Hope to get some attention about this idea to reduce hacking passwords.

Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH:

http://ipadmin.junkemailfilter.com/auth-hack.txt

This is a list of IP addresses that attempted to authenticate against my fake AUTH advertising on servers with no authentication. We do front end spam filtering for thousands of domains and I decided to advertise authentication where there is none, and I accept and blackhole all authenticated email to those servers. I have harvested the IP addresses in this list, which is available through an RBL.

It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.

Thoughts?
On 04.02.2014 18:40, Marc Perkel wrote:
> Hope to get some attention about this idea to reduce hacking passwords.
>
> Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH
>
> http://ipadmin.junkemailfilter.com/auth-hack.txt
>
> This is a list of IP addresses that attempted to authenticate against my fake AUTH advertising on servers with no
> authentication. We do front end spam filtering for thousands of domains and I decided to advertise authentication
> where there is none and I accept and blackhole all authenticated email to those servers. I have harvested the IP
> addresses in this list that is available through an RBL.
>
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses
> connecting and deny access if listed.
>
> Thoughts?

A limit of failed auth tries without a successful one would be better, and strip down logging after it is blocked instead of having thousands of lines from fools trying a dictionary:

* ip <xx.xx.xx.xx> blocked after XX auth tries within XX minutes
* blocking of ip <xx.xx.xx.xx> released (XX tries blocked)

Something like that, but with focus on failed logins:

    anvil_rate_time_unit = 1800s
    smtpd_client_connection_rate_limit = 50
    smtpd_client_recipient_rate_limit = 400
    smtpd_recipient_limit = 100
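A sketch of the failed-login limiter this reply describes (block after N failures in a window unless a successful login intervenes, release later, and log only the two state changes), written as an added example that is not code from the thread, from Dovecot or from fail2ban. The log format, the thresholds (3 failures in 5 minutes, 30-minute block) and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log, not real dovecot output: "<epoch> <fail|ok> <client ip>".
SAMPLE_LOG = """\
1000 fail 203.0.113.7
1010 fail 203.0.113.7
1020 fail 203.0.113.7
1030 fail 203.0.113.7
1100 fail 198.51.100.9
1110 ok 198.51.100.9
1120 fail 198.51.100.9
2900 fail 203.0.113.7
"""
class AuthLimiter:
    # Block an IP after max_fails failed logins inside `window` seconds with no
    # success in between, release it after block_time, and log state changes only.
    def __init__(self, max_fails=3, window=300, block_time=1800):
        self.max_fails, self.window, self.block_time = max_fails, window, block_time
        self.fails = defaultdict(deque)   # ip -> timestamps of recent failed tries
        self.blocked = {}                 # ip -> [release_time, tries seen while blocked]
        self.events = []                  # the two log lines from the reply above
    def observe(self, now, ip, success):
        """Return True if the attempt may proceed, False if the IP is blocked."""
        for old in [i for i, (until, _) in self.blocked.items() if until <= now]:
            dropped = self.blocked.pop(old)[1]
            self.events.append(f"blocking of ip <{old}> released ({dropped} tries blocked)")
        if ip in self.blocked:            # still blocked: count it, do not log it
            self.blocked[ip][1] += 1
            return False
        recent = self.fails[ip]
        if success:                       # a good login clears the failure history
            recent.clear()
            return True
        recent.append(now)
        while recent[0] <= now - self.window:   # drop tries outside the window
            recent.popleft()
        if len(recent) >= self.max_fails:
            self.blocked[ip] = [now + self.block_time, 0]
            recent.clear()
            self.events.append(f"ip <{ip}> blocked after {self.max_fails} auth tries "
                               f"within {self.window // 60} minutes")
            return False
        return True
def replay(log_text, limiter=None):
    limiter = limiter or AuthLimiter()
    for line in log_text.splitlines():
        ts, result, ip = line.split()
        limiter.observe(int(ts), ip, result == "ok")
    return limiter
```

Replaying the constructed log produces exactly two event lines for the dictionary run from 203.0.113.7, while 198.51.100.9 (one failure, a success, another failure) is never touched.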
Robert Schetterer
2014-Feb-04 18:33 UTC
[Dovecot] Applying a DNS RBL to deny authentication?
On 04.02.2014 18:40, Marc Perkel wrote:
> Hope to get some attention about this idea to reduce hacking passwords.
>
> Here is a list of about 700,000 IP addresses that are hacking passwords
> through SMTP AUTH
>
> http://ipadmin.junkemailfilter.com/auth-hack.txt
>
> This is a list of IP addresses that attempted to authenticate against my
> fake AUTH advertising on servers with no authentication. We do front end
> spam filtering for thousands of domains and I decided to advertise
> authentication where there is none and I accept and blackhole all
> authenticated email to those servers. I have harvested the IP addresses
> in this list that is available through an RBL.
>
> It seems to me that a nice dovecot feature would be the ability to do a
> black list check against IP addresses connecting and deny access if listed.

http://wiki2.dovecot.org/Authentication/RestrictAccess

but you could add them in a firewall too

> Thoughts?

I think you know the problems of RBLs very well; in case of IMAP/POP a false positive may cause extremely high support effort. Also think of NAT users. I prefer more dynamic and flexible solutions, like fail2ban etc. So your honeypot IPs are fine, but shouldn't be widely used/matched for everybody's needs. Perhaps it might be better to use them in a more "score"-like or monitoring/alarming system combined with other data.

Best regards,
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On 04 Feb 2014, at 10:40, Marc Perkel <marc at perkel.com> wrote:
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
>
> Thoughts?

Use the right tool. Fail2ban (or denyssh) do this sort of limiting quite well. One of them even has a feature that allows you to sync bad IPs with other people (denyssh, I think).

Also, postfix will check an RBL, so if you simply put in your check in master.cf for your submission port, there's no reason for dovecot to try to redo something others already do. Something like this in postfix:

    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_path=private/auth
      # reject_rbl_client is a restriction, not a parameter, so it goes into a
      # restriction list; placed before permit_sasl_authenticated so a listed
      # client is refused even when its credentials would have worked
      -o smtpd_client_restrictions=reject_rbl_client=myrbl.local,permit_sasl_authenticated,reject
      -o smtpd_helo_restrictions=
      -o smtpd_data_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o syslog_name=submit-tls

YMMV

--
I have seen the truth and it makes no sense.