byalefp at yahoo.com.br
2020-Apr-22 21:52 UTC
Recommendations on intrusion prevention/detection?
Usually I use pfSense as the main firewall, with Snort blocking all kinds of scans and the like.

Fail2ban triggers after 3 unsuccessful tries, and lastly iptables if Linux or ipfw if FreeBSD.

Keeping pfSense synced with intrusion lists is a must-have.

And lastly, bans are not temporary on my setup; they are forever, except if a real user, after validating his info/data, calls to be unblocked.

There are some guides around about dealing with postscreen, but I never got that working... RBL and Spamhaus lists on the mail server and on DNS are another must-have.

Good luck

Best regards,

Alexandre Fernandes Pedrosa

-------
Visit: https://alexandrepedrosa.com

PGP Key: https://alexandrepedrosa.com/keys/0xE830E3336A873BE6.asc

Fingerprint: 4D63 0DEC FDA4 A8D3 DF75 94DB E830 E333 6A87 3BE6

This message, including its attachments, is confidential and its contents are restricted to the addressee. If you have received this message in error, please reply to the e-mail and delete it from your files. Any unauthorized use or dissemination of this message or any part of it is expressly prohibited.

Note: "The contents of this e-mail are confidential and may be privileged. This e-mail is intended for the exclusive use of the addressee(s) stated under. If you are not the intended addressee, please contact us immediately and delete this message from your computer; you should not copy this e-mail or disclose its contents to any other person."

On 22 Apr 2020 09:29, Johannes Rohr <johannes@rohr.org> wrote:
> Dear all,
>
> what are the key strategies for intrusion prevention and detection with
> dovecot, apart from installing fail2ban?
> It is a pity that the IMAP protocol does not support 2-factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks. Without it, if someone has obtained your password and reads your
> mail without modifying it, you will hardly ever notice.
>
> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?
>
> Cheers,
>
> Johannes
I have PFSense too and it rocks!

> On Apr 22, 2020, at 14:52, byalefp at yahoo.com.br wrote:
>
> Usually I use pfsense as main firewall with snort blocking all kind of scans and others.
> [...]
Michael Peddemors
2020-Apr-22 22:02 UTC
Recommendations on intrusion prevention/detection?
On 2020-04-22 2:52 p.m., byalefp at yahoo.com.br wrote:
> Usually I use pfsense as main firewall with snort blocking all kind of
> scans and others.
>
> Fail2ban triggering after 3 unsuccessful tries and for last iptables if
> Linux or ipfw If Freebsd
>
> Keep pfsense synced with intrusion lists is an must have.
>
> And for last, bans are not temporary on my setup, are forever, except if
> an real user after validate his info / data calls to unblock him.
>
> There's some guides around about deal with post screen, but never get
> that working... RBL and spamhaus lists on mail server and on DNS are
> another must have.
>
> Good luck
>
> Atenciosamente,

Just one comment.. permanent iptables bans on SSL/TLS authentication ports are no longer a viable option, e.g. you would not want to block the airport's IP just because one person had an infection on his laptop. Carrier-grade NAT, WiFi hotspots etc. would all be affected.

Long term, move towards 2FA; short term, block specific user auth/IP combinations, but that won't happen in iptables. In our case it is proprietary methods, but using a memcache entry is a highly scalable way to record suspicious login attempts with enough information so that you only block the attacker, and not the IP, for varying lengths of time.

Or, as mentioned, temp blocking with fail2ban is an option that is workable and easy for most people.

-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
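Added example (editor's illustration, not code from any of the posters, from LinuxMagic or from Dovecot) of the two ideas raised in this thread: Michael Peddemors's point that the block should key on the user/IP combination with an expiring entry rather than on the bare IP, and Johannes Rohr's question about noticing logins from unusual IP ranges. A dict holding expiry timestamps stands in for the memcache entries he mentions; the log lines are constructed in the style of Dovecot's imap-login messages, and the thresholds (3 failures, 5-minute block that doubles per strike, /16 grouping for "same network") are assumptions, not anything the posters or Dovecot specify.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user rip success")

# Constructed sample lines in the style of Dovecot's imap-login messages, not
# real server output. 198.51.100.7 plays a shared NAT/hotspot address.
SAMPLE_LOG = """\
Apr 22 21:50:01 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS
Apr 22 21:50:03 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS
Apr 22 21:50:05 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS
Apr 22 21:50:09 mx imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS
Apr 22 21:50:30 mx imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS
Apr 22 21:51:00 mx imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.20, lip=10.0.0.1, TLS
Apr 22 21:52:00 mx imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.21, lip=10.0.0.1, TLS
Apr 22 21:53:00 mx imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.99, lip=10.0.0.1, TLS
Apr 22 21:56:00 mx imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS
"""

# Assumed line layout; adapt the pattern to your own log format.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ imap-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def parse(line):
    """Return an Event for a login or auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; 2020 is assumed for the sample above
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2020)
    return Event(ts.timestamp(), m["user"], m["rip"], m["outcome"] == "Login")

class PairThrottle:
    """Failure counter keyed on (user, rip): blocks only that pair, so one infected
    laptop behind a CGNAT or hotspot address does not lock out everyone behind it."""
    def __init__(self, max_failures=3, window=600, base_block=300, max_block=86400):
        self.max_failures, self.window = max_failures, window
        self.base_block, self.max_block = base_block, max_block
        # Dicts with expiry stamps stand in for memcache entries with a TTL.
        self.failures = {}  # (user, rip) -> (count, window_expires_at)
        self.blocks = {}    # (user, rip) -> (blocked_until, strikes)

    def is_blocked(self, user, rip, now):
        entry = self.blocks.get((user, rip))
        return entry is not None and now < entry[0]

    def record_failure(self, user, rip, now):
        """Return the block length in seconds if this failure starts one, else 0."""
        key = (user, rip)
        count, expires = self.failures.get(key, (0, 0))
        if now >= expires:  # counting window lapsed: start afresh
            count = 0
        count += 1
        self.failures[key] = (count, now + self.window)
        if count < self.max_failures:
            return 0
        strikes = self.blocks.get(key, (0, 0))[1] + 1  # block doubles per strike
        length = min(self.base_block * 2 ** (strikes - 1), self.max_block)
        self.blocks[key] = (now + length, strikes)
        del self.failures[key]
        return length

    def record_success(self, user, rip):
        self.failures.pop((user, rip), None)

class NewNetworkDetector:
    """Flags a successful login from a network the user never used before. /16 (IPv4)
    and /32 (IPv6) are assumed stand-ins for an ASN/GeoIP lookup; first login seeds."""
    def __init__(self, v4_prefix=16, v6_prefix=32):
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.known = defaultdict(set)  # user -> {network}

    def observe(self, user, rip):
        addr = ipaddress.ip_address(rip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{rip}/{plen}", strict=False)
        seen = self.known[user]
        is_new = bool(seen) and net not in seen
        seen.add(net)
        return is_new

def process_log(text):
    """Run both checks over log text and return the alerts raised, in order."""
    throttle, detector, alerts = PairThrottle(), NewNetworkDetector(), []
    for ev in filter(None, map(parse, text.splitlines())):
        if throttle.is_blocked(ev.user, ev.rip, ev.ts):
            alerts.append((ev.user, ev.rip, "rejected while blocked"))
        elif ev.success:
            throttle.record_success(ev.user, ev.rip)
            if detector.observe(ev.user, ev.rip):
                alerts.append((ev.user, ev.rip, "login from new network"))
        else:
            secs = throttle.record_failure(ev.user, ev.rip, ev.ts)
            if secs:
                alerts.append((ev.user, ev.rip, f"blocked for {secs}s"))
    return alerts
```

Running `process_log(SAMPLE_LOG)` shows the two properties the thread is after: bob logs in from 198.51.100.7 without any alert while alice's brute-force from that same address is blocked, and the block lapses on its own after five minutes instead of lasting forever; alice's later logins from a /16 she has never used are flagged even though the passwords were correct, which is the only signal you get for the "someone has your password and just reads your mail" case without 2FA. On a real server the throttle's verdict has to be enforced at authentication time rather than after the fact from log parsing; that glue differs per setup and is deliberately left out here.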