henry ritzlmayr
2009-Jun-04 10:16 UTC
[Dovecot] Dovecot under brute force attack - nice attacker
Hi List,

optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.

Dovecot Version 1.0.7 (CentOS 5.2)

The short story:
On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......

The problem:
If the attacker hadn't closed and reopened the connection no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.

How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
-> Only the last try gets logged.

If I enable auth_verbose every attempt gets logged, but if I read the docs correctly this option should only be used for figuring out why authentication isn't working.

Question:
Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it? This would be perfect since an easy iptables/hashlimit would avoid such a brute force attack.

Any other ideas?

Henry
Noel Butler
2009-Jun-04 10:48 UTC
[Dovecot] Dovecot under brute force attack - nice attacker
On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
> Hi List,
>
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior.
>
> Dovecot Version 1.0.7 (CentOS 5.2)
>
> The short story:
> On one of our servers an attacker did a brute force
> attack on dovecot (pop3).
> Since the attacker closed and reopened the connection
> after every user/password combination the logs showed
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.

Verified with 1.1.6 as well, nice catch Henry.
Timo Sirainen
2009-Jun-04 15:41 UTC
[Dovecot] Dovecot under brute force attack - nice attacker
On Jun 4, 2009, at 6:16 AM, henry ritzlmayr wrote:
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries.

With v1.2+ the login failure delay grows after each failed login.

> If I enable auth_verbose every attempt gets logged, but if I read the
> docs correctly this option should only be used for figuring out why
> authentication isn't working.

auth_debug is for figuring out why it's not working. auth_verbose is useful if you actually care about logging that information. I guess in your case you would care.

> Question:
> Is there any way to close the connection after the
> first wrong user/pass combination. So an attacker would be forced
> to reopen it?

I think the growing delay is a better idea.
Mark Sapiro
2009-Jun-04 16:51 UTC
[Dovecot] Dovecot under brute force attack - nice attacker
On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.

I see the same thing with Dovecot 1.2.rc4 on CentOS 5, but pam logs every failed attempt:

Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1

So, fail2ban will block based on the pam log.

-- 
Mark Sapiro mark at msapiro net          The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
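As an added example (not code from the thread or from Dovecot), a small fail2ban-style counter run over constructed log lines of the two shapes quoted above: it shows that the per-attempt pam_unix lines expose the retries made inside one POP3 connection, while the single pop3-login "Aborted login" line for that connection never reaches a ban threshold. The rip= field in the Aborted login line, the hostnames and the source addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Per-attempt line from pam_unix, as quoted in Mark's message.
PAM_RE = re.compile(r"pam_unix\(dovecot:auth\): authentication failure; .*?rhost=(?P<host>\S+)")
# Per-connection line from pop3-login; rip= is assumed (thread shows only "user=<test>,......").
DOVECOT_RE = re.compile(r"pop3-login: Aborted login: .*?rip=(?P<host>[\d.]+)")
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")

def parse_failure(line, year=2009):
    """Return (timestamp, source host) for a failed-auth line, else None."""
    m_ts = SYSLOG_TS.match(line)
    for rx in (PAM_RE, DOVECOT_RE):
        m = rx.search(line)
        if m_ts and m:
            ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["host"]

def peak_failures(lines, findtime=600):
    """Per source host, the most failures seen inside any findtime-second window."""
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            stamps[parsed[1]].append(parsed[0])
    peaks = {}
    for host, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        peaks[host] = best
    return peaks

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts a fail2ban-style rule (maxretry failures within findtime) would block."""
    return {h for h, n in peak_failures(lines, findtime).items() if n >= maxretry}

# Constructed sample: one POP3 connection from 192.0.2.10 cycling through six
# passwords, plus two honest typos from 198.51.100.7.
PAM_LINES = [
    f"Jun  4 09:37:{40 + i:02d} sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication "
    f"failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10" for i in range(6)
] + [
    f"Jun  4 09:38:{s} sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication "
    f"failure; logname= uid=0 euid=0 tty=dovecot ruser=mark rhost=198.51.100.7" for s in ("05", "20")
]
# What pop3-login records for that same attacker connection: a single line.
DOVECOT_LINES = ["Jun  4 09:37:46 sbh16 dovecot: pop3-login: Aborted login: user=<test>, "
                 "method=PLAIN, rip=192.0.2.10, lip=192.0.2.1"]
```

With the pam lines the attacker crosses maxretry=5 inside the window; with only the pop3-login line it counts as one failure, which is the gap Henry describes.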