Re: Log authentication attempts
You might be interested in using https://github.com/PowerDNS/weakforced, which is intended for deterring brute force attacks on clustered setups. Logging auth attempts with the auth policy API requires you to run some web service that will perform the logging.

Aki

> On June 12, 2017 at 5:58 PM "j.emerlik" wrote:
>
> I need to save that to database because I have more than one mail server
> and they must share each other's failed login attempts information.
> I'll try to check how Dovecot Authentication Policy works.
>
> --JAcek
>
> 2017-06-12 16:50 GMT+02:00 Leonardo Rodrigues:
>
> > On 12/06/17 09:39, j.emerlik wrote:
> >
> >> Failed login attempts information may be useful in the
> >> fight with bruteforce attacks.
> >
> > fail2ban is your friend, it can analyze the logs, no need for saving
> > that on database.
> >
> > --
> > Sincerely,
> > Leonardo Rodrigues
> > Solutti Tecnologia
> > http://www.solutti.com.br
> >
> > My SPAM trap, do NOT send email
> > gertru...@solutti.com.br
> > My SPAMTRAP, do not email it
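Added example, not part of the thread and not code from Dovecot or weakforced: a minimal web service of the kind the reply above says the auth policy API needs, recording source IP, username and time for every reported attempt and refusing a source after repeated failures. The `?command=allow|report` parameter, the `login`/`remote`/`success` fields and the `status` reply follow the Dovecot auth policy documentation linked in this thread and are assumptions as far as this page goes; the table name, thresholds, port and SQLite file are constructed, and a multi-server setup would point every Dovecot at one instance backed by a shared database.

```python
# Added example (not Dovecot code): receiver for auth policy "allow"/"report" calls.
import json, sqlite3, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

WINDOW, MAX_FAILURES = 600, 10   # constructed thresholds: 10 failures per 10 minutes

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS auth_attempts "
               "(ts INTEGER, login TEXT, remote TEXT, success INTEGER)")
    return db

def handle_policy(db, command, attrs, now=None):
    """Process one request body; return the dict to send back as JSON."""
    now = int(now if now is not None else time.time())
    remote = str(attrs.get("remote", ""))
    if command == "report":
        # Sent after every attempt, failed ones included; pwhash is deliberately not stored.
        db.execute("INSERT INTO auth_attempts VALUES (?,?,?,?)",
                   (now, str(attrs.get("login", "")), remote, int(attrs.get("success") is True)))
        db.commit()
        return {}
    if command == "allow":
        (failures,) = db.execute(
            "SELECT COUNT(*) FROM auth_attempts WHERE remote=? AND success=0 AND ts>?",
            (remote, now - WINDOW)).fetchone()
        # status -1 rejects the attempt, 0 lets the passdb lookup proceed.
        return {"status": -1 if failures >= MAX_FAILURES else 0, "msg": ""}
    return {"status": 0, "msg": "unknown command"}

class PolicyHandler(BaseHTTPRequestHandler):
    db = None
    def do_POST(self):
        command = parse_qs(urlparse(self.path).query).get("command", [""])[0]
        try:
            attrs = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
            if not isinstance(attrs, dict):
                raise ValueError("body must be a JSON object")
        except ValueError:
            self.send_error(400)
            return
        reply = json.dumps(handle_policy(self.db, command, attrs)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":
    PolicyHandler.db = open_db("auth_attempts.db")
    HTTPServer(("127.0.0.1", 4001), PolicyHandler).serve_forever()
```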
Re: Log authentication attempts
I need to save that to database because I have more than one mail server and they must share each other's failed login attempts information. I'll try to check how Dovecot Authentication Policy works.

--JAcek

2017-06-12 16:50 GMT+02:00 Leonardo Rodrigues:

> On 12/06/17 09:39, j.emerlik wrote:
>
>> Failed login attempts information may be useful in the
>> fight with bruteforce attacks.
>
> fail2ban is your friend, it can analyze the logs, no need for saving
> that on database.
>
> --
> Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> My SPAM trap, do NOT send email
> gertru...@solutti.com.br
> My SPAMTRAP, do not email it
Re: Log authentication attempts
On 12/06/17 09:39, j.emerlik wrote:

> Failed login attempts information may be useful in the fight with bruteforce attacks.

fail2ban is your friend, it can analyze the logs, no need for saving that on database.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
Re: Log authentication attempts
>> On June 12, 2017 at 3:39 PM "j.emerlik" wrote:
>> We also have the same problem, now we are running Dovecot 2.2.30.2 and also use
>> Dovecot SASL for SMTP authentication (postfix 2.11).
>> We need to save all failed login attempts to database as source IP address,
>> username and date and time but post-login script can do this but only after
>> successful login. Failed login attempts information may be useful in the
>> fight with bruteforce attacks.
>> Is it possible to execute some script after failed login ("Password
>> mismatch")?
>> Regards,
>> Jacek

AT> You can try to do this using our auth policy API. See
AT> https://wiki2.dovecot.org/Authentication/Policy

If you do get this working [logging failed auths] I'd personally be very interested in your script so we could reproduce it in our environment too. If you'd be willing to share, I'd be grateful. [I'm pretty sure others would be too.]

-Greg
Re: Log authentication attempts
> On June 12, 2017 at 3:39 PM "j.emerlik" wrote:
>
> We also have the same problem, now we are running Dovecot 2.2.30.2 and also use
> Dovecot SASL for SMTP authentication (postfix 2.11).
> We need to save all failed login attempts to database as source IP address,
> username and date and time but post-login script can do this but only after
> successful login. Failed login attempts information may be useful in the
> fight with bruteforce attacks.
> Is it possible to execute some script after failed login ("Password
> mismatch")?
>
> Regards,
> Jacek

You can try to do this using our auth policy API. See https://wiki2.dovecot.org/Authentication/Policy

It will report both successful and unsuccessful authentication with fields you specify.

Aki
Re: Log authentication attempts
We also have the same problem, now we are running Dovecot 2.2.30.2 and also use Dovecot SASL for SMTP authentication (postfix 2.11).

We need to save all failed login attempts to database as source IP address, username and date and time but post-login script can do this but only after successful login. Failed login attempts information may be useful in the fight with bruteforce attacks.

Is it possible to execute some script after failed login ("Password mismatch")?

Regards,
Jacek
Re: Log authentication attempts
> On January 25, 2017 at 12:24 AM Joseph Tam wrote:
>
> On 24.01.2017 00:06, rej ex wrote:
>
> > Because we are building some monitoring application, we will need to
> > record all failed and successful login attempts. We need to record
> > remote IP, entered password in plain text, and if possible whether auth
> > request is for SMTP or IMAP session.
>
> SMTP? Wouldn't that be handled by your MTA, not Dovecot?
>
> Aki Tuomi wrote:
>
> > Since 2.2.27 we've had auth policy server support which can do this
> > properly.
>
> As I read the docs, the auth policy server would only get the hashed
> password, and wouldn't be able to record the plaintext password.
>
> Maybe use the checkpassword hook?
>
> http://wiki.dovecot.org/AuthDatabase/CheckPassword
>
> Joseph Tam

So it would seem if you don't read it carefully.

auth_policy_request_attributes: Request attributes specification (see attributes section below)
Default: auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}

I invite you to consider what would happen if you were to replace %{hashed_password} with %{password}?

Aki
Re: Log authentication attempts
On 24.01.2017 00:06, rej ex wrote:

> Because we are building some monitoring application, we will need to
> record all failed and successful login attempts. We need to record
> remote IP, entered password in plain text, and if possible whether auth
> request is for SMTP or IMAP session.

SMTP? Wouldn't that be handled by your MTA, not Dovecot?

Aki Tuomi wrote:

> Since 2.2.27 we've had auth policy server support which can do this
> properly.

As I read the docs, the auth policy server would only get the hashed password, and wouldn't be able to record the plaintext password.

Maybe use the checkpassword hook?

http://wiki.dovecot.org/AuthDatabase/CheckPassword

Joseph Tam
Re: Log authentication attempts
Since 2.2.27 we've had auth policy server support which can do this properly.

Aki

On 24.01.2017 00:06, rej ex wrote:
> Hi everyone,
>
> We are running Dovecot 2.2.9 as a primary IMAP server. Also we use Dovecot
> SASL for SMTP authentication.
>
> Because we are building some monitoring application, we will need to record
> all failed and successful login attempts. We need to record remote IP,
> entered password in plain text, and if possible whether auth request is for
> SMTP or IMAP session.
>
> I checked http://wiki.dovecot.org/PostLoginScripting and noticed that
> post-login scripts are executed only after result_success, but not after
> result_failure (password mismatch).
>
> Also I read http://wiki.dovecot.org/PasswordDatabase where I saw that since
> version 2.2.10 it is possible to control what happens after passdb check, but
> allowed result values don't include executing custom script.
>
> Does anyone know a way to call external binary / script, or at least save a
> record in the database after login attempt without reading the log files?
>
> P.S. there is also a special case. When someone logs in from webmail, remote
> IP is set to webmail's server. In this case, we will log the attempt from the
> webmail itself, because it has the correct remote IP.
>
> Robin Wood