		if (!client-destroyed)
+		if (!client-destroyed) {
+			/*GAN 04Mar10  restrict auth attempts */
+			if (max_auth_attempts  client-common.auth_attempts = max_auth_attempts)
+client_destroy(client, Too many auth attempts.);
 			client_auth_failed(client, nodelay);
+		}
 		break;
 	case SASL_SERVER_REPLY_MASTER_FAILED:
 		if (data == NULL)
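Review bot: logic problem in the `if (!client-destroyed) {` block: the original guarded client_auth_failed() precisely because the client may already have been destroyed, yet the patch calls client_destroy(client, ...) when the limit is hit and then calls client_auth_failed(client, nodelay) on the same client unconditionally. Put client_auth_failed() in an else branch of the limit check, or re-test the destroyed flag after the destroy, so the tarpit delay is not armed on a client that is going away.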
diff -ur dovecot-1.2.10.orig/src/login-common/main.c dovecot-1.2.10/src/login-common/main.c
--- dovecot-1.2.10.orig/src/login-common/main.c	2010-01-24 18:14:17.0 -0500
+++ dovecot-1.2.10/src/login-common/main.c	2010-03-08 00:41:46.0 -0500
@@ -29,6 +29,7 @@
 unsigned int login_process_uid;
 struct auth_client *auth_client;
 bool closing_down, capability_string_overridden;
+unsigned int max_auth_attempts;
 
 static const char *process_name;
 static struct ioloop *ioloop;
@@ -360,6 +361,10 @@
 			capability_string_overridden = TRUE;
 	}
 
+	/*GAN 06Mar10  restrict auth attempts */
+	value = getenv(MAX_AUTH_ATTEMPTS);
+	max_auth_attempts = value == NULL ? 0 : strtoul(value, NULL, 
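Review bot: this hunk reads the limit from a MAX_AUTH_ATTEMPTS environment variable in the login process, but the diff as posted breaks off inside the strtoul() call and shows no change on the master side (the code that parses dovecot.conf and exports settings into the login processes' environment); without that part the variable is never set and the limit stays at 0. Please post the complete patch, including the master settings change, and check the strtoul() result for overflow before storing it in an unsigned int.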

Re: [Dovecot] Limit login attempts per connection?

2010-03-05 Thread Ed W

On 05/03/2010 04:43, Tony Nelson wrote:
 On 10-03-04 20:22:15, Frank Cusack wrote:
  On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
   Looking at the source, I see that there are no options.  It tarpits
   a bit, but currently has no limit on the number of attempts.  I'll
   see what I can do.
  
  I think it's a brilliant idea.  After one login attempt, all others
  on the same connection should fail.
 
 A fan!  Anyway, there should at least be a choice.  Not that I've coded
 a choice, just a dumb patch -- see attachment.  It's a bit of a
 compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower it
 to 2.

I would be all in favour of a setting like this because it's easier to 
configure than fail2ban...


...but ...  At least my public facing servers seem to be receiving 
trickle scans where there is definite evidence of a slow distributed 
bruteforcer which uses multiple IPs to try multiple usernames and I 
probably only see each IP a few times a day...  This is quite hard to 
defend against without some kind of distributed system (and I believe 
there are such things?)


Good luck

Ed W
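An added example (not from the thread) of the kind of check the trickle-scan description above calls for: a POSIX shell/awk filter over Dovecot 1.x login log lines that flags usernames probed from many source addresses, and sources that try several users but only a couple of times each, which is the pattern per-IP counters such as fail2ban do not see. The log lines are constructed samples and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example: spot a slow, distributed password-guessing campaign in
# Dovecot login logs. Per-IP tools (fail2ban, denyhosts, xt_recent) key on
# one address failing repeatedly; here we pivot on the username instead and
# on sources that try several users but only a few times each.
MIN_IPS_PER_USER=${MIN_IPS_PER_USER:-3}  # distinct sources before a user is flagged (assumption)
MAX_HITS_PER_IP=${MAX_HITS_PER_IP:-2}    # at most this many failures = "low-rate" source (assumption)

# Constructed sample lines in the dovecot 1.x login-process format; not real traffic.
SAMPLE_LOG='Mar  5 03:10:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.10, lip=203.0.113.5
Mar  5 04:22:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Mar  5 07:05:13 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.200, lip=203.0.113.5
Mar  5 09:48:55 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.5
Mar  5 09:49:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.5
Mar  5 11:00:02 mx dovecot: imap-login: Disconnected (auth failed, 5 attempts): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.5
Mar  5 11:30:00 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.50, lip=203.0.113.5, TLS'

# Reads log lines on stdin, prints one finding per line (sorted for stable output).
detect_trickle_scan() {
    awk -v minips="$MIN_IPS_PER_USER" -v maxhits="$MAX_HITS_PER_IP" '
    /auth failed/ {
        if (!match($0, /user=<[^>]*>/)) next
        u = substr($0, RSTART + 6, RLENGTH - 7)
        if (!match($0, /rip=[0-9.]+/)) next
        ip = substr($0, RSTART + 4, RLENGTH - 4)
        n = 1                                   # Dovecot reports the per-connection count
        if (match($0, /auth failed, [0-9]+ attempts/))
            n = substr($0, RSTART + 13, RLENGTH - 22) + 0
        if (!((u, ip) in seen)) {               # count each user/source pair once
            seen[u, ip] = 1
            ips_per_user[u]++
            users_per_ip[ip]++
        }
        hits[ip] += n
    }
    END {
        for (u in ips_per_user)
            if (ips_per_user[u] >= minips)
                printf "user %s probed from %d addresses\n", u, ips_per_user[u]
        for (ip in users_per_ip)
            if (users_per_ip[ip] >= 2 && hits[ip] <= maxhits)
                printf "low-rate source %s: %d users, %d failures\n", ip, users_per_ip[ip], hits[ip]
    }' | sort
}
```

On the sample, alice is reported (four sources, one failure each) and 203.0.113.77 is reported as a low-rate source; bob's five failures from a single address are deliberately left out, since that is the pattern per-IP banning already handles. Feed real logs with `detect_trickle_scan < /var/log/maillog`.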


Re: [Dovecot] Limit login attempts per connection?

2010-03-05 Thread Timo Sirainen
On Thu, 2010-03-04 at 23:43 -0500, Tony Nelson wrote:
  I think it's a brilliant idea.  After one login attempt, all others
  on the same connection should fail.
 
 A fan!  Anyway, there should at least be a choice.  Not that I've coded
 a choice, just a dumb patch -- see attachment.  It's a bit of a
 compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower it
 to 2.

I think I'll change v2.0 to simply disconnect 3 minutes after the client
connected. With the tarpitting doubling the auth failure delay for up to
15 seconds, that allows maybe max. 15 auth attempts before being
disconnected. I don't really see why that would be too much, there's not
much brute forcing that can be done with 15 attempts..

(And this assumes that something externally blocks that IP by then. If
you disconnect without blocking the IP, they'll just reconnect and
continue so that won't help much. And banning IP for just 2-4 failed
auth attempts seems a bit too early.)





Re: [Dovecot] Limit login attempts per connection?

2010-03-05 Thread tomas

On Thu, Mar 04, 2010 at 06:43:21PM -0500, Tony Nelson wrote:
 On 10-03-04 00:51:40, to...@tuxteam.de wrote:

[...fail2ban...]

 I already have something that works with any program secure enough not 
 to allow unlimited login attempts.  Using fail2ban might work if I 
 configure it enough to sever existing connections.

Understood.

Thanks
- -- tomás


Re: [Dovecot] Limit login attempts per connection?

2010-03-05 Thread Stan Hoeppner
Ed W put forth on 3/5/2010 3:44 AM:

 ...but ...  At least my public facing servers seem to be receiving
 trickle scans where there is definite evidence of a slow distributed
 bruteforcer which uses multiple IPs to try multiple usernames and I
 probably only see each IP a few times a day...  This is quite hard to
 defend against without some kind of distributed system (and I believe
 there are such things?)

It's good policy these days to use ipdeny.com cidr tables and ban all
countries from your servers that will never need legitimate access to them.
 If you're in the US, do you need to allow Chinese or Russian IP space to
connect to your IMAP ports?  If not, it's pretty simple to add iptables
rules on all your servers to ban all the countries where a large amount of
unauthorized connection attempts originate.

This usually can't be done with off the shelf firewalls from the likes of
Cisco et al as they don't have enough memory.  For a large server farm, it
would be better to have a Linux or NetBSD box running firewall duty for the
farm so you only have to load these rules once and eat cycles on only one
machine.

Also keep in mind that iptables load time for huge country files can be
pretty substantial.  I experimented with this on an old dual 550 MHz machine
and it took something like 30 seconds to load just the China cidrs into
iptables.  If you plan to load up multiple countries, initial iptables
loading might take a while.

Once you've got it set up and tuned it can work very well.

-- 
Stan


Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Tony Nelson
On 10-03-03 23:01:58, Stan Hoeppner wrote:
 Tony Nelson put forth on 3/3/2010 2:39 PM:
  Dovecot allows a large number of login attempts per connection.  
  I'd like to reduce that number to, say, 1, and let my firewall keep 
  the ducks at bay, but I can't find anything in /etc/dovecot.conf or 
  by googling.  How do I do it?  Do I need to patch the source?
  
  dovecot-1.1.10-1.x86_64 on CentOS 5.4
 
 Can you tell us more about these unwanted login attempts?  Are you
 merely trying to stop Chinese et al hacker woodpeckering on your 
 IMAP/POP port(s) or something else?

Crackers, yes.  They're just the sort one doesn't want getting in to 
one's system, and the fewer tries they get the better.  But the reason 
is not important.

Looking at the source, I see that there are no options.  It tarpits a 
bit, but currently has no limit on the number of attempts.  I'll see 
what I can do.

-- 

TonyN.:'   mailto:tonynel...@georgeanelson.com
  '  http://www.georgeanelson.com/


Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Tony Nelson
On 10-03-04 00:51:40, to...@tuxteam.de wrote:
 On Wed, Mar 03, 2010 at 03:39:28PM -0500, Tony Nelson wrote:
  Dovecot allows a large number of login attempts per connection.  
  I'd like to reduce that number to, say, 1, and let my firewall keep 
  the ducks at bay,
 
 If the firewall is the one to do the job, I'd recommend an external
 application like fail2ban. It watches the logs and bans IP addresses
 with too many failures -- the nice thing is that it's able to cover
 all applications listening on external ports. You can define patterns 
 in log files to which it has to react (but it comes with a good set 
 of pre-defined patterns -- at least on popular GNU/Linux distros).

I already have something that works with any program secure enough not 
to allow unlimited login attempts.  Using fail2ban might work if I 
configure it enough to sever existing connections.


  but I can't find anything in /etc/dovecot.conf or by
  googling.  How do I do it?  Do I need to patch the source?
 
 I don't know about such a setting (but I don't know everything about
 Dovecot either!). Anyway, then it'd still be the Dovecot process dealing
 with the rogue login attempts -- it seems better to keep them at the
 firewall level with the approach above.

Yes, and I'm going to use the firewall -- once I can get Dovecot to 
limit the number of login attempts per connection.

Looking at the source, I see that there are no options.  It tarpits a 
bit, but currently has no limit on the number of attempts.  I'll see 
what I can do.

-- 

TonyN.:'   mailto:tonynel...@georgeanelson.com
  '  http://www.georgeanelson.com/


Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Frank Cusack

On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
 Looking at the source, I see that there are no options.  It tarpits a
 bit, but currently has no limit on the number of attempts.  I'll see
 what I can do.

I think it's a brilliant idea.  After one login attempt, all others on
the same connection should fail.

-frank


Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Tony Nelson

On 10-03-04 20:22:15, Frank Cusack wrote:
 On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
  Looking at the source, I see that there are no options.  It tarpits
  a bit, but currently has no limit on the number of attempts.  I'll
  see what I can do.
 
 I think it's a brilliant idea.  After one login attempt, all others
 on the same connection should fail.

A fan!  Anyway, there should at least be a choice.  Not that I've coded
a choice, just a dumb patch -- see attachment.  It's a bit of a
compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower it
to 2.

--

TonyN.:'   mailto:tonynel...@georgeanelson.com
  '  http://www.georgeanelson.com/
--- dovecot-1.2.10/src/pop3-login/client-authenticate.c.limitauth	2010-01-24 18:14:17.0 -0500
+++ dovecot-1.2.10/src/pop3-login/client-authenticate.c	2010-03-04 23:08:07.0 -0500
@@ -21,6 +21,7 @@
 
 #define POP3_SERVICE_NAME pop3
 #define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000
+#define AUTH_ATTEMPT_LIMIT 3
 
 const char *capability_string = POP3_CAPABILITY_REPLY;
 
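Review bot: `#define AUTH_ATTEMPT_LIMIT 3` is a compile-time constant with no comment on what it counts; the covering message speaks of a hard-coded limit of 4 attempts, which only matches if the comparison in the later hunks is strict (attempts greater than 3). State the semantics in a comment next to the define, and since the message itself says there should be a choice, this is the value that wants to become a configuration setting rather than a macro.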
@@ -244,8 +245,12 @@
 	case SASL_SERVER_REPLY_AUTH_FAILED:
 	case SASL_SERVER_REPLY_AUTH_ABORTED:
 		if (args != NULL) {
-			if (client_handle_args(client, args, FALSE, nodelay))
+			if (client_handle_args(client, args, FALSE, nodelay)) {
+/*GAN 04Mar10  restrict auth attempts */
+if (client-common.auth_attempts  AUTH_ATTEMPT_LIMIT)
+client_destroy(client, Too many auth attempts.);
 break;
+}
 		}
 
 		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
@@ -256,8 +261,12 @@
 			msg = t_strconcat(-ERR , data, NULL);
 		client_send_line(client, msg);
 
-		if (!client-destroyed)
+		if (!client-destroyed) {
+/*GAN 04Mar10  restrict auth attempts */
+if (client-common.auth_attempts  AUTH_ATTEMPT_LIMIT)
+client_destroy(client, Too many auth attempts.);
 			client_auth_failed(client, nodelay);
+}
 		break;
 	case SASL_SERVER_REPLY_MASTER_FAILED:
 		if (data == NULL)
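Review bot: ordering problem in the `if (!client-destroyed) {` block: client_destroy(client, ...) is called when the limit is reached and then client_auth_failed(client, nodelay) runs on the same client anyway, which is exactly what the original destroyed check was there to prevent. Move client_auth_failed() into an else branch of the limit check or re-test the destroyed flag after the destroy; the inserted lines should also be indented to the level of the surrounding tab-indented block so the new closing `}` pairs visibly with its opening brace.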



Re: [Dovecot] Limit login attempts per connection?

2010-03-03 Thread Stan Hoeppner
Tony Nelson put forth on 3/3/2010 2:39 PM:
 Dovecot allows a large number of login attempts per connection.  I'd 
 like to reduce that number to, say, 1, and let my firewall keep the 
 ducks at bay, but I can't find anything in /etc/dovecot.conf or by 
 googling.  How do I do it?  Do I need to patch the source?
 
 dovecot-1.1.10-1.x86_64 on CentOS 5.4

Can you tell us more about these unwanted login attempts?  Are you merely
trying to stop Chinese et al hacker woodpeckering on your IMAP/POP port(s)
or something else?

-- 
Stan




Re: [Dovecot] Limit login attempts per connection?

2010-03-03 Thread tomas

On Wed, Mar 03, 2010 at 03:39:28PM -0500, Tony Nelson wrote:
 Dovecot allows a large number of login attempts per connection.  I'd 
 like to reduce that number to, say, 1, and let my firewall keep the 
 ducks at bay,

If the firewall is the one to do the job, I'd recommend an external
application like fail2ban. It watches the logs and bans IP addresses
with too many failures -- the nice thing is that it's able to cover all
applications listening on external ports. You can define patterns in
log files to which it has to react (but it comes with a good set of
pre-defined patterns -- at least on popular GNU/Linux distros).

   but I can't find anything in /etc/dovecot.conf or by 
 googling.  How do I do it?  Do I need to patch the source?

I don't know about such a setting (but I don't know everything about
Dovecot either!). Anyway, then it'd still be the Dovecot process dealing
with the rogue login attempts -- it seems better to keep them at the
firewall level with the approach above.

Regards
- -- tomás