Hi Guys,

Running Dovecot 2 on my server. It is regularly getting dictionary auth attacked. What I have noticed is that once connected to a pop3/imap login session, you can send endless incorrect username+password attempts. This is a problem for me... I use fail2ban to try and stop these script kiddies. The problem is that fail2ban detects the bad auths and firewalls the IP; however, since it's an "established" session, the attacker can keep authing away... It's only on a subsequent (new) connection that the firewalling will take effect.

Why is there no configuration option such as "max auth attempts per connection"? This would be useful, so once the limit is reached, the connection is dropped.

Is there a patch/workaround?
Robert Schetterer
2011-Aug-26 07:59 UTC
[Dovecot] limiting number of incorrect logins per connection
On 26.08.2011 09:25, Alex wrote:
> Hi Guys,
>
> Running Dovecot 2 on my server. It is regularly getting dictionary auth
> attacked. What I have noticed is that once connected to a pop3/imap
> login session, you can send endless incorrect usernames+passwords
> attempts. This is a problem for me... I use fail2ban to try and stop
> these script kiddies. The problem is that fail2ban detects the bad
> auths, firewalls the IP, however, since it's an "established" session,
> the attacker can keep authing away... It's only on a subsequent (new)
> connection that the firewalling will take effect.
>
> Why is there no configuration option such as "max auth attempts per
> connection"? This would be useful, so once the limit is reached, the
> connection is dropped.
>
> is there a patch/workaround?

There were similar questions in the past, i.e. read http://comments.gmane.org/gmane.mail.imap.dovecot/46204

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
alex@ahhyes.net
2011-Aug-26 08:39 UTC
[Dovecot] limiting number of incorrect logins per connection
Hi,

I saw that thread already; however, it does not offer any solution that can be applied to dovecot directly. That thread has also been asleep for well over a year. It couldn't be that hard for the author to implement this function. It would only require a few lines of code.
Timo Sirainen
2011-Aug-26 08:44 UTC
[Dovecot] limiting number of incorrect logins per connection
On 26.8.2011, at 10.25, Alex wrote:
> Running Dovecot 2 on my server. It is regularly getting dictionary auth attacked. What I have noticed is that once connected to a pop3/imap login session, you can send endless incorrect usernames+passwords attempts. This is a problem for me... I use fail2ban to try and stop these script kiddies. The problem is that fail2ban detects the bad auths, firewalls the IP, however, since it's an "established" session, the attacker can keep authing away... It's only on a subsequent (new) connection that the firewalling will take effect.

Umm. If the client hasn't managed to log in in 3 minutes, it's disconnected (no matter what it does with the connection).
alex@ahhyes.net
2011-Aug-27 02:18 UTC
[Dovecot] limiting number of incorrect logins per connection
Thanks for that. I will change it and recompile. Sorry for the grumpiness yesterday in my posts. Was having a bad day.

Is there any chance of there being an option in future versions that allows a number of failed auth attempts to be specified before dropping the connection? In the other thread you mentioned, I see someone devised a small patch in C to add this functionality. It didn't look like a lot of code to do it. What are your thoughts?

----- Reply message -----
From: "Timo Sirainen" <tss at iki.fi>
Date: Sat, Aug 27, 2011 02:30
Subject: [Dovecot] limiting number of incorrect logins per connection
To: "Alex" <alex at ahhyes.net>
Cc: <dovecot at dovecot.org>

login-common/client-common.h:

#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)

So set it to (45*60*1000)

But I don't think there's much of a practical difference between these.

On 26.8.2011, at 12.07, Alex wrote:
> 3 minutes! I think that's too long, how can I drop that down to about 45 seconds?
>
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>> On 26.8.2011, at 10.25, Alex wrote:
>>
>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth attacked. What I have noticed is that once connected to a pop3/imap login session, you can send endless incorrect usernames+passwords attempts. This is a problem for me... I use fail2ban to try and stop these script kiddies. The problem is that fail2ban detects the bad auths, firewalls the IP, however, since it's an "established" session, the attacker can keep authing away... It's only on a subsequent (new) connection that the firewalling will take effect.
>>
>> Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).
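As an added example (not code from this thread, from fail2ban or from Dovecot), the Python script below replays the scenario the thread describes over a constructed log and compares the three controls discussed: a fail2ban-style per-IP rule (maxretry=3 and findtime=600 are assumed settings) bans an address at its third failure, but every later attempt from a connection that was already open still reaches the server; a per-connection cap, the option Alex asks for, cuts each session after a fixed number of attempts regardless of how fast they arrive; and the login timeout Timo describes (CLIENT_LOGIN_TIMEOUT_MSECS, 3 minutes by default) only cuts sessions that stay open long enough, so a session trying a password every 2 seconds is untouched even by a 45-second timeout. The log line layout, the session ids and all addresses are constructed for the example; real Dovecot log lines differ, so LINE_RE has to be adapted before pointing this at an actual log. Since that define is in milliseconds, a 45-second timeout corresponds to 45*1000.

```python
"""Replay of the thread's scenario over a constructed Dovecot-style log.
Added example: not code from the thread, from fail2ban or from Dovecot."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The layout (timestamp, user, rip, session id)
# is an assumption made for this example, not Dovecot's actual log format.
SAMPLE_LOG = """\
2011-08-26 09:00:00 imap-login: auth failed user=<admin> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:02 imap-login: auth failed user=<root> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:04 imap-login: auth failed user=<test> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:06 imap-login: auth failed user=<info> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:08 imap-login: auth failed user=<sales> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:10 imap-login: auth failed user=<mail> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:12 imap-login: auth failed user=<webmaster> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:14 imap-login: auth failed user=<postmaster> rip=198.51.100.7 session=<c1>
2011-08-26 09:00:30 imap-login: auth failed user=<alice> rip=203.0.113.5 session=<c2>
2011-08-26 09:05:00 imap-login: auth failed user=<admin> rip=192.0.2.9 session=<c3>
2011-08-26 09:05:40 imap-login: auth failed user=<root> rip=192.0.2.9 session=<c3>
2011-08-26 09:06:20 imap-login: auth failed user=<test> rip=192.0.2.9 session=<c3>
2011-08-26 09:07:00 imap-login: auth failed user=<info> rip=192.0.2.9 session=<c3>
2011-08-26 09:07:40 imap-login: auth failed user=<sales> rip=192.0.2.9 session=<c3>
2011-08-26 09:08:20 imap-login: auth failed user=<mail> rip=192.0.2.9 session=<c3>
2011-08-26 09:09:00 imap-login: auth failed user=<webmaster> rip=192.0.2.9 session=<c3>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*auth failed "
    r"user=<(?P<user>[^>]*)> rip=(?P<rip>\S+) session=<(?P<session>[^>]+)>$"
)


def parse_log(text):
    """Return failed-auth events as (timestamp, rip, session, user) tuples, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not auth failures are ignored
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["rip"], m["session"], m["user"]))
    return events


def fail2ban_ban_times(events, maxretry=3, findtime=600):
    """Timestamp at which a fail2ban-style per-IP rule (maxretry failures within
    findtime seconds) would ban each source IP; IPs never banned are absent."""
    recent = defaultdict(list)
    bans = {}
    for ts, rip, _session, _user in events:
        if rip in bans:
            continue
        window = [t for t in recent[rip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[rip] = window
        if len(window) >= maxretry:
            bans[rip] = ts
    return bans


def attempts_after_ban(events, bans):
    """Failures per IP logged strictly after its ban. They ride on a connection
    that was already open, which is the gap the original post describes."""
    counts = defaultdict(int)
    for ts, rip, _session, _user in events:
        if rip in bans and ts > bans[rip]:
            counts[rip] += 1
    return dict(counts)


def prevented_by_connection_cap(events, max_attempts):
    """Attempts per session that a 'drop after max_attempts failures' rule
    (the option asked for in the thread) would never have let through."""
    seen = defaultdict(int)
    prevented = defaultdict(int)
    for _ts, _rip, session, _user in events:
        seen[session] += 1
        if seen[session] > max_attempts:
            prevented[session] += 1
    return dict(prevented)


def prevented_by_login_timeout(events, timeout_secs):
    """Attempts per session at or after first_seen + timeout, i.e. what a login
    timeout of timeout_secs seconds (CLIENT_LOGIN_TIMEOUT_MSECS / 1000) cuts off."""
    first = {}
    prevented = defaultdict(int)
    for ts, _rip, session, _user in events:
        first.setdefault(session, ts)
        if ts - first[session] >= timedelta(seconds=timeout_secs):
            prevented[session] += 1
    return dict(prevented)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    bans = fail2ban_ban_times(ev)
    print("fail2ban bans:", bans)
    print("attempts after ban (already-open connections):", attempts_after_ban(ev, bans))
    print("cut by a 5-attempt connection cap:", prevented_by_connection_cap(ev, 5))
    print("cut by the 180 s login timeout:", prevented_by_login_timeout(ev, 180))
    print("cut by a 45 s login timeout:", prevented_by_login_timeout(ev, 45))
```

On the constructed log, 198.51.100.7 is banned at its third failure but gets five more attempts through on session c1, and 192.0.2.9 gets four more on c3; a cap of 5 attempts per connection removes three attempts from c1 and two from c3, while a 45-second timeout removes five from the slow session c3 and nothing at all from the fast session c1.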