Udo Rader
2008-Dec-06 14:52 UTC
[Dovecot] catching authentication failures with LDAP backend
Hi,

we have recently been hit by a couple of brute force password attacks against dovecot. So what I want to do now is to add dovecot to fail2ban in order to block further attacks.

However, I don't seem to be able to find out password verification failures for our LDAP based user data.

The only thing I see are loads of lines like these in the logfiles:

-------CUT-------
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
-------CUT-------

Googling the web I found that PAM based authentication obviously gives a matchable error message, but for some reasons the ldap backend does not - or does it?

Any pointers highly appreciated :-)

dovecot -n says this:

-------CUT-------
# 1.0.15: /etc/dovecot/dovecot.conf
log_path: /var/log/dovecot.log
protocols: imaps imap pop3
listen: 81.16.98.99
ssl_listen(default): 81.16.98.99
ssl_listen(imap): 81.16.98.99
ssl_listen(pop3):
ssl_cert_file: /etc/bestsolution/ssl/mail.bestsolution.at-cert.pem
ssl_key_file: /etc/bestsolution/ssl/mail.bestsolution.at-key.pem
ssl_parameters_regenerate: 24
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 9
mail_access_groups: mail
mail_privileged_group: mail
default_mail_env: mbox:~/mail/:INBOX=/var/mail/%u
mail_location: mbox:~/mail/:INBOX=/var/mail/%u
mmap_disable: yes
lock_method: dotlock
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %v.%u
auth default:
  mechanisms: plain digest-md5 cram-md5 login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
-------CUT-------

--
Udo Rader, CTO
http://www.bestsolution.at
Udo Rader
2008-Dec-06 17:33 UTC
[Dovecot] catching authentication failures with LDAP backend
Udo Rader wrote:
> Hi,
>
> we have recently been hit by a couple of brute force password attacks
> against dovecot. So what I want to do now is to add dovecot to fail2ban
> in order to block further attacks.
>
> However, I don't seem to be able to find out password verification
> failures for our LDAP based user data.
>
> The only thing I see are loads of lines like these in the logfiles:
>
> -------CUT-------
> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>,
> method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>,
> method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>,
> method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
> -------CUT-------
>
> Googling the web I found that PAM based authentication obviously gives a
> matchable error message, but for some reasons the ldap backend does not
> - or does it?
>
> Any pointers highly appreciated :-)

Solved it myself, changing to "auth_verbose = yes" in dovecot.conf solved it.

Any reasons why this isn't enabled by default?

--
Udo Rader, CTO
http://www.bestsolution.at
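
An added example, not part of the original posts: Python that flags a remote IP cycling through several usernames, using only the "Disconnected:" line format quoted in the first message, so it works on logs written before auth_verbose was switched on. The 10-minute window, the three-username threshold, the year argument and the last two sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format of the login-process lines quoted in the thread (Dovecot 1.0, log_path file).
LINE_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Info: (?:pop3|imap)-login: "
    r"Disconnected: user=<(?P<user>[^>]*)>, method=\S+, "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=\S+"
)

# First three lines are from the thread; the last two are constructed for contrast.
SAMPLE = [
    "dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99",
    "dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99",
    "dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99",
    "dovecot: Nov 30 09:12:03 Info: pop3-login: Disconnected: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=81.16.98.99",
    "dovecot: Nov 30 09:12:05 Info: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=81.16.98.99",
]

def parse(line, year=2008):
    """Return (timestamp, rip, user) for a Disconnected line, else None.
    The log carries no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rip"), m.group("user")

def suspects(lines, window=timedelta(minutes=10), min_users=3):
    """Map each remote IP to the largest number of distinct usernames it
    tried within any `window`, keeping only IPs that reach `min_users`."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for rip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # shrink the window from the left
            distinct = len({user for _, user in evs[start:end + 1]})
            if distinct >= min_users:
                flagged[rip] = max(distinct, flagged.get(rip, 0))
    return flagged

if __name__ == "__main__":
    for rip, n in suspects(SAMPLE).items():
        print(f"{rip}: {n} distinct usernames")
```

A single disconnect from one address, like the constructed 192.0.2.10 line, stays below the threshold, which keeps ordinary client hiccups from being flagged.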