Hi, new to the list, but we are a long-time user of Dovecot via the DirectAdmin control panel.

We, like everyone else, are seeing an increase in dictionary attacks on POP/IMAP. We want to block them.

I've searched the mailing list and found a few who recommended fail2ban, which really won't work for our case. We need to do this over many machines and not one or two. We also like to gather info at the network-wide level. Hackers know about attacking specific servers/IPs too often, and we've seen much more distributed attacks that go under the radar of a one-server monitoring setup.

We've designed our own system and use a local RBL to distribute the blocked IPs. For FTP and SSH attacks it's worked very well. We would like to use the RBL to do the same with Dovecot.

From my research it appears the best way to do this (and the only one currently) is with the checkpassword option. I haven't gotten it to work yet. We have:

    passdb checkpassword {
      args = /usr/local/bin/checkpassword
      deny = yes
    }

as the first auth. This should reject the connection if the IP matches. checkpassword can see the TCPREMOTEIP environment variable.

In the checkpassword script we have:

    #!/usr/bin/perl

    # Read "user\0password\0timestamp\0" from fd 3, the checkpassword input channel.
    sub read_uinfo {
        my ($user, $passwd, $apop_ts);
        open X, "<&=3" or exit 111;
        $_ = <X>;
        # ugly; should use sysread instead
        ($user, $passwd, $apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
        while (<X>) {}
        close X;
        return ($user, $passwd, $apop_ts);
    }

    ($user, $passwd, $apop_ts) = $debug ? (shift, shift, shift) : read_uinfo;

    # Ask our local RBL about the client address Dovecot hands us.
    $ipaddr = $ENV{TCPREMOTEIP};
    $result = system("/usr/sbin/checkdnsbl $ipaddr");
    if ($result == 0) {
        @ENV{"SHELL", "USER", "HOME"} = ($shell, $user, $home);
        exit 0;
    }
    else {
        exit 1;
    }

My questions are as follows:
- Can deny = yes be used with checkpassword?
- What am I doing wrong with the script? It should reject only the connections that are in the RBL. It blocks all.

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 15 Jun 2008 19:04:05 -0400
> From: "Larry Ludwig" <larrylud at gmail.com>
> Subject: [Dovecot] Using checkpassword to block ips?
> To: <dovecot at dovecot.org>
> Message-ID: <000601c8cf3c$1cd11130$0605a8c0 at tank>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi, new to the list, but we are a long-time user of Dovecot via the DirectAdmin control panel.
>
> We, like everyone else, are seeing an increase in dictionary attacks on POP/IMAP. We want to block them.
>
> I've searched the mailing list and found a few who recommended fail2ban, which really won't work for our case. We need to do this over many machines and not one or two. We also like to gather info at the network-wide level. Hackers know about attacking specific servers/IPs too often, and we've seen much more distributed attacks that go under the radar of a one-server monitoring setup.
>
> We've designed our own system and use a local RBL to distribute the blocked IPs. For FTP and SSH attacks it's worked very well. We would like to use the RBL to do the same with Dovecot.
>
> From my research it appears the best way to do this (and the only one currently) is with the checkpassword option. I haven't gotten it to work yet. We have:
>
>     passdb checkpassword {
>       args = /usr/local/bin/checkpassword
>       deny = yes
>     }
>
> as the first auth. This should reject the connection if the IP matches. checkpassword can see the TCPREMOTEIP environment variable.
>
> In the checkpassword script we have:
>
>     #!/usr/bin/perl
>
>     sub read_uinfo {
>         my ($user, $passwd, $apop_ts);
>         open X, "<&=3" or exit 111;
>         $_ = <X>;
>         # ugly; should use sysread instead
>         ($user, $passwd, $apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
>         while (<X>) {}
>         close X;
>         return ($user, $passwd, $apop_ts);
>     }
>
>     ($user, $passwd, $apop_ts) = $debug ? (shift, shift, shift) : read_uinfo;
>
>     $ipaddr = $ENV{TCPREMOTEIP};
>     $result = system("/usr/sbin/checkdnsbl $ipaddr");
>     if ($result == 0) {
>         @ENV{"SHELL", "USER", "HOME"} = ($shell, $user, $home);
>         exit 0;
>     }
>     else {
>         exit 1;
>     }
>
> My questions are as follows:
> - Can deny = yes be used with checkpassword?
> - What am I doing wrong with the script? It should reject only the connections that are in the RBL. It blocks all.

Bump.. No one can help with this setup or issue?

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/
On Sun, 2008-06-15 at 19:04 -0400, Larry Ludwig wrote:
> if ($result == 0) {
>     @ENV{"SHELL", "USER", "HOME"} = ($shell, $user, $home);
>     exit 0;
> }
> else {
>     exit 1;
> }

1) If you want to allow the user, the deny=yes passdb check must fail. So exit with 1 in that case.

2) With deny=yes Dovecot doesn't care about shell or home. USER is most likely also useless unless your check changes it.

3) If you want to block the user, the checkpassword must succeed. exit 0 doesn't mean success. You have to execute the checkpassword-reply binary as specified by http://wiki.dovecot.org/PasswordDatabase/CheckPassword
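The three points above, put together in one script. This is an added example, not Larry's script and not code shipped by Dovecot: a checkpassword helper for the `deny = yes` passdb that reads the credentials Dovecot writes to fd 3, reverses the client's IPv4 address from TCPREMOTEIP into a DNSBL query, and then either exits 1 (not listed, so the deny passdb fails and the real passdbs run) or execs the checkpassword-reply binary Dovecot passes as argv[1] (listed, so the deny passdb succeeds and the login is rejected). The zone name rbl.example.invalid is a placeholder for the poster's local RBL, the IPv4-only check and the handling of a resolver timeout as a temporary failure (exit 111, rather than silently failing open) are design choices of this example, and the sample zone in demo() is constructed for an offline run.

```python
#!/usr/bin/env python3
"""Dovecot checkpassword script for a deny=yes passdb: reject clients listed in a DNSBL.

Outcome -> what Dovecot needs from a deny=yes checkpassword:
  allow    -> the deny passdb must FAIL      -> exit 1
  block    -> the deny passdb must SUCCEED   -> exec argv[1] (checkpassword-reply)
  trouble  -> temporary failure              -> exit 111
A plain `exit 0` is not success; only handing over to checkpassword-reply is.

Assumptions (not from the thread): DNSBL_ZONE is a placeholder, only IPv4 clients
are checked (anything else falls through to 'allow'), and a resolver timeout is
reported as tempfail instead of failing open.
"""
import os
import socket
import sys

DNSBL_ZONE = "rbl.example.invalid"   # placeholder for the local RBL zone
CREDS_FD = 3                         # Dovecot writes "user\0password\0..." here
EXIT_ALLOW = 1                       # deny passdb "fails" -> normal passdbs run
EXIT_TEMPFAIL = 111
TEMPFAIL = object()                  # marker for static_resolver: simulate EAI_AGAIN


def parse_credentials(raw: bytes):
    """Split the NUL-separated fd-3 payload into (user, password)."""
    fields = raw.split(b"\0")
    if len(fields) < 2:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reversed-octet query name, e.g. 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def decision(ip: str, resolve=socket.gethostbyname, zone: str = DNSBL_ZONE) -> str:
    """'block' if the zone answers, 'allow' on NXDOMAIN or a non-IPv4 client,
    'tempfail' when the resolver times out (EAI_AGAIN) so a DNS outage does not
    quietly disable the blocklist."""
    try:
        name = dnsbl_name(ip, zone)
    except ValueError:
        return "allow"
    try:
        resolve(name)
    except socket.gaierror as e:
        return "tempfail" if e.errno == socket.EAI_AGAIN else "allow"
    return "block"


def static_resolver(table: dict):
    """Offline stand-in for socket.gethostbyname: table maps query names to an
    answer string or to TEMPFAIL; unknown names behave like NXDOMAIN."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
        if table[name] is TEMPFAIL:
            raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
        return table[name]
    return resolve


def demo():
    """Constructed sample zone: one listed attacker, one address whose lookup times out."""
    zone = static_resolver({
        dnsbl_name("192.0.2.1"): "127.0.0.2",   # listed (constructed sample)
        dnsbl_name("203.0.113.9"): TEMPFAIL,    # resolver outage (constructed sample)
    })
    return {ip: decision(ip, resolve=zone)
            for ip in ("192.0.2.1", "198.51.100.7", "203.0.113.9", "2001:db8::1")}


def main():
    reply_binary = sys.argv[1] if len(sys.argv) > 1 else None  # checkpassword-reply
    try:
        with os.fdopen(CREDS_FD, "rb") as creds:
            user, _password = parse_credentials(creds.read())  # password unused here
    except (OSError, ValueError):
        sys.exit(EXIT_TEMPFAIL)
    verdict = decision(os.environ.get("TCPREMOTEIP", ""))
    if verdict == "allow":
        sys.exit(EXIT_ALLOW)
    if verdict == "tempfail" or reply_binary is None:
        sys.exit(EXIT_TEMPFAIL)
    # Listed: make the deny passdb succeed by handing over to checkpassword-reply.
    os.environ["USER"] = user   # harmless; with deny=yes Dovecot ignores it
    os.execv(reply_binary, [reply_binary])


if __name__ == "__main__":
    main()
```

Dropped into the `args =` path of the `deny = yes` passdb, this is the whole contract: exit 1 means "not a match, carry on", exec of argv[1] means "match, deny". The only policy choice worth arguing about is the tempfail branch; if the RBL server is unreachable you have to decide whether the mail service or the blocklist wins, and exit 111 makes that decision explicit rather than accidental.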
Timo Sirainen wrote:
> On Sun, 2008-06-15 at 19:04 -0400, Larry Ludwig wrote:
>
>> if ($result == 0) {
>>     @ENV{"SHELL", "USER", "HOME"} = ($shell, $user, $home);
>>     exit 0;
>> }
>> else {
>>     exit 1;
>> }
>
> 1) If you want to allow the user, the deny=yes passdb check must fail. So exit with 1 in that case.
>
> 2) With deny=yes Dovecot doesn't care about shell or home. USER is most likely also useless unless your check changes it.
>
> 3) If you want to block the user, the checkpassword must succeed. exit 0 doesn't mean success. You have to execute the checkpassword-reply binary as specified by http://wiki.dovecot.org/PasswordDatabase/CheckPassword

OK thanks.. I'll look into this.

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/