Marc Perkel
2013-Oct-22 19:31 UTC
[Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
I would like to have a list of IPs (hacker list) that I can do a lookup on so that if anyone tries to authenticate to dovecot they always fail if they are on my list. I have the list - and the list is available as a DNS blacklist. I'd like to have it work with both local IP lists or RBL lookup. The idea is so hackers from known IP addresses never succeed. If Dovecot provides the feature I have about 1/2 million IP addresses of known current hackers to block. Anyone else interested in this?
Benny Pedersen
2013-Oct-22 19:41 UTC
[Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
Marc Perkel wrote on 2013-10-22 21:31:
> Anyone else interested in this?

Would you sell more RAM later? Basically you'd like to have fail2ban with a central server logging via syslog? If yes, create more rules for fail2ban and show it on a wiki.
Rick Romero
2013-Oct-22 19:45 UTC
[Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
Quoting Marc Perkel <marc at perkel.com>:
> I would like to have a list of IPs (hacker list) that I can do a lookup
> on so that if anyone tries to authenticate to dovecot they always fail
> if they are on my list.
>
> I have the list - and the list is available as a DNS blacklist.
>
> I'd like to have it work with both local IP lists or RBL lookup.
>
> The idea is so hackers from known IP addresses never succeed.
>
> If Dovecot provides the feature I have about 1/2 million IP addresses of
> known current hackers to block.
> Anyone else interested in this?

How about doing a SQL auth with a 'NOT IN' select. Then in your post-auth script do an RBL lookup and if listed (but not in your whitelist), add to your table (with a timestamp to expire, of course) and kick the user.

IMHO, the problem with all-out blocks on auth is the same as doing an all-out block based on SPF - so many IPs are shared you can easily get false positives.

Rick
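The scheme Rick sketches, as an added example that is not code from the thread or from Dovecot: a DNSBL lookup on the client IP (reversed octets under the list zone, a 127.0.0.0/8 answer meaning "listed"), a whitelist for shared NAT addresses to address the false-positive caveat, and an expiring block table standing in for the SQL table behind the `NOT IN` clause. The zone name `hackers.dnsbl.example`, the sample IPs and the fake resolver are constructed; `system_resolver` shows the real lookup but the demo and test only use the fake one, so the block runs offline.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, Iterable, List

DNSBL_ZONE = "hackers.dnsbl.example"   # placeholder zone name, an assumption; not a real list
BLOCK_TTL_SECONDS = 24 * 3600           # how long an entry in the block table stays valid

Resolver = Callable[[str], List[str]]   # name -> list of A records ([] when not listed)


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: reversed octets under the zone
    (203.0.113.9 -> 9.113.0.203.<zone>). Malformed or IPv6 input raises."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Resolve via the system resolver; NXDOMAIN (not listed) becomes []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def is_listed(ip: str, resolve: Resolver, zone: str = DNSBL_ZONE) -> bool:
    """An IP is listed when the DNSBL answers with an address in 127.0.0.0/8;
    any other answer (e.g. a wildcard from a parked domain) counts as not listed."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


class BlockTable:
    """In-memory stand-in for the SQL table of blocked IPs with expiry timestamps."""

    def __init__(self, whitelist: Iterable[str], ttl: float = BLOCK_TTL_SECONDS,
                 now: Callable[[], float] = time.time) -> None:
        # Whitelisted networks (e.g. a NAT egress shared by many users) are never blocked.
        self._whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self._ttl = ttl
        self._now = now
        self._blocked: Dict[str, float] = {}   # ip -> expiry (epoch seconds)

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._whitelist)

    def auth_allowed(self, ip: str) -> bool:
        """Stand-in for the 'NOT IN blocked_ips' clause of the SQL password query."""
        expires = self._blocked.get(ip)
        if expires is None:
            return True
        if expires <= self._now():        # expired entry: drop it and let the login through
            del self._blocked[ip]
            return True
        return False

    def post_login_check(self, ip: str, resolve: Resolver) -> str:
        """Run after a successful login. Returns 'whitelisted', 'ok' or 'kick';
        'kick' also records the IP in the block table so later logins fail."""
        if self.is_whitelisted(ip):
            return "whitelisted"
        if not is_listed(ip, resolve):
            return "ok"
        self._blocked[ip] = self._now() + self._ttl
        return "kick"


# Constructed sample data (not real DNSBL answers): 203.0.113.9 and 192.0.2.1 are listed.
FAKE_ZONE_DATA = {
    "9.113.0.203." + DNSBL_ZONE: ["127.0.0.2"],
    "1.2.0.192." + DNSBL_ZONE: ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE_DATA.get(name, [])


def demo() -> List[str]:
    """Walk one listed client, one whitelisted (shared NAT) client, and expiry."""
    clock = [1_000.0]
    table = BlockTable(whitelist=["192.0.2.0/24"], ttl=60, now=lambda: clock[0])
    log = []
    log.append(f"first login 203.0.113.9 allowed={table.auth_allowed('203.0.113.9')}")
    log.append(f"post-login 203.0.113.9 -> {table.post_login_check('203.0.113.9', fake_resolver)}")
    log.append(f"retry 203.0.113.9 allowed={table.auth_allowed('203.0.113.9')}")
    log.append(f"post-login 192.0.2.1 -> {table.post_login_check('192.0.2.1', fake_resolver)}")
    clock[0] += 61
    log.append(f"after expiry 203.0.113.9 allowed={table.auth_allowed('203.0.113.9')}")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two design points worth noting: the listed check only trusts answers inside 127.0.0.0/8, so a lapsed DNSBL domain that starts wildcarding to a public address does not silently block every client; and the whitelist is checked before the lookup, so a listed NAT egress never enters the block table in the first place.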
Christian Schmidt
2013-Oct-22 21:11 UTC
[Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
22.10.2013 21:31, Marc Perkel:
> I would like to have a list of IPs (hacker list) that I can do a lookup
> on so that if anyone tries to authenticate to dovecot they always fail
> if they are on my list.

You could enable dovecot's tcpwrapper support for this.

Kind Regards,
Christian Schmidt
Steffen Kaiser
2013-Oct-23 07:24 UTC
[Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
On Tue, 22 Oct 2013, Marc Perkel wrote:
> I would like to have a list of IPs (hacker list) that I can do a lookup on so
> that if anyone tries to authenticate to dovecot they always fail if they are
> on my list.
>
> I have the list - and the list is available as a DNS blacklist.
>
> I'd like to have it work with both local IP lists or RBL lookup.
>
> The idea is so hackers from known IP addresses never succeed.

Why would you let the auth happen at all? Is it some sort of tarpitting? Otherwise you could just block the IP with a firewall.

Maybe you can combine the deny AuthDatabase, as explained here:
http://wiki2.dovecot.org/Authentication/RestrictAccess?highlight=%28deny%29
with a socket auth daemon:
http://wiki2.dovecot.org/AuthDatabase/Dict
So, you return success via the auth socket dict and use the remote IP as "key", but success is turned into "deny".

> If Dovecot provides the feature I have about 1/2 million IP addresses of
> known current hackers to block.

Well, I do not like the notion "one IP == one person", too many setups use NAT.

--
Steffen Kaiser