Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-21 Thread Timo Sirainen
On 30.8.2013, at 20.54, Michael Smith (DF) msm...@datafoundry.com wrote: We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP. Add that on top of load balancing between many servers... We've set up some rules to help, but

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-03 Thread Charles Marcus
On 2013-09-02 5:11 PM, Noel noeld...@gmail.com wrote: It would be a lot easier to deploy if some sort of blocker were built into dovecot -- after X number of failures during Y seconds, fail all future attempts for the account for T seconds. But again, totally blocking all AUTH attempts like

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-03 Thread Noel
On 9/3/2013 5:12 AM, Charles Marcus wrote: Ummm... maybe you didn't read what I wrote? That is what I meant by 'whitelist' in item 1... ;) Yes, I think we're on the same page. On 2013-09-02 9:59 PM, ot...@ahhyes.net ot...@ahhyes.net wrote: Is there any way to limit the number of auth

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-02 Thread Stan Hoeppner
On 9/1/2013 2:59 PM, Noel wrote: On 9/1/2013 10:00 AM, Charles Marcus wrote: ... Wonder if there's a way to leverage Stan Hoeppner's most excellent botnet killer to reject AUTHs from the same types of clients before they even try? The objective of Stan's list is to reject dynamic hosts,

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-02 Thread Charles Marcus
On 2013-09-01 3:59 PM, Noel noeld...@gmail.com wrote: The objective of Stan's list is to reject dynamic hosts, because the overwhelming majority of dynamic hosts trying to send via SMTP are zombies. For dovecot, the situation is quite different. Blocking all dynamic IPs would be an obvious

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-02 Thread Charles Marcus
On 2013-09-02 4:12 AM, Stan Hoeppner s...@hardwarefreak.com wrote: As others have suggested this seems a log clutter issue, nothing more. Well, it would be nice to have some way to stop brute force attacks (rather than just letting one run rampant until the attacker gives up) - ie, attempted

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-02 Thread Charles Marcus
On 2013-09-02 9:35 AM, Charles Marcus cmar...@media-brokers.com wrote: Well, it would be nice to have some way to stop brute force attacks (rather than just letting one run rampant until the attacker gives up) And I left out the obvious ... or worst case, is successful ... - which obviously

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-02 Thread Noel
On 9/2/2013 8:35 AM, Charles Marcus wrote: 2. A blacklist that when triggered (x failed login attempts in x seconds), doesn't try to block the IP, but rather prevents login attempts for that user account from even reaching the AUTH stage - *unless* the IP in question is in the whitelist. The

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-01 Thread Charles Marcus
On 2013-08-30 7:55 PM, Joseph Tam jtam.h...@gmail.com wrote: Michael Smith writes: We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP. Yeah, distributed BFDs are tough to block unless you can characterize the clients well.

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-01 Thread LuKreme
On 01 Sep 2013, at 09:00 , Charles Marcus cmar...@media-brokers.com wrote: On 2013-08-30 7:55 PM, Joseph Tam jtam.h...@gmail.com wrote: Michael Smith writes: We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP. Yeah,

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-09-01 Thread Noel
On 9/1/2013 10:00 AM, Charles Marcus wrote: On 2013-08-30 7:55 PM, Joseph Tam jtam.h...@gmail.com wrote: Michael Smith writes: We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP. Yeah, distributed BFDs are tough to block

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-08-30 Thread Michael Smith (DF)
hundreds of thousands of spam. -Original Message- From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On Behalf Of Joseph Tam Sent: Thursday, August 22, 2013 11:30 PM To: dovecot@dovecot.org Subject: Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-08-30 Thread Joseph Tam
Michael Smith writes: We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP. Yeah, distributed BFDs are tough to block unless you can characterize the clients well. That leaves us back to getting dovecot to log the tried

[Dovecot] Logging passwords on auth failure/dealing with botnets

2013-08-22 Thread Michael Smith (DF)
Hi, Since upgrading our mail servers to Postfix/Dovecot, we've seen a rather large increase in botnet brute force password attacks. I guess our old servers were too slow to suit their needs. Now, when they hit upon a valid user, it's easy to see what passwords they are trying (we've enabled

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-08-22 Thread /dev/rob0
On Thu, Aug 22, 2013 at 04:16:51PM +, Michael Smith (DF) wrote: Or another option, is there any good DNS based RBLs for botnet IPs, and is there any way to tie that in to the dovecot auth system? I've been looking for botnet rbls, but what I've found so far doesn't seem to work very

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-08-22 Thread dovecotmail
Have you or anyone else tried fail2ban? I haven't had any break-in attempts since going to Dovecot yet, but with qpopper it didn't work very well unless it hit an actual user on the server. Then it would block the IP for a predetermined set amount of hits on that username then it block for the

Re: [Dovecot] Logging passwords on auth failure/dealing with botnets

2013-08-22 Thread Joseph Tam
Michael Smith (DF) writes: Or another option, is there any good DNS based RBLs for botnet IPs, and is there any way to tie that in to the dovecot auth system? I've been looking for botnet rbls, but what I've found so far doesn't seem to work very well. Most of the IPs that I've had to firewall