Dear all,

what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban?

It is a pity that the IMAP protocol does not support two-factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice.

Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?

Cheers,

Johannes
> On 22/04/2020 15:29 Johannes Rohr <johannes at rohr.org> wrote:
>
> Dear all,
>
> what are the key strategies for intrusion prevention and detection with
> dovecot, apart from installing fail2ban?
> It is a pity that the IMAP protocol does not support two-factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks. Without it, if someone has obtained your password and reads your
> mail without modifying it, you will hardly ever notice.
>
> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?
>
> Cheers,
>
> Johannes

One suggestion is to use dovecot's auth policy feature, which works with e.g. weakforced to apply such restrictions.

Aki
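To make the auth policy suggestion concrete, here is an added example (not code from the thread, from Dovecot or from weakforced) of the decision logic a small policy server could run to answer the "logins from unusual IP ranges" question. The protocol shape is my reading of the Dovecot auth policy documentation and should be verified against your version: Dovecot POSTs one JSON object per authentication attempt to `auth_policy_server_url` (fields such as `login`, `remote`, `protocol`, `pwhash`, `device_id`, plus a boolean `success` in the post-authentication report) and expects `{"status": N, "msg": "..."}` back, where 0 allows, a negative status rejects and a positive status delays the login by that many seconds. The per-user networks, the failure thresholds, the generic-account list and the sample addresses are all constructed for the example.

```python
"""Decision logic for a Dovecot auth policy server (added example, not
Dovecot or weakforced code).  Protocol assumptions, per my reading of the
Dovecot auth policy docs: one JSON object per attempt, "success" present
only in the post-auth report, response {"status": N, "msg": ...} with
0 = allow, <0 = reject, >0 = tarpit N seconds.  The policy itself
(per-user source networks, per-IP failure budget, generic-name reject
list) and all sample data are this example's own."""
import ipaddress
import json
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical per-user policy: listed users may only log in from these
# networks; users without an entry are allowed from anywhere.
ALLOWED_NETWORKS = {
    "alice": [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8::/32")],
}
# Names that exist nowhere in the passdb but are probed constantly.
GENERIC_ACCOUNTS = {"root", "admin", "test", "info", "postmaster", "user"}
FAIL_WINDOW = 600   # seconds of failure history kept per client IP
TARPIT_AFTER = 2    # failures before responses are delayed
REJECT_AFTER = 5    # failures before the IP is rejected outright


class PolicyState:
    """In-memory failure tracking.  A real deployment shares this state
    between workers (a small DB, or weakforced); 'now' is injectable for tests."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(deque)   # client ip -> failure timestamps

    def _recent_failures(self, key):
        q = self.failures[key]
        cutoff = self.now() - FAIL_WINDOW
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def handle(self, req):
        """Return the response object for one policy request."""
        login = str(req.get("login", "")).strip().lower()
        try:
            remote = ipaddress.ip_address(req.get("remote", ""))
        except ValueError:
            return {"status": -1, "msg": "policy: unparsable client address"}
        key = str(remote)

        # Post-auth report: bookkeeping only, never a decision.
        if "success" in req:
            if not req["success"]:
                self.failures[key].append(self.now())
            return {"status": 0, "msg": "recorded"}

        # Pre-auth check, cheapest and most specific rules first.
        if login in GENERIC_ACCOUNTS:
            return {"status": -1, "msg": "policy: generic account name"}
        recent = self._recent_failures(key)
        if recent >= REJECT_AFTER:
            return {"status": -1, "msg": "policy: too many failures from %s" % key}
        nets = ALLOWED_NETWORKS.get(login)
        if nets is not None and not any(remote in n for n in nets):
            return {"status": -1, "msg": "policy: %s from unusual network %s" % (login, key)}
        if recent >= TARPIT_AFTER:
            return {"status": recent, "msg": "policy: tarpit %d s" % recent}
        return {"status": 0, "msg": "ok"}


STATE = PolicyState()


class PolicyHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end.  Bind it to localhost or put it behind TLS
    and an API header; Dovecot can send one via auth_policy_server_api_header."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            req = json.loads(self.rfile.read(length) or b"{}")
            resp = STATE.handle(req)
        except (ValueError, TypeError):
            resp = {"status": -1, "msg": "policy: bad request"}
        body = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Dovecot side (assumed): auth_policy_server_url = http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

The ordering matters: the network rule is checked before tarpitting so that a legitimate user from an allowed network is never slowed down by someone else's failures, while the per-IP failure budget is checked before the network rule so that a brute-forcer cannot learn which usernames have network restrictions from the different rejection messages (only the message text differs; Dovecot shows the client a generic failure either way).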
My email server is set up for port 587. I block all email ports other than port 25 from countries that I will not be sending or receiving email. This is really only practical on a personal server. I also have a blocking file of data center IPs. Port 25 is still open to the world but that has to be the case. Firewalls are a bit RAM intensive but not CPU intensive.

I am not saying this is perfect. Rather I have reduced the number of jerks that can access my email.

Prior to running my own email server, I used a hosted service. I got hacked from an exploit in roundcube from Morocco. I don't use webmail and while I'm sure Morocco is a fine country, I don't need email access from there. This is why I now run my own email.

-------- Original Message --------
From: johannes at rohr.org
Sent: April 22, 2020 5:30 AM
To: dovecot at dovecot.org
Subject: Recommendations on intrusion prevention/detection?

Dear all,

what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban?

It is a pity that the IMAP protocol does not support two-factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice.

Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?

Cheers,

Johannes
Michael Peddemors
2020-Apr-22 16:14 UTC
Recommendations on intrusion prevention/detection?
On 2020-04-22 5:29 a.m., Johannes Rohr wrote:
> Dear all,
>
> what are the key strategies for intrusion prevention and detection with
> dovecot, apart from installing fail2ban?
> It is a pity that the IMAP protocol does not support two-factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks. Without it, if someone has obtained your password and reads your
> mail without modifying it, you will hardly ever notice.
>
> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?
>
> Cheers,
>
> Johannes

For the record, there is a patch pending which would allow dovecot to support CLIENTID two-factor authentication.

https://github.com/dovecot/core/pull/86

(Please add your comments that you want to see this committed)

Also, a very powerful tool is to implement country authentication restrictions on a per user basis.

As well, make sure that you deprecate old-fashioned POP/IMAP sending unencrypted login information.

The three most common attack vectors (and attack volumes have never been higher) are:

* Sniffed unencrypted credentials
  (Assume every home wifi router and CPE equipment are compromised ;)
* Re-used passwords where data is exposed from another site's breach
  (Users WANT to re-use passwords, this is where 2FA shines)
* Weak passwords
  (Users like using weak passwords, so implement password restrictions)

Hackers are still brute forcing in incredible numbers, using the loosest 1012 passwords (or a smaller subset of about 64 patterns). If you have a user with a <username|domain>NNNN password, a < 8 char numeric, or one of the following, it is only a matter of time before it is compromised.

000000 111111 123123 123456 12345678 222222 333333 444444 555555 666666 696969 777777 888888 999999 abc123456 admin asdfgh asshole batman cheese fuckme fuckyou iloveu iloveyou letmein love master password princess P at ssw0rd qwerty secret sunshine superman trustno1

And of course, implement STRICT outbound rate limiters on all users.

-- 
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
> On 22. Apr 2020, at 19.14, Michael Peddemors <michael at linuxmagic.com> wrote:
> The three most common attack vectors, (and attack volumes have never been higher) are:
>
> * Sniffed unencrypted credentials
> (Assume every home wifi router and CPE equipment are compromised ;)
> * Re-used passwords where data is exposed from another site's breach
> (Users WANT to re-use passwords, this is where 2FA shines)
> * Weak Passwords
> (Users like using weak passwords, so implement password restrictions)

Actually by far the biggest source of stolen credentials is viruses/trojans harvesting them.

Sami
On Wed, 22 Apr 2020, Johannes Rohr wrote:
> It is a pity that the IMAP protocol does not support 2 factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks.

You could use VPN, which can enforce 2FA.

You can hack 2FA into IMAP or any protocol where you can control the backend authenticator. It's easier with time-based OTP (TOTP) token generators. Authenticate using the usual username and the concatenation of (user-password)(otp-token), then invalidate the otp-token to foil replay attacks. The backend will have to split the credentials into individual factors that can be checked separately.

> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?

Start by defining "unusual". Once you have a characterization of unusual, implement the detection. For example,

- more than <n> failures?
- attempt to authenticate to non-existent generic accounts e.g. "root"?
- weird time of day?
- authentication from implausible geographic regions (e.g. Chad)?
- logins from multiple geolocations in short time frames?

As the saying goes regarding the value of prevention vs cure, enforce good security habits for your users: password strength, endpoint malware protection, skepticism, etc.

Joseph Tam <jtam.home at gmail.com>
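The (password)(otp-token) scheme from the reply above, worked through as an added example that is not code from the thread or from Dovecot: the client types the static password immediately followed by the current TOTP code into the ordinary IMAP password field, and the backend splits the last `digits` characters off as the second factor, checks the password hash, checks the code against a small clock window, and records the accepted counter so the same code cannot be replayed. TOTP is implemented per RFC 6238 (HMAC-SHA1, 30-second steps) and checked against the RFC's own test vectors; password storage uses PBKDF2-HMAC-SHA256. How this verifier is wired into Dovecot (for instance behind a checkpassword or Lua passdb) is assumed and not shown; the user, password and secret below are constructed.

```python
"""Two-factor login over plain IMAP by concatenating (password)(TOTP code)
in the password field.  Added example, not Dovecot code.  TOTP per RFC 6238
(HMAC-SHA1, 30 s steps, RFC test vectors in the tests), passwords stored as
PBKDF2-HMAC-SHA256.  The backend splits the factors, verifies each, and
invalidates an accepted code so that a sniffed credential cannot be replayed.
Hooking it into Dovecot (checkpassword/Lua passdb) is assumed, not shown."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class TotpBackend:
    """Verifies 'password + TOTP code' credentials and refuses replays."""

    def __init__(self, digits=6, step=30, window=1, now=time.time):
        self.digits, self.step, self.window, self.now = digits, step, window, now
        self.users = {}   # user -> (salt, pbkdf2 hash, totp secret)
        self.used = {}    # user -> set of counters already accepted

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._pw_hash(password, salt), totp_secret)
        self.used[user] = set()

    def verify(self, user: str, credential: str) -> bool:
        rec = self.users.get(user)
        if rec is None or len(credential) <= self.digits:
            return False
        salt, pw_hash, secret = rec
        # Split the factors: the code is always the trailing `digits` characters,
        # so passwords may themselves end in digits without ambiguity.
        password, code = credential[:-self.digits], credential[-self.digits:]
        # Factor 1: static password, compared in constant time via its hash.
        if not hmac.compare_digest(self._pw_hash(password, salt), pw_hash):
            return False
        if not code.isdigit():
            return False
        # Factor 2: TOTP within +/- window steps, skipping counters already spent.
        now_counter = int(self.now() // self.step)
        for c in range(now_counter - self.window, now_counter + self.window + 1):
            if c in self.used[user]:
                continue
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                # Invalidate this code, and drop counters that can no longer match.
                self.used[user].add(c)
                self.used[user] = {u for u in self.used[user]
                                   if u >= now_counter - self.window}
                return True
        return False
```

Two details are easy to get wrong: the split must be anchored at the end of the string (a fixed-length code after a variable-length password) rather than at a separator the password might contain, and the replay cache must be keyed per user and per counter, not just "last code seen", or an attacker who captured a code in step N could still use it after the user logs in with step N+1.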
On 22/04/2020 20.29, Johannes Rohr wrote:
> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?

I'd generally set up a short ban on logins originally, and then a second, longer ban for 'repeat offenders'. You basically look through the fail2ban log, and if an IP has been banned, say, 5 times in 24 hours, then you ban it for a much longer time.

Here's one example. There are others.

https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning

P.
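The counting step described above ("banned 5 times in 24 hours"), as an added example that is neither part of the thread nor taken from the linked project: it parses fail2ban's own `fail2ban.actions ... NOTICE [jail] Ban <ip>` log lines, finds the largest number of bans any IP collected inside a sliding 24-hour window, and emits `ipset add` lines for a long-lived set that one firewall rule can drop. The log lines are constructed, and the set name and timeout are assumptions. fail2ban also ships a `recidive` jail that does this counting in-process; the script below is the stand-alone equivalent for people who want to see or tune the logic.

```python
"""Find fail2ban repeat offenders: IPs banned at least `threshold` times
within any sliding `window`.  Added example, not part of the thread or of
the linked project.  Log format matches fail2ban's own log; sample lines
are constructed.  Output is ipset commands for a long-lived drop list."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)"
)

# Constructed sample of a fail2ban log: one IP banned six times in ~25 h
# (five of them inside a 24 h window), another banned twice.
SAMPLE_LOG = """\
2020-04-23 00:10:02,113 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2020-04-23 00:20:02,201 fail2ban.actions        [812]: NOTICE  [dovecot] Unban 198.51.100.7
2020-04-23 03:10:41,007 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2020-04-23 05:00:00,500 fail2ban.actions        [812]: NOTICE  [postfix] Ban 203.0.113.9
2020-04-23 08:10:09,330 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2020-04-23 13:10:55,002 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2020-04-23 18:00:00,001 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.9
2020-04-23 20:10:17,919 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2020-04-24 01:10:44,478 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
"""


def parse_bans(lines):
    """Yield (timestamp, jail, ip) for every Ban line; Unban and noise are skipped."""
    for line in lines:
        m = BAN_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"]


def repeat_offenders(lines, threshold=5, window=timedelta(hours=24), jails=None):
    """Return {ip: max bans inside any `window`} for IPs that reach `threshold`.
    `jails` optionally restricts counting to the named jails."""
    bans = defaultdict(list)
    for ts, jail, ip in parse_bans(lines):
        if jails is None or jail in jails:
            bans[ip].append(ts)
    result = {}
    for ip, times in bans.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[ip] = best
    return result


def ipset_commands(offenders, set_name="f2b-repeat", timeout=30 * 86400):
    """Shell lines for an ipset (name and timeout assumed) that a single
    iptables/nftables rule can drop; -exist makes re-runs idempotent."""
    return ["ipset add %s %s timeout %d -exist" % (set_name, ip, timeout)
            for ip in sorted(offenders)]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for cmd in ipset_commands(repeat_offenders(lines)):
        print(cmd)
```

Run it against `/var/log/fail2ban.log` from cron, or pipe the result into a `recidive`-style jail's action; the sliding window matters because a fixed calendar day lets an attacker who is banned at 23:00 and again at 01:00 start each day with a clean count.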