Jürgen Obermann
2011-Jun-10 09:22 UTC
[Dovecot] limiting number of login attempts from same ip
Hello,

is it possible to limit the number of pop3 (or imap) login attempts from one IP with dovecot to stop attackers? We recently had an attack from one IP-address lasting 50 minutes that tried 50000 pop3-logins with guessed users and passwords. I know about Fail2Ban but really would prefer an easy to configure solution inside of dovecot. Dovecot has this anvil daemon, can it be used for that purpose?

We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of the configuration looking like that:

service pop3-login {
  chroot = login
  client_limit = 0
  drop_priv_before_exec = no
  executable = pop3-login
  extra_groups
  group
  idle_kill = 0
  inet_listener pop3 {
    address
    port = 110
    ssl = no
  }
  inet_listener pop3s {
    address
    port = 995
    ssl = yes
  }
  privileged_group
  process_limit = 0
  process_min_avail = 0
  protocol = pop3
  service_count = 1
  type = login
  user = $default_login_user
  vsz_limit = 64 M
}

Thanks,
Jürgen

--
Hochschulrechenzentrum der  | Mail: Juergen.Obermann at hrz.uni-giessen.de
Justus-Liebig-Universitaet  | WWW: http://www.uni-giessen.de/obermann/
Heinrich-Buff-Ring 44       | Tel: 0641-99-13054 (0641-99-13001)
D-35392 Giessen, Germany    | Fax: 0641-99-13009
Robert Schetterer
2011-Jun-10 09:26 UTC
[Dovecot] limiting number of login attempts from same ip
On 10.06.2011 11:22, Jürgen Obermann wrote:
> Hello,
>
> is it possible to limit the number of pop3 (or imap) login attempts from
> one IP with dovecot to stop attackers? We recently had an attack from
> one IP-address lasting 50 minutes that tried 50000 pop3-logins with
> guessed users and passwords. I know about Fail2Ban but really would
> prefer an easy to configure solution inside of dovecot. Dovecot has this
> anvil daemon, can it be used for that purpose?
>
> We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of
> the configuration looking like that:
>
> service pop3-login {
>   chroot = login
>   client_limit = 0
>   drop_priv_before_exec = no
>   executable = pop3-login
>   extra_groups
>   group
>   idle_kill = 0
>   inet_listener pop3 {
>     address
>     port = 110
>     ssl = no
>   }
>   inet_listener pop3s {
>     address
>     port = 995
>     ssl = yes
>   }
>   privileged_group
>   process_limit = 0
>   process_min_avail = 0
>   protocol = pop3
>   service_count = 1
>   type = login
>   user = $default_login_user
>   vsz_limit = 64 M
> }
>
> Thanks, Jürgen
>

Look at http://wiki2.dovecot.org/HowTo/Fail2Ban

--
Best Regards
Robert Schetterer
Germany/Munich/Bavaria
Friday, June 10, 2011, 4:22:26 AM, Jürgen wrote:
> Hello,

> is it possible to limit the number of pop3 (or imap) login attempts
> from one IP with dovecot to stop attackers? We recently had an attack
> from one IP-address lasting 50 minutes that tried 50000 pop3-logins
> with guessed users and passwords. I know about Fail2Ban but really
> would prefer an easy to configure solution inside of dovecot. Dovecot
> has this anvil daemon, can it be used for that purpose?

> We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of
> the configuration looking like that:

> service pop3-login {
>   chroot = login
>   client_limit = 0
>   drop_priv_before_exec = no
>   executable = pop3-login
>   extra_groups
>   group
>   idle_kill = 0
>   inet_listener pop3 {
>     address
>     port = 110
>     ssl = no
>   }
>   inet_listener pop3s {
>     address
>     port = 995
>     ssl = yes
>   }
>   privileged_group
>   process_limit = 0
>   process_min_avail = 0
>   protocol = pop3
>   service_count = 1
>   type = login
>   user = $default_login_user
>   vsz_limit = 64 M
> }

You can thwart (to some degree) failed login attempts by increasing auth_failure_delay. I currently have the parameter set at 5 seconds. Its default is 2 seconds.

I also have set auth_verbose = yes and auth_verbose_passwords = sha1 and have a cron job set up to search the logs for the day before using:

  bzegrep -i 'password.mismatch' /var/log/maillog.0.bz2

I get an email message showing the failed login attempts from the previous day.

Someone else suggested using fail2ban which is good. I have sshguard set up myself.

--
Best regards,
Duane
mailto:duane at duanemail.org
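
Added example (not part of any message in this thread): the daily `bzegrep` report described above lists every mismatch line; grouping the matches by remote IP makes a single source with thousands of attempts stand out. The log line layout `passdb(user,ip): Password mismatch`, the function names and the thresholds are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Assumed log layout: "passdb(user,ip[,...]): Password mismatch".

# failed_by_ip MIN: read a mail log on stdin and print "COUNT IP" for every
# remote IP with at least MIN password mismatches, busiest first.
failed_by_ip() {
    awk -v min="$1" '
        tolower($0) ~ /password.mismatch/ {
            # First parenthesised group holds "user,ip" (plus optional extras).
            if (match($0, /\([^)]*\)/) == 0) next
            inner = substr($0, RSTART + 1, RLENGTH - 2)
            if (split(inner, f, ",") < 2) next   # no IP recorded on this line
            count[f[2]]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation IP ranges, made-up users and hashes).
sample_log() {
    cat <<'EOF'
Jun  9 03:14:01 mail dovecot: auth: passwd-file(alice,203.0.113.7): Password mismatch (SHA1 of given password: 0000aa)
Jun  9 03:14:16 mail dovecot: auth: passwd-file(bob,203.0.113.7): Password mismatch (SHA1 of given password: 0000bb)
Jun  9 03:14:31 mail dovecot: auth: passwd-file(carol,203.0.113.7): Password mismatch (SHA1 of given password: 0000cc)
Jun  9 03:14:46 mail dovecot: auth: passwd-file(alice,203.0.113.7): password mismatch
Jun  9 08:02:10 mail dovecot: auth: passwd-file(dave,198.51.100.20): Password mismatch (SHA1 of given password: 0000dd)
Jun  9 08:02:30 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1
Jun  9 09:00:00 mail dovecot: auth: passwd-file(mallory,203.0.113.7): unknown user
EOF
}

# Daily report over the rotated log named in the message above
# (20 is an example threshold):
#   bzcat /var/log/maillog.0.bz2 | failed_by_ip 20
sample_log | failed_by_ip 3
```

Only `Password mismatch` lines are counted, matching the pattern in the cron job; `unknown user` lines from the same source are ignored unless the pattern is widened.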
Timo Sirainen
2011-Jun-13 13:22 UTC
[Dovecot] limiting number of login attempts from same ip
On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
> Hello,
>
> is it possible to limit the number of pop3 (or imap) login attempts
> from one IP with dovecot to stop attackers? We recently had an attack
> from one IP-address lasting 50 minutes that tried 50000 pop3-logins
> with guessed users and passwords. I know about Fail2Ban but really
> would prefer an easy to configure solution inside of dovecot. Dovecot
> has this anvil daemon, can it be used for that purpose?
>
> We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of
> the configuration looking like that:

With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).

Hmm. Maybe instead of simply increasing the failure delay, the IP could be disconnected immediately?