Re: [Dovecot] Limit login attempts per connection?
On 10-03-10 07:09:45, Marcus Rueckert wrote:
> On 2010-03-09 21:07:42 -0800, Terry Barnum wrote:
> > On Fri, 05.03.2010 at 09:44:35 +, Ed W li...@wildgooses.com wrote:
> > > I would be all in favour of a setting like this because it's easier to configure than fail2ban...
> >
> > There's also denyhosts. http://denyhosts.sourceforge.net/
>
> http://snowman.net/projects/ipt_recent/ ... really nice iptables module

Unlike fail2ban and denyhosts, using the recent module needs dovecot to close the connection upon authentication failure, as iptables only (normally) comes into play for new connections, so it only really works with a patch like mine. If you are using the recent module, you probably should also get Alexander Zangerl's pam_recent pam module, so that successful logins aren't counted against the IP.

-- 
TonyN.:' mailto:tonynel...@georgeanelson.com ' http://www.georgeanelson.com/
Re: [Dovecot] Limit login attempts per connection?
On Fri, 05.03.2010 at 09:44:35 +, Ed W li...@wildgooses.com wrote:
> I would be all in favour of a setting like this because it's easier to configure than fail2ban...

There's also denyhosts. http://denyhosts.sourceforge.net/

-Terry
Re: [Dovecot] Limit login attempts per connection?
On 10-03-04 23:43:25, Tony Nelson wrote: On 10-03-04 20:22:15, Frank Cusack wrote: On 3/4/10 6:42 PM -0500 Tony Nelson wrote: Looking at the source, I see that there are no options. It tarpits a bit, but currently has no limit on the number of attempts. I'll see what I can do. I think it's a brilliant idea. After one login attempt, all others on the same connection should fail. A fan! Anyway, there should at least be a choice. Not that I've coded a choice, just a dumb patch -- see attachment. It's a bit of a compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it to 2. New patch with conf file setting max_auth_attempts. The default is 0 and means no limit; non-zero disconnects after that many login failures. I put it in the main area of the conf file, but IIUC it should also work in the pop3 or imap sections and only affect that server. It doesn't affect the tarpitting. When using it with an IPTables recent module rule, set it to 1. -- TonyN.:' mailto:tonynel...@georgeanelson.com ' http://www.georgeanelson.com/ diff -ur dovecot-1.2.10.orig/dovecot-example.conf dovecot-1.2.10/dovecot-example.conf --- dovecot-1.2.10.orig/dovecot-example.conf 2010-03-07 02:05:08.0 -0500 +++ dovecot-1.2.10/dovecot-example.conf 2010-03-08 00:51:30.0 -0500 
@@ -47,6 +47,11 @@ # connection is considered secure and plaintext authentication is allowed. #disable_plaintext_auth = no +# Limit the number of failed authentication attempts per connection. 0 +# means no limit. Tarpitting by 5 seconds more each failure is not +# affected. +#max_auth_attempts = 0 + # Should all IMAP and POP3 processes be killed when Dovecot master process # shuts down. Setting this to no means that Dovecot can be upgraded without # forcing existing client connections to close (although that could also be diff -ur dovecot-1.2.10.orig/dovecot-example.conf.default-settings dovecot-1.2.10/dovecot-example.conf.default-settings --- dovecot-1.2.10.orig/dovecot-example.conf.default-settings 2010-03-07 02:05:08.0 -0500 +++ dovecot-1.2.10/dovecot-example.conf.default-settings 2010-03-08 01:03:53.0 -0500 @@ -51,6 +51,11 @@ # connection is considered secure and plaintext authentication is allowed. #disable_plaintext_auth = yes +# Limit the number of failed authentication attempts per connection. 0 +# means no limit. Tarpitting by 5 seconds more each failure is not +# affected. +#max_auth_attempts = 0 + # Should all IMAP and POP3 processes be killed when Dovecot master process # shuts down. Setting this to no means that Dovecot can be upgraded without # forcing existing client connections to close (although that could also be diff -ur dovecot-1.2.10.orig/src/imap-login/client-authenticate.c dovecot-1.2.10/src/imap-login/client-authenticate.c --- dovecot-1.2.10.orig/src/imap-login/client-authenticate.c 2010-01-24 18:14:17.0 -0500 +++ dovecot-1.2.10/src/imap-login/client-authenticate.c 2010-03-08 00:41:46.0 -0500 @@ -266,6 +266,7 @@ const char *msg; size_t data_len; bool nodelay; + extern unsigned int max_auth_attempts; i_assert(!client-destroyed || reply == SASL_SERVER_REPLY_AUTH_ABORTED || 
@@ -286,8 +287,12 @@ if (client-to_auth_waiting != NULL) timeout_remove(client-to_auth_waiting); if (args != NULL) { - if (client_handle_args(client, args, FALSE, nodelay)) + if (client_handle_args(client, args, FALSE, nodelay)) { +/*GAN 04Mar10 restrict auth attempts */ +if (max_auth_attempts client-common.auth_attempts = max_auth_attempts) + client_destroy(client, Too many auth attempts.); break; + } } if (reply == SASL_SERVER_REPLY_AUTH_ABORTED) @@ -298,8 +303,12 @@ msg = t_strconcat(NO [ALERT] , data, NULL); client_send_tagline(client, msg); - if (!client-destroyed) + if (!client-destroyed) { + /*GAN 04Mar10 restrict auth attempts */ + if (max_auth_attempts client-common.auth_attempts = max_auth_attempts) +client_destroy(client, Too many auth attempts.); client_auth_failed(client, nodelay); + } break; case SASL_SERVER_REPLY_MASTER_FAILED: if (data == NULL) diff -ur dovecot-1.2.10.orig/src/login-common/main.c dovecot-1.2.10/src/login-common/main.c --- dovecot-1.2.10.orig/src/login-common/main.c 2010-01-24 18:14:17.0 -0500 +++ dovecot-1.2.10/src/login-common/main.c 2010-03-08 00:41:46.0 -0500 @@ -29,6 +29,7 @@ unsigned int login_process_uid; struct auth_client *auth_client; bool closing_down, capability_string_overridden; +unsigned int max_auth_attempts; static const char *process_name; static struct ioloop *ioloop; @@ -360,6 +361,10 @@ capability_string_overridden = TRUE; } + /*GAN 06Mar10 restrict auth attempts */ + value = getenv(MAX_AUTH_ATTEMPTS); + max_auth_attempts = value == NULL ? 0 : strtoul(value, NULL,
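Review bot: the two dovecot-example.conf hunks document max_auth_attempts as a general setting, but the code side of this patch touches only src/imap-login, so a reader of that comment will expect pop3-login to honour it as well and it will not; either say so in the comment or carry the same check into src/pop3-login (the first version of this patch did the pop3 side and not the imap side). The comment could also state plainly what is counted, e.g. `# Disconnect the client after this many failed authentication attempts.`, since the code compares against client->common.auth_attempts.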
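Review bot: in the second imap-login hunk (the `if (!client-destroyed)` block), `client_destroy(client, Too many auth attempts.)` is followed unconditionally by `client_auth_failed(client, nodelay)` on the client that was just destroyed; the failure-delay path should be skipped once the client is gone, either by making the two an if/else or by breaking right after the destroy. The condition itself is archived as `if (max_auth_attempts client-common.auth_attempts = max_auth_attempts)`, with its operators lost; from the setting's description (0 means no limit, non-zero disconnects after that many failures) it should read `max_auth_attempts != 0 && client->common.auth_attempts >= max_auth_attempts`, and since the same comparison appears in both imap-login hunks a small helper would keep the two in step. Also, `extern unsigned int max_auth_attempts;` is declared inside the function body; declare it in the login-common header next to the other globals (login_process_uid, closing_down) so both login binaries share one declaration.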
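Review bot: the login-common/main.c hunk reads the limit from the environment (`value = getenv(MAX_AUTH_ATTEMPTS)`), but nothing in this patch makes the master process export MAX_AUTH_ATTEMPTS to the login processes from the new conf setting, so as posted getenv() returns NULL and the limit stays at 0 (no limit) whatever dovecot.conf says; the master-side settings plumbing belongs in the patch, or the cover text should say it is still missing. The `strtoul(value, NULL,` call is also cut off in the archived copy, and it should reject a value that does not parse rather than silently treating it as 0, which here reads as "no limit".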
Re: [Dovecot] Limit login attempts per connection?
On 05/03/2010 04:43, Tony Nelson wrote:
> On 10-03-04 20:22:15, Frank Cusack wrote:
> > On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
> > > Looking at the source, I see that there are no options. It tarpits a bit, but currently has no limit on the number of attempts. I'll see what I can do.
> >
> > I think it's a brilliant idea. After one login attempt, all others on the same connection should fail.
>
> A fan! Anyway, there should at least be a choice. Not that I've coded a choice, just a dumb patch -- see attachment. It's a bit of a compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it to 2.

I would be all in favour of a setting like this because it's easier to configure than fail2ban...

...but ... At least my public facing servers seem to be receiving trickle scans where there is definite evidence of a slow distributed bruteforcer which uses multiple IPs to try multiple usernames and I probably only see each IP a few times a day... This is quite hard to defend against without some kind of distributed system (and I believe there are such things?)

Good luck

Ed W
Re: [Dovecot] Limit login attempts per connection?
On Thu, 2010-03-04 at 23:43 -0500, Tony Nelson wrote:
> > I think it's a brilliant idea. After one login attempt, all others on the same connection should fail.
>
> A fan! Anyway, there should at least be a choice. Not that I've coded a choice, just a dumb patch -- see attachment. It's a bit of a compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it to 2.

I think I'll change v2.0 to simply disconnect 3 minutes after the client connected. With the tarpitting doubling the auth failure delay for up to 15 seconds, that allows maybe max. 15 auth attempts before being disconnected. I don't really see why that would be too much, there's not much brute forcing that can be done with 15 attempts. (And this assumes that something externally blocks that IP by then. If you disconnect without blocking the IP, they'll just reconnect and continue so that won't help much. And banning an IP for just 2-4 failed auth attempts seems a bit too early.)
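The "maybe max. 15 auth attempts" figure above, worked through as an added example (this is not Dovecot's code). The linear schedule (5 seconds more per failure) is the 1.2 behaviour as the patch comment in this thread describes it; the doubling schedule with a 15 second cap is what Timo describes for v2.0, and the 1 second starting delay for it is an assumption, since the thread only gives the cap. The per-connection limit in the last call is Tony's max_auth_attempts idea applied on top of the same schedule.

```python
"""Attempt budget per connection under a tarpit schedule.

Added example, not Dovecot code: it models the arithmetic behind
"disconnect 3 minutes after connect + doubling tarpit => about 15 attempts".
"""
from itertools import islice


def linear_delays(step_secs=5.0):
    """1.2-style tarpit as described in the thread: every failure waits
    step_secs longer than the previous one (5, 10, 15, ...)."""
    n = 1
    while True:
        yield step_secs * n
        n += 1


def doubling_delays(initial_secs=1.0, cap_secs=15.0):
    """Doubling tarpit with a cap, as described for v2.0.
    The 1 s starting value is an assumption; only the 15 s cap is given."""
    d = initial_secs
    while True:
        yield min(d, cap_secs)
        d *= 2


def attempts_in_window(delays, window_secs):
    """Count the attempts a client can start before the connection is cut.

    The k-th attempt starts when the (k-1)-th failure reply arrives, i.e.
    after the sum of the first k-1 delays. An attempt that would start at
    or after the cut-off is not counted.
    """
    elapsed = 0.0
    attempts = 0
    for d in delays:
        if elapsed >= window_secs:
            break
        attempts += 1
        elapsed += d
    return attempts


def attempts_per_hour_without_ban(per_connection, window_secs):
    """Timo's caveat: if nothing blocks the IP, the client reconnects at
    once and gets the whole budget again every window_secs."""
    return per_connection * 3600 / window_secs


if __name__ == "__main__":
    three_minutes = 180
    print("linear +5s, 180s window:",
          attempts_in_window(linear_delays(), three_minutes))
    print("doubling to 15s, 180s window:",
          attempts_in_window(doubling_delays(), three_minutes))
    # Tony's per-connection limit (max_auth_attempts = 4) on the same schedule
    print("doubling, max_auth_attempts=4:",
          attempts_in_window(islice(doubling_delays(), 4), three_minutes))
    print("doubling, no IP ban, attempts per hour:",
          attempts_per_hour_without_ban(15, three_minutes))
```

With these numbers the 3-minute disconnect alone caps a single connection at 15 guesses under the doubling schedule and 8 under the linear one, but without an external block on the address an attacker who reconnects immediately still gets about 300 guesses per hour, which is the point Timo makes in the parenthesis.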
Re: [Dovecot] Limit login attempts per connection?
On Thu, Mar 04, 2010 at 06:43:21PM -0500, Tony Nelson wrote:
> On 10-03-04 00:51:40, to...@tuxteam.de wrote:
> [...fail2ban...]
>
> I already have something that works with any program secure enough not to allow unlimited login attempts. Using fail2ban might work if I configure it enough to sever existing connections.

Understood. Thanks

-- 
tomás
Re: [Dovecot] Limit login attempts per connection?
Ed W put forth on 3/5/2010 3:44 AM:
> ...but ... At least my public facing servers seem to be receiving trickle scans where there is definite evidence of a slow distributed bruteforcer which uses multiple IPs to try multiple usernames and I probably only see each IP a few times a day... This is quite hard to defend against without some kind of distributed system (and I believe there are such things?)

It's good policy these days to use ipdeny.com CIDR tables and ban all countries from your servers that will never need legitimate access to them. If you're in the US, do you need to allow Chinese or Russian IP space to connect to your IMAP ports? If not, it's pretty simple to add iptables rules on all your servers to ban all the countries where a large amount of unauthorized connection attempts originate.

This usually can't be done with off-the-shelf firewalls from the likes of Cisco et al. as they don't have enough memory. For a large server farm, it would be better to have a Linux or NetBSD box running firewall duty for the farm so you only have to load these rules once and eat cycles on only one machine.

Also keep in mind that iptables load time for huge country files can be pretty substantial. I experimented with this on an old dual 550 MHz machine and it took something like 30 seconds to load just the China CIDRs into iptables. If you plan to load up multiple countries, initial iptables loading might take a while. Once you've got it set up and tuned it can work very well.

-- 
Stan
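The load-time and memory cost Stan describes scales with the number of prefixes, and per-country dumps routinely contain adjacent and nested prefixes that can be merged before they ever reach iptables. The added example below (not ipdeny.com's data or anyone's code from this thread) collapses such a list, answers "is this address in a banned range" with a binary search rather than a rule-by-rule walk, and renders one DROP rule per remaining prefix for the mail ports. The prefixes in SAMPLE_COUNTRY_CIDRS are constructed documentation ranges, not real country allocations, and the chain and port list are assumptions.

```python
"""Country-range blocklist handling: collapse a CIDR list and look addresses up.

Added example; the ranges below are constructed test prefixes, not a real
country file.
"""
import bisect
import ipaddress

# Constructed stand-in for a per-country file. It deliberately contains
# adjacent and nested prefixes, as real dumps often do.
SAMPLE_COUNTRY_CIDRS = [
    "192.0.2.0/25",
    "192.0.2.128/25",     # other half of the /24 above
    "198.51.100.0/24",
    "198.51.100.0/26",    # already covered by the /24
    "203.0.113.0/24",
    "203.0.112.0/24",     # adjacent to the line above: together one /23
]


def collapse(cidrs):
    """Merge adjacent and nested prefixes. Fewer prefixes means fewer
    iptables rules to load and fewer rules to walk per packet."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


class PrefixSet:
    """Membership test over a collapsed (hence disjoint and sorted) prefix
    list in O(log n) time."""

    def __init__(self, cidrs):
        self.nets = collapse(cidrs)
        self.starts = [int(n.network_address) for n in self.nets]

    def __contains__(self, addr):
        a = int(ipaddress.ip_address(addr))
        # Rightmost prefix whose start is <= addr; because the prefixes are
        # disjoint it is the only candidate that can contain addr.
        i = bisect.bisect_right(self.starts, a) - 1
        return i >= 0 and a <= int(self.nets[i].broadcast_address)

    def iptables_rules(self, chain="INPUT", ports="110,143,993,995"):
        """Render one DROP rule per collapsed prefix for the mail ports.
        The rules are returned as strings, not applied; review and load them
        with your usual tooling."""
        return [
            f"iptables -A {chain} -p tcp -m multiport --dports {ports} "
            f"-s {n} -j DROP"
            for n in self.nets
        ]


if __name__ == "__main__":
    ps = PrefixSet(SAMPLE_COUNTRY_CIDRS)
    print(f"{len(SAMPLE_COUNTRY_CIDRS)} input prefixes -> {len(ps.nets)} rules")
    for addr in ("203.0.113.77", "192.0.3.1"):
        print(addr, "blocked" if addr in ps else "allowed")
    print("\n".join(ps.iptables_rules()))
```

Six input prefixes become three rules here; on a real country file the reduction is usually smaller but still worth having before a 30-second load. On a current kernel the same list belongs in an ipset referenced by a single iptables rule, which removes the rule-count problem altogether.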
Re: [Dovecot] Limit login attempts per connection?
On 10-03-03 23:01:58, Stan Hoeppner wrote:
> Tony Nelson put forth on 3/3/2010 2:39 PM:
> > Dovecot allows a large number of login attempts per connection. I'd like to reduce that number to, say, 1, and let my firewall keep the ducks at bay, but I can't find anything in /etc/dovecot.conf or by googling. How do I do it? Do I need to patch the source?
> >
> > dovecot-1.1.10-1.x86_64 on CentOS 5.4
>
> Can you tell us more about these unwanted login attempts? Are you merely trying to stop Chinese et al hacker woodpeckering on your IMAP/POP port(s) or something else?

Crackers, yes. They're just the sort one doesn't want getting in to one's system, and the fewer tries they get the better. But the reason is not important.

Looking at the source, I see that there are no options. It tarpits a bit, but currently has no limit on the number of attempts. I'll see what I can do.

-- 
TonyN.:' mailto:tonynel...@georgeanelson.com ' http://www.georgeanelson.com/
Re: [Dovecot] Limit login attempts per connection?
On 10-03-04 00:51:40, to...@tuxteam.de wrote:
> On Wed, Mar 03, 2010 at 03:39:28PM -0500, Tony Nelson wrote:
> > Dovecot allows a large number of login attempts per connection. I'd like to reduce that number to, say, 1, and let my firewall keep the ducks at bay,
>
> If the firewall is the one to do the job, I'd recommend an external application like fail2ban. It watches the logs and bans IP addresses with too many failures -- the nice thing is that it's able to cover all applications listening on external ports. You can define patterns in log files to which it has to react (but it comes with a good set of pre-defined patterns -- at least on popular GNU/Linux distros).

I already have something that works with any program secure enough not to allow unlimited login attempts. Using fail2ban might work if I configure it enough to sever existing connections.

> > but I can't find anything in /etc/dovecot.conf or by googling. How do I do it? Do I need to patch the source?
>
> I don't know about such a setting (but I don't know everything about Dovecot either!). Anyway, then it'd still be the Dovecot process dealing with the rogue login attempts -- it seems better to keep them at the firewall level with the approach above.

Yes, and I'm going to use the firewall -- once I can get Dovecot to limit the number of login attempts per connection.

Looking at the source, I see that there are no options. It tarpits a bit, but currently has no limit on the number of attempts. I'll see what I can do.

-- 
TonyN.:' mailto:tonynel...@georgeanelson.com ' http://www.georgeanelson.com/
Re: [Dovecot] Limit login attempts per connection?
On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
> Looking at the source, I see that there are no options. It tarpits a bit, but currently has no limit on the number of attempts. I'll see what I can do.

I think it's a brilliant idea. After one login attempt, all others on the same connection should fail.

-frank
Re: [Dovecot] Limit login attempts per connection?
On 10-03-04 20:22:15, Frank Cusack wrote: On 3/4/10 6:42 PM -0500 Tony Nelson wrote: Looking at the source, I see that there are no options. It tarpits a bit, but currently has no limit on the number of attempts. I'll see what I can do. I think it's a brilliant idea. After one login attempt, all others on the same connection should fail. A fan! Anyway, there should at least be a choice. Not that I've coded a choice, just a dumb patch -- see attachment. It's a bit of a compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it to 2. -- TonyN.:' mailto:tonynel...@georgeanelson.com ' http://www.georgeanelson.com/ --- dovecot-1.2.10/src/pop3-login/client-authenticate.c.limitauth 2010-01-24 18:14:17.0 -0500 +++ dovecot-1.2.10/src/pop3-login/client-authenticate.c 2010-03-04 23:08:07.0 -0500 @@ -21,6 +21,7 @@ #define POP3_SERVICE_NAME pop3 #define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000 +#define AUTH_ATTEMPT_LIMIT 3 const char *capability_string = POP3_CAPABILITY_REPLY; @@ -244,8 +245,12 @@ case SASL_SERVER_REPLY_AUTH_FAILED: case SASL_SERVER_REPLY_AUTH_ABORTED: if (args != NULL) { - if (client_handle_args(client, args, FALSE, nodelay)) + if (client_handle_args(client, args, FALSE, nodelay)) { +/*GAN 04Mar10 restrict auth attempts */ +if (client-common.auth_attempts AUTH_ATTEMPT_LIMIT) +client_destroy(client, Too many auth attempts.); break; +} } if (reply == SASL_SERVER_REPLY_AUTH_ABORTED) @@ -256,8 +261,12 @@ msg = t_strconcat(-ERR , data, NULL); client_send_line(client, msg); - if (!client-destroyed) + if (!client-destroyed) { +/*GAN 04Mar10 restrict auth attempts */ +if (client-common.auth_attempts AUTH_ATTEMPT_LIMIT) +client_destroy(client, Too many auth attempts.); client_auth_failed(client, nodelay); +} break; case SASL_SERVER_REPLY_MASTER_FAILED: if (data == NULL)
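Review bot: `#define AUTH_ATTEMPT_LIMIT 3` does not match the cover note's "hard-coded limit of 4 attempts", and the comparison in the later hunks has lost its operator in the archived copy (`if (client-common.auth_attempts AUTH_ATTEMPT_LIMIT)`), so whether the client is cut off on the third or the fourth failure depends on whether that is `>` or `>=`; name the constant for what it means (failures tolerated before disconnect) and add a one-line comment saying so. Note also that this version patches only src/pop3-login, so imap-login keeps the unlimited behaviour the thread is about.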
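Review bot: in the `-ERR` hunk, `client_destroy(client, Too many auth attempts.)` is followed on the next line by `client_auth_failed(client, nodelay)` on the client that was just destroyed; skip the failure delay once the client is gone (an else branch, or `break` right after the destroy). The same check is copied verbatim into the `client_handle_args` hunk, so a tiny helper such as `client_too_many_attempts(client)` would stop the two drifting apart when the limit becomes a setting, which the cover note already says it should be.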
Re: [Dovecot] Limit login attempts per connection?
Tony Nelson put forth on 3/3/2010 2:39 PM:
> Dovecot allows a large number of login attempts per connection. I'd like to reduce that number to, say, 1, and let my firewall keep the ducks at bay, but I can't find anything in /etc/dovecot.conf or by googling. How do I do it? Do I need to patch the source?
>
> dovecot-1.1.10-1.x86_64 on CentOS 5.4

Can you tell us more about these unwanted login attempts? Are you merely trying to stop Chinese et al hacker woodpeckering on your IMAP/POP port(s) or something else?

-- 
Stan
Re: [Dovecot] Limit login attempts per connection?
On Wed, Mar 03, 2010 at 03:39:28PM -0500, Tony Nelson wrote:
> Dovecot allows a large number of login attempts per connection. I'd like to reduce that number to, say, 1, and let my firewall keep the ducks at bay,

If the firewall is the one to do the job, I'd recommend an external application like fail2ban. It watches the logs and bans IP addresses with too many failures -- the nice thing is that it's able to cover all applications listening on external ports. You can define patterns in log files to which it has to react (but it comes with a good set of pre-defined patterns -- at least on popular GNU/Linux distros).

> but I can't find anything in /etc/dovecot.conf or by googling. How do I do it? Do I need to patch the source?

I don't know about such a setting (but I don't know everything about Dovecot either!). Anyway, then it'd still be the Dovecot process dealing with the rogue login attempts -- it seems better to keep them at the firewall level with the approach above.

Regards

-- 
tomás
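What fail2ban does with the Dovecot log, and why Ed W's slow distributed scan slips past it, as an added example (not fail2ban's or Dovecot's code). The sample lines are constructed in the shape of Dovecot 1.x imap-login/pop3-login failure messages ("Disconnected (auth failed, N attempts): user=<...>, ..., rip=..."); the thresholds, the 10-minute per-IP window and the 6-hour per-user window are assumptions. The per-IP counter is the fail2ban model: ban the source after N failures in the window. The per-user counter sees the same failures keyed on the account instead of the source, which is what makes a scan that touches each IP only once or twice a day visible at all. What to do when a user is flagged (alert, step-up, never a blind lockout, since that hands an attacker a denial of service) is a separate decision.

```python
"""fail2ban-style scan of Dovecot login logs, per source IP and per user.

Added example, not fail2ban's or Dovecot's code. SAMPLE_LOG is constructed
in the shape of Dovecot 1.x login-process messages; windows and thresholds
are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?:imap|pop3)-login: (?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<n>\d+) attempts\): user=<(?P<user>[^>]*)>, "
    r"method=[^,]+, rip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample: one source hammering "alice", one successful login,
# and five different sources each trying "bob" once (the distributed case).
SAMPLE_LOG = """\
Mar  5 03:12:01 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  5 03:12:40 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  5 03:13:20 mail dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  5 03:14:02 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS
Mar  5 03:15:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.21, lip=192.0.2.10
Mar  5 03:16:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10
Mar  5 03:18:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Mar  5 03:19:44 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.24, lip=192.0.2.10
Mar  5 03:21:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.25, lip=192.0.2.10
"""


def parse_failure(line, year=2010):
    """Return (timestamp, failed_attempts, user, remote_ip) for an
    auth-failure line, or None for anything else (successful logins,
    other daemons). Syslog timestamps carry no year, so one is supplied."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts.replace(year=year), int(m.group("n")), m.group("user"), m.group("rip")


def scan(lines, ip_window_secs=600, per_ip_max=5,
         user_window_secs=6 * 3600, per_user_max=5):
    """Sliding-window failure counters.

    per_ip is the fail2ban model: ban the source after per_ip_max failures
    inside ip_window_secs. per_user counts failures against one account
    from any source over a much longer window, which is what surfaces a
    slow distributed scan where every single IP stays under the per-IP
    threshold. Returns (ips_to_ban, users_to_flag).
    """
    tables = (
        ("ip", defaultdict(deque), timedelta(seconds=ip_window_secs), per_ip_max),
        ("user", defaultdict(deque), timedelta(seconds=user_window_secs), per_user_max),
    )
    ban_ips, flag_users = set(), set()
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        ts, n, user, rip = rec
        for name, table, window, limit in tables:
            key = rip if name == "ip" else user
            q = table[key]
            q.extend([ts] * n)            # one line may report several failures
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= limit:
                (ban_ips if name == "ip" else flag_users).add(key)
    return ban_ips, flag_users


if __name__ == "__main__":
    bans, flags = scan(SAMPLE_LOG.splitlines())
    print("ban (per-IP, fail2ban-style):", sorted(bans))
    print("flag (per-user, catches the distributed scan):", sorted(flags))
```

On the sample, the per-IP rule bans 203.0.113.7 and nothing else: each of the five hosts trying "bob" has a single failure, so fail2ban would never act on them, exactly the trickle Ed W describes. The per-user view flags "bob" as well as "alice". Note that a ban installed this way only stops new connections; an existing session keeps its attempt budget until the server disconnects it, which is why Tony wants the per-connection limit in Dovecot on top of the firewall.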