Hi Everyone,

Before I begin, I'd just like to mention: I love dovecot. Thank you :)

Anyway, today I had 8000 login attempts to my dovecot server in an hour before blocking the IP with my firewall.

After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.

Would it not be best built into dovecot? Are there any plans for this?

Best Regards,
Ben Cadieux

On Thu, 20 Dec 2007, Ben Cadieux wrote:

> Hi Everyone,
>
> Before I begin, I'd just like to mention: I love dovecot. Thank you :)
>
> Anyway, today I had 8000 login attempts to my dovecot server in an
> hour before blocking the IP with my firewall.
>
> After googling, I didn't see very much discussion on the topic. There
> was some mention of blocksshd which was supposed to support dovecot in
> the next release (but doesn't appear to) and also fail2ban. While a
> script that parses logfiles will work, I'm not sure that this is the
> best way to go about handling repeated authentication failure.
>
> Would it not be best built into dovecot? [...]

I'd vote "no", with the caveat that I don't use any of these tools. Parsing logfiles might make it more brittle, but it also allows the tool to protect many services in a generic way. I don't want to have to protect against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd, PostgreSQL, and whatever else in different config files. It'd be best to handle that one layer up.

Doing it outside of dovecot even allows correlations to be made (e.g. ban sooner if the same IP is trying to break both SSH and FTP). Don't know if the tools *do* this, but still.

That's my 2¢,
Ben Haskell

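An added example, not part of the original thread and not code from fail2ban or any other tool named here: a sketch of the generic log-watching approach argued for in the message above, with the cross-service correlation it mentions (a lower threshold once one IP fails against more than one service). The log line formats, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed failure patterns; adapt them to the formats your services really log.
PATTERNS = {
    "dovecot": re.compile(r"dovecot: \S+-login: Aborted login: .*\brip=(?P<ip>[0-9A-Fa-f.:]+)"),
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9A-Fa-f.:]+) port"),
}
WINDOW = timedelta(minutes=10)
LIMIT_SINGLE, LIMIT_MULTI = 5, 3  # stricter limit once an IP fails on 2+ services

def find_offenders(lines):
    """Return {ip: sorted services probed} for every IP that crossed a limit."""
    recent = defaultdict(deque)  # ip -> (timestamp, service) failures inside WINDOW
    banned = {}
    for line in lines:
        stamp, _, rest = line.partition(" ")
        hit = next(((s, m) for s, p in PATTERNS.items() if (m := p.search(rest))), None)
        if hit is None:
            continue  # not an authentication failure
        try:
            now = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # unparseable timestamp: skip rather than guess
        service, match = hit
        ip = match.group("ip")
        if ip in banned:
            continue  # decision already made for this address
        events = recent[ip]
        events.append((now, service))
        while now - events[0][0] > WINDOW:
            events.popleft()  # forget failures older than the window
        services = {s for _, s in events}
        if len(events) >= (LIMIT_MULTI if len(services) > 1 else LIMIT_SINGLE):
            banned[ip] = sorted(services)
    return banned

# Constructed sample log (documentation-range addresses), not real server output.
D = "2007-12-20T{} mail dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip={}, lip=192.0.2.1"
S = "2007-12-20T{} mail sshd[4242]: Failed password for root from {} port 51234 ssh2"
SAMPLE = [
    D.format("12:00:01", "203.0.113.5"), D.format("12:00:05", "203.0.113.5"),
    S.format("12:01:00", "203.0.113.5"),  # third failure, second service
    *[D.format(f"12:02:0{i}", "198.51.100.7") for i in range(5)],  # fast, one service
    *[D.format(t, "192.0.2.9") for t in ("12:00:00", "12:03:00", "12:20:00", "12:25:00")],
    "2007-12-20T12:30:00 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.9, lip=192.0.2.1",
]
print(find_offenders(SAMPLE))
```

The returned addresses would be handed to the firewall by whatever mechanism the host uses; the slow, spread-out failures from 192.0.2.9 stay under both limits and are not flagged.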
> Hi Everyone,
>
> Before I begin, I'd just like to mention: I love dovecot. Thank you :)
>
> Anyway, today I had 8000 login attempts to my dovecot server in an
> hour before blocking the IP with my firewall.
>
> After googling, I didn't see very much discussion on the topic. There
> was some mention of blocksshd which was supposed to support dovecot in
> the next release (but doesn't appear to) and also fail2ban. While a
> script that parses logfiles will work, I'm not sure that this is the
> best way to go about handling repeated authentication failure.
>
> Would it not be best built into dovecot? Are there any plans for this?

I agree, it would be great to have this built into dovecot. Spammers are getting more creative all the time and are not above using brute force to steal passwords to send spam.

Matt

On 12/20/2007, Matt (lm7812 at gmail.com) wrote:

> I agree, it would be great to have this built into dovecot. Spammers
> are getting more creative all the time and are not above using brute
> force to steal passwords to send spam.

But something like fail2ban will work system wide...

--
Best regards,
Charles

On Thu, 2007-12-20 at 12:28 -0800, Ben Cadieux wrote:

> Would it not be best built into dovecot? Are there any plans for this?

It would be nice if it could be done with Dovecot, but I think it'll have to wait to v2.0. There this could be done with for example a dovecot-auth proxy. The proxy could be done with v1.x too, but it probably gets a bit tricky to get the UNIX sockets created into right places, most likely requiring adding ugly hacks to sources..

> Anyway, today I had 8000 login attempts to my dovecot server in an
> hour before blocking the IP with my firewall.
>
> After googling, I didn't see very much discussion on the topic. There
> was some mention of blocksshd which was supposed to support dovecot in
> the next release (but doesn't appear to) and also fail2ban. While a
> script that parses logfiles will work, I'm not sure that this is the
> best way to go about handling repeated authentication failure.

Cursory scan in the FreeBSD ports tree:

bruteblock for ipfw
bruteforceblocker for pf

mostly aimed at ssh or ftp brute force blocking ...

-bryan bradsby
DIR Capnet
Texas State Government Net
NOC: 512-475-2432 877-472-4848