I'm running dovecot 2.2.13 under Debian 8. I'd like to force an immediate TCP socket disconnect after any imap login attempt that fails. Right now, if invalid credentials are supplied during an imap login, the client can keep retrying logins with different credentials. However, I want to prevent that from occurring by causing the socket connection to be closed as soon as there is any failed login attempt. I haven't been able to find any dovecot configuration setting which could control this behavior, but I'm hoping that I just missed something. Thank you very much for any suggestions. -- hippoman at gmail.com Take a hippopotamus to lunch today. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20220523/6e371ade/attachment-0001.htm>
hi at zakaria.website
2022-May-23 19:26 UTC
Force TCP socket disconnect on imap login failure?
On 2022-05-23 20:11, Lloyd Zusman wrote:> I'm running dovecot 2.2.13 under Debian 8. > > I'd like to force an immediate TCP socket disconnect after any imap > login attempt that fails. > > Right now, if invalid credentials are supplied during an imap login, > the client can keep retrying logins with different credentials. > However, I want to prevent that from occurring by causing the socket > connection to be closed as soon as there is any failed login attempt. > > I haven't been able to find any dovecot configuration setting which > could control this behavior, but I'm hoping that I just missed > something. > > Thank you very much for any suggestions. > > -- > hippoman at gmail.com > Take a hippopotamus to lunch today.Hi there, Try CSF firewall. Make sure to enable Login Failure Detection and Max Retries Per X Minutes, and notice with such option set, it will permenantly block the IP addresses that exceeds maximum login failures in the specified interval. Anyhow, my personal recommendation in terms of security, its to use web mail and limit login attempts per minutes and for higher security, setup a VPN and disallow access to the web mail except through the VPN. Good luck. Zakaia.
Look at fail2ban. Should be able to do that for you. Jan Hugo On 5/23/22 21:11, Lloyd Zusman wrote:> I'm running dovecot 2.2.13 under Debian 8. > > I'd like to force an immediate TCP socket disconnect after any imap > login attempt that fails. > > Right now, if invalid credentials are supplied during an imap login, > the client can keep retrying logins with different credentials. > However, I want to prevent that from occurring by causing the socket > connection to be closed as soon as there is any failed login attempt. > > I haven't been able to find any |dovecot| configuration setting which > could control this behavior, but I'm hoping that I just missed something. > > Thank you very much for any suggestions. > > -- > hippoman at gmail.com > ?Take a hippopotamus to lunch today.-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20220523/e7733740/attachment.htm>
On Mon, May 23, 2022 at 03:11:46PM -0400, Lloyd Zusman wrote:> I'm running dovecot 2.2.13 under Debian 8. > > I'd like to force an immediate TCP socket disconnect after any imap login > attempt that fails. > > Right now, if invalid credentials are supplied during an imap login, the > client can keep retrying logins with different credentials. However, I want > to prevent that from occurring by causing the socket connection to be > closed as soon as there is any failed login attempt. > > I haven't been able to find any dovecot configuration setting which could > control this behavior, but I'm hoping that I just missed something. > > Thank you very much for any suggestions. > -- > hippoman at gmail.com > Take a hippopotamus to lunch today.I read the whole thread and other's suggestion. On Linux using ipsets with iptables; sets/maps with nftables is more efficient. Paul Kudla's response is pretty much on the mark and his solution is quiet thorough. Your requirement of closing the socket on bad auth attempt is always best done from the application in question rather than using other tools like - it works, but it is a workaround. Your suggestion of making changes to dovecot itself will only create extra work for you, you will have to patch upstream every time there is a new release. Out of tree customizations should really be maintained only under extreme situations. Instead you can look at nginx imap proxy which will allow you to close the connection on bad auth before it even reaches over to dovecot. However, you will have to write some code to make it work. I have not tried doing it myself, but, I can think of using perl mojolicious + redis which re-uses Paul's ideas to do the job. And finally my personal opinion about blocking, I do not believe in them anymore. A decade ago I used to use iptables "recent" module to restrict SSH access. Now, brute force login attempts are so ubiquitous and distributed against all availables services that it just isn't worth indulging in the cat-and-mouse game. Instead I go with the belief that users will get cracked/hacked eventually, so what can I do to minimize the pain when that happens? How fast can I recover their emails from backup? How can I segregate the compromised account from affecting other systems? These are the questions that I ponder upon, but that's just me. I hope this helps some how. Take care, Didar -- Demand the establishment of the government in its rightful home at Disneyland.