Re: Spam Blocking by filtering on username / id

2019-09-25 Thread Joseph Tam via dovecot

On Wed, 25 Sep 2019, Plutocrat wrote:

> On 23/09/2019 4:13 PM, Bernd Petrovitsch via dovecot wrote:
>
>> It's not directly a solution within dovecot but "fail2ban" exists.
>
> Yes, I have fail2ban, but that bans based on IP address.  And most mail
> password attacks these days are distributed, and although fail2ban will
> try to spot them it doesn't do a very good job.  I thought denying any
> logins without the @domain.com part would be an additional layer.  I
> understand that there's no way these attempts could log in, it's just
> that there are so many attempts logged, that it fills up 90% of my logs
> with noise, and prevents me from seeing the other important events.
>
>> Are users able to login without the @domain part?
>
> No.  All valid mail accounts are in the form u...@domain.com
>
>> There is also sshguard that will do the same thing.  One of these
>> should probably be running anyway as they help mitigate issues where
>> someone keeps hammering on your system, however in the days of DDOS,
>> they are less helpful than they used to be.
>
> I'll take a look at sshguard, although it looks like it's retroactive
> too: it waits for the events to be logged and then bans based on what
> it finds in the logs.  I was intending to do something more proactive,
> at the dovecot layer, and ideally just silently drop them.  Or throw
> the attempts into a different log perhaps.  Just thinking out loud at
> this point.  For the sake of completeness, there's also my personal
> favourite, CSF, which in my opinion does a better job than fail2ban,
> but still not exactly what I envisaged.
>
>> you can add username_filter = *@domain.com or deny-passdb before
>> actual passdb with username_filter = !*@domain.com
>> https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/


You have 2 distinct issues: security, and voluminous logging.

As you've already stated, it's not a security issue: adding dovecot
configuration won't make your system more resistant to brute
forcing.  It may also exacerbate the logging issue.

It seems to me from reading your description that you want to either 1)
find some way to squelch log entries, either by filtering, or perhaps by
aggregation, or 2) trigger blocking upstream of dovecot (e.g. fail2ban
=> add IP block to local firewall) and relegate it to another access
control mechanism that can better handle voluminous logging.

For distributed BFD, you probably can't pre-empt them, so if even one
attempt per IP is too much to log, you may have to do both.

Joseph Tam 


Re: Spam Blocking by filtering on username / id

2019-09-24 Thread Plutocrat via dovecot
Hi,

Sorry for the delay in replying. Been having a few mail problems ironically! 
Gmail smtp server stopped working! 

On 23/09/2019 4:13 PM, Bernd Petrovitsch via dovecot wrote:
> It's not directly a solution within dovecot but "fail2ban" exists.

Yes, I have fail2ban, but that bans based on IP address. And most mail password 
attacks these days are distributed, and although fail2ban will try to spot them 
it doesn't do a very good job. I thought denying any logins without the 
@domain.com part would be an additional layer. I understand that there's no way 
these attempts could log in, it's just that there are so many attempts logged, 
that it fills up 90% of my logs with noise, and prevents me from seeing the 
other important events. 

> Are users able to login without the @domain part?

No. All valid mail accounts are in the form u...@domain.com 

> There is also sshguard that will do the same thing.
> One of these should probably be running anyway as they help mitigate issues 
> where someone keeps hammering on your system, however in the days of DDOS, 
> they are less helpful than they used to be.

I'll take a look at sshguard, although it looks like it's retroactive too: it 
waits for the events to be logged and then bans based on what it finds in the 
logs. I was intending to do something more proactive, at the dovecot layer, and 
ideally just silently drop them. Or throw the attempts into a different log 
perhaps. Just thinking out loud at this point. 
For the sake of completeness, there's also my personal favourite, CSF, which in 
my opinion does a better job than fail2ban, but still not exactly what I 
envisaged. 

> you can add username_filter = *@domain.com
> or deny-passdb before actual passdb with username_filter = !*@domain.com
> https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/

This is more like what I had in mind. Let me try this out and I'll report back. 

P.


Re: Spam Blocking by filtering on username / id

2019-09-24 Thread Sami Ketola via dovecot


> On 23 Sep 2019, at 8.29, Plutocrat via dovecot  wrote:
> 
> This is probably quite an easy question, but I haven't been able to find the 
> answer. I'm running a server where all the email addresses are in the format 
> "u...@domain.com". I've noticed that a large number of fake login attempts 
> use the format "user" eg. reception, service, root, admin. 
> 
> Is it possible to prevent any such logins to these email users without an 
> @domain.com? Or maybe ignore them. Or drop them from the logging. 
> 
> P.

you can add username_filter = *@domain.com

or deny-passdb before actual passdb with username_filter = !*@domain.com

https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
 


feature has existed since dovecot 2.2.30

Sami
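One way to wire up the deny-passdb variant Sami describes, as an added example rather than configuration taken from the thread: the deny passdb comes first and is consulted only for usernames lacking the @domain.com suffix, so fully qualified users fall straight through to the real passdb. Using the `static` driver with `nopassword=y` and `deny = yes` as a "matches every user it sees" passdb is my assumption, and the SQL passdb below stands in for whatever passdb the server actually uses.

```conf
# Added example (not from the thread). Requires Dovecot >= 2.2.30 for
# username_filter. Assumption: static + nopassword=y makes the lookup
# succeed for any username, and deny = yes then turns that success
# into a rejection, so bare usernames never reach the real passdb.
passdb {
  driver = static
  deny = yes
  args = nopassword=y
  # Negated glob: only usernames NOT matching *@domain.com use this passdb.
  username_filter = !*@domain.com
}

# Real passdb, consulted only for fully qualified usernames.
# Placeholder driver/args; substitute the server's actual passdb.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
  username_filter = *@domain.com
}
```

Verify with `doveadm auth test reception somepass` (rejected without a SQL lookup) against `doveadm auth test u...@domain.com somepass` (reaches the real passdb). As Joseph points out later in the thread, the rejected attempt is still logged as an auth failure, so this trims backend lookups rather than log volume.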



Re: Spam Blocking by filtering on username / id

2019-09-24 Thread @lbutlr via dovecot
On Sep 22, 2019, at 11:29 PM, Plutocrat  wrote:
> This is probably quite an easy question, but I haven't been able to find the 
> answer. I'm running a server where all the email addresses are in the format 
> "u...@domain.com". I've noticed that a large number of fake login attempts 
> use the format "user" eg. reception, service, root, admin. 
> 
> Is it possible to prevent any such logins to these email users without an 
> @domain.com?

Are users able to login without the @domain part?

> Or maybe ignore them. Or drop them from the logging. 

As Bernd said, fail2ban will ban these IPs from repeatedly trying to log in, but 
they will still be logged.

There is also sshguard that will do the same thing.

One of these should probably be running anyway as they help mitigate issues 
where someone keeps hammering on your system, however in the days of DDOS, they 
are less helpful than they used to be.




-- 
MEGAHAL: within my penguin lies a torrid story of hate and love.



Re: Spam Blocking by filtering on username / id

2019-09-23 Thread Bernd Petrovitsch via dovecot
On 23/09/2019 07:29, Plutocrat via dovecot wrote:
> This is probably quite an easy question, but I haven't been able to
> find the answer. I'm running a server where all the email addresses
> are in the format "u...@domain.com". I've noticed that a large number
> of fake login attempts use the format "user" eg. reception, service,
> root, admin. 
> Is it possible to prevent any such logins to these email users without
> an @domain.com? Or maybe ignore them. Or drop them from the logging.

It's not directly a solution within dovecot but "fail2ban" exists.

MfG,
Bernd
-- 
Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
 LUGA : http://www.luga.at