On 11/04/2019 11:43, Marc Roos via dovecot wrote:
> A. With the fail2ban solution
> - you 'solve' that the current ip is not able to access you

It is only a solution if there are subsequent attempts from the same address. I currently have several thousand addresses blocked due to dovecot login failures. My firewall is set to log these so I can see that few repeat; those that do repeat have intervals of >1 week. Blocking these has minimal effect (other than to clog fail2ban and the firewall).

> - it will continue bothering other servers and admins

Which is why a dnsbl for dovecot is a good idea. I do not believe the agents behind these login attempts are only targeting me, hence the addresses should be shared via a dnsbl.
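The observation above (most failing addresses never come back, and the ones that do return after more than a week) is something you can measure from your own logs before deciding whether a fail2ban ban window is worth anything. The script below is an added example and not from the thread or from Dovecot: it parses constructed lines modelled on Dovecot's `imap-login` "auth failed" format, groups failures by `rip=` address, and reports per address how many sessions it opened, the longest gap between them, and whether a ban of fail2ban's default 10-minute `bantime` would have blocked any later session. The sample addresses, users, timestamps and the assumed year 2019 (syslog lines carry no year) are all invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on Dovecot's imap-login failure lines
# (the addresses and users are invented; the timestamps span eight days).
SAMPLE_LOG = """\
Apr 11 10:06:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<s1>
Apr 11 10:06:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.22, lip=192.0.2.10, session=<s2>
Apr 11 10:07:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<s3>
Apr 11 11:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=192.0.2.99, lip=192.0.2.10, session=<s4>
Apr 19 02:15:33 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.22, lip=192.0.2.10, session=<s5>
"""

# syslog timestamp, attempt count and remote IP (rip=) of one failed login session
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"auth failed, (?P<n>\d+) attempts.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text, year=2019):
    """Return (timestamp, remote_ip, attempts) for each auth-failure line.

    syslog lines carry no year, so the caller supplies one (assumed 2019 here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse "Apr  1" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("rip"), int(m.group("n"))))
    return events


def repeat_stats(events, bantime=timedelta(minutes=10)):
    """Per remote IP: how often it came back, and whether a fail2ban-style
    ban of length `bantime` (fail2ban's default is 10 minutes) would have
    blocked at least one later session.
    """
    by_ip = defaultdict(list)
    for ts, rip, n in events:
        by_ip[rip].append((ts, n))
    stats = {}
    for rip, hits in by_ip.items():
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        stats[rip] = {
            "sessions": len(hits),
            "attempts": sum(n for _, n in hits),
            "max_gap": max(gaps) if gaps else None,
            "ban_would_catch": any(g <= bantime for g in gaps),
        }
    return stats


def summarize(stats):
    """Count addresses, those that ever returned, and those a ban would catch."""
    return {
        "addresses": len(stats),
        "repeating": sum(1 for s in stats.values() if s["sessions"] > 1),
        "catchable": sum(1 for s in stats.values() if s["ban_would_catch"]),
    }


if __name__ == "__main__":
    stats = repeat_stats(parse_failures(SAMPLE_LOG))
    for rip, s in sorted(stats.items()):
        print(rip, s)
    print(summarize(stats))
```

Run against a real `mail.log` the `catchable` count tells you how many of the offending addresses a local ban would actually have stopped; a low ratio is exactly the situation described above, where sharing the addresses (a dnsbl) helps more than banning them locally. Raise `bantime` to see how long a ban would have to be to matter.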
Yes indeed, we already have our own dnsbl's for smtp and ssh/ftp access. How do you have one set up for dovecot connections?

-----Original Message-----
From: James via dovecot [mailto:dovecot at dovecot.org]
Sent: Thursday 11 April 2019 13:25
To: dovecot at dovecot.org
Subject: Re: Mail account brute force / harassment
On 11/04/2019 12:49, Marc Roos via dovecot wrote:
> Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How
> do you have one setup for dovecot connections?

Two answers:

1. I wrote my own very simple implementation but it does not share other people's data. Sharing is the key to viability, so it is/was a pointless exercise. Without sharing a hacker gets at least one free shot per server per address. With sharing it is closer to one per address, and less with honeypots.

2. I said "dnsbl for dovecot is a good idea", an idea. When this was raised previously we were told it was not needed and it can all be done with tcp wrappers, fail2ban and allow_nets.

https://dovecot.org/list/dovecot/2013-July/091236.html
https://dovecot.org/list/dovecot/2014-June/096662.html
On 11.04.2019 13:25, James via dovecot wrote:
> On 11/04/2019 11:43, Marc Roos via dovecot wrote:
>
>> A. With the fail2ban solution
>> - you 'solve' that the current ip is not able to access you
>
> It is only a solution if there are subsequent attempts from the same
> address. I currently have several thousand addresses blocked due to
> dovecot login failures. My firewall is set to log these so I can see
> that few repeat, those that do repeat have intervals of >1 week.
> Blocking these has minimal effect (other than to clog fail2ban and the
> firewall).
>
>> - it will continue bothering other servers and admins
>
> Which is why a dnsbl for dovecot is a good idea. I do not believe the
> agents behind these login attempts are only targeting me, hence the
> addresses should be shared via a dnsbl.

Probably there's an existing solution for both problems (subsequent attempts and dnsbl):

> https://github.com/PowerDNS/weakforced

It was also discussed recently on this list:

> https://www.dovecot.org/list/dovecot/2019-March/114921.html

It has already been on my personal todo list for some time, so I have no experience of how (well) it actually works.

Best,
Anton
On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote:
>> Which is why a dnsbl for dovecot is a good idea. I do not believe the
>> agents behind these login attempts are only targeting me, hence the
>> addresses should be shared via a dnsbl.
>
> Probably there's an existing solution for both problems (subsequent
> attempts and dnsbl):
>
>> https://github.com/PowerDNS/weakforced

"The goal of 'wforce' is to detect brute forcing of passwords across many servers"

The problem is not detecting but blocking. Dovecot has no mechanism for using the data; Dovecot needs DNSBL capability. I tested a small sample of my IMAP hackers using the lists I use for SMTP blocking [1] and enough are in these lists to make them worth using. Extra detection is not needed as many of these addresses are already known - maybe even by using weakforced.

James.

1. exim dnsblist:
https://www.exim.org/howto/rbl.html
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
> > Probably there's an existing solution for both problems (subsequent
> > attempts and dnsbl):
> >
> > > https://github.com/PowerDNS/weakforced
> >
> > It was also discussed recently on this list:
> >
> > > https://www.dovecot.org/list/dovecot/2019-March/114921.html
> >
> > Has already been on my personal todo list for some time, so I have no
> > experience how (good) it actually works.
>

That was a thread I started. I got wforce to work. However, the "reporting IP" in the logs always shows as 127.0.0.1, so I risk banning myself. Here's the log entry:

Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}

I've tried setting auth_policy_server_url to examples such as:

- auth_policy_server_url = http://localhost:8084/
- auth_policy_server_url = http://0.0.0.0:8084/
- auth_policy_server_url = https://ourdomain.edu:8084/

in the custom config file for wforce, and the rip (reporting IP, e.g.,

Apr 12 10:06:10 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=OWoLzlWGDrh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=47118 resp=<hidden>

) is either 127.0.0.1 or ourdomain.edu.
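Two things in this thread fit together in one piece of code: James's point that the missing piece is a DNSBL lookup on the client address, and the self-ban hazard above, where the address Dovecot hands to the policy server is 127.0.0.1. The script below is an added example, not code from Dovecot, wforce or anyone in the thread. It extracts the `remote` field from an auth policy debug line of the shape quoted above, refuses to act on loopback, link-local or RFC 1918 addresses (so a 127.0.0.1 entry can never turn into a ban of the server itself), and otherwise builds the reversed-octet query name a DNSBL expects and looks it up. The DNSBL zone `dnsbl.example.invalid` is a placeholder, the log lines are constructed by `policy_line`, and the lookup goes through a swappable resolver so the example runs offline against a fake listing; `dns_resolver` is the real one.

```python
import ipaddress
import json
import socket

JSON_MARK = "Policy server request JSON: "

# Addresses that must never be looked up or banned from a Dovecot log:
# loopback, link-local and RFC 1918 space (assumed policy for this example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def policy_line(remote, login="ouruser"):
    """Build a constructed auth debug line in the shape of the one quoted above."""
    body = {"device_id": "", "login": login, "protocol": "imap", "pwhash": "2a",
            "remote": remote, "success": False, "policy_reject": False, "tls": False}
    return (f"Apr 12 10:06:12 auth: Debug: policy({login},{remote},<sess>): "
            f"{JSON_MARK}{json.dumps(body, separators=(',', ':'))}")


def extract_remote(line):
    """Return the 'remote' field of a Dovecot auth policy request line, or None."""
    i = line.find(JSON_MARK)
    if i < 0:
        return None
    try:
        return json.loads(line[i + len(JSON_MARK):]).get("remote")
    except json.JSONDecodeError:
        return None


def is_local(addr):
    """True for addresses that should never be reported or blocked."""
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in LOCAL_NETS)


def dnsbl_query_name(ip, zone):
    """Reverse the address into the query name a DNSBL expects.

    IPv4: octets reversed (1.2.3.4 -> 4.3.2.1.zone);
    IPv6: all 32 nibbles of the expanded address reversed.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def dns_resolver(name):
    """Real lookup: a DNSBL answers listed names with 127.0.0.x, unlisted with NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(line, zone, resolver=dns_resolver):
    """Decide what to do with one auth policy line.

    Returns (verdict, remote, dnsbl_answer). Local addresses are skipped
    before any lookup: when the client shows up as 127.0.0.1, as in the
    message above, acting on it would ban the server itself.
    """
    remote = extract_remote(line)
    if remote is None:
        return ("unparsed", None, None)
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return ("unparsed", remote, None)
    if is_local(addr):
        return ("skip-local", remote, None)
    answer = resolver(dnsbl_query_name(remote, zone))
    if answer is None:
        return ("clean", remote, None)
    return ("listed", remote, answer)


# Constructed stand-in for a DNSBL, keyed by query name; the zone is a placeholder.
ZONE = "dnsbl.example.invalid"
FAKE_DNSBL = {"22.113.0.203." + ZONE: "127.0.0.4"}

if __name__ == "__main__":
    for remote in ("127.0.0.1", "203.0.113.22", "198.51.100.7"):
        print(classify(policy_line(remote), ZONE, resolver=FAKE_DNSBL.get))
```

Note on the design: the guard runs before the lookup, not after, so a misconfigured proxy or a local test client can at worst produce a `skip-local` line in your own log. The returned DNSBL answer is kept because lists encode the listing reason in the last octet (127.0.0.x); which values mean what is defined by each list, so check its documentation before mapping an answer to a block.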