search for: weakforc

Hi, I'm trying to set Weakforced with Dovecot and I cannot log in policy server. This is the config: /root/weakforced/wforce/wforce.conf ----------------------------------- ... webserver("0.0.0.0:8084", "super") ... /etc/dovecot/conf.d/95-policy.conf ---------------------------------- auth_policy_server_ur...

Hi Aki, I've configured in this way: vm-weakforced:~# printf 'wforce:super' | base64 d2ZvcmNlOnN1cGVy vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf auth_policy_server_url = http://localhost:8084/ auth_policy_hash_nonce = some random string auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy With the sam...

..._server_api_header = "Authorization: Basic d2ZvcmNlOkJydHpUNlRuTkZ4UUU=" the authorization blob is basically printf 'wforce:super' | base64 Aki > On 16 January 2019 at 10:06 alberto bersol <alberto at bersol.info> wrote: > > > Hi, > I'm trying to set Weakforced with Dovecot and I cannot log in policy > server. This is the config: > > /root/weakforced/wforce/wforce.conf > ----------------------------------- > ... > webserver("0.0.0.0:8084", "super") > ... > > /etc/dovecot/conf.d/95-policy.conf > ------...

Did you miss the closing quote from api_header? Also, can you turn on auth_debug=yes? Aki > On 16 January 2019 at 12:05 alberto bersol <alberto at bersol.info> wrote: > > > Hi Aki, > > I've configured in this way: > > vm-weakforced:~# printf 'wforce:super' | base64 > d2ZvcmNlOnN1cGVy > > vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf > auth_policy_server_url = http://localhost:8084/ > auth_policy_hash_nonce = some random string > auth_policy_server_api_header = "Authorization: Basic...

I've been playing with weakforced, so it fills in the 'fail2ban across a cluster' niche (not to mention RBLs). It seems to work well, once you've actually read the docs :) I was curious if anyone had played with it and was *very* curious if anyone was using it in high traffic production. Getting things to 'work...

On 19.07.2017 02:38, Mark Moseley wrote: > I've been playing with weakforced, so it fills in the 'fail2ban across a > cluster' niche (not to mention RBLs). It seems to work well, once you've > actually read the docs :) > > I was curious if anyone had played with it and was *very* curious if anyone > was using it in high traffic production. Getti...

On Tue, Jul 18, 2017 at 10:40 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > On 19.07.2017 02:38, Mark Moseley wrote: > > I've been playing with weakforced, so it fills in the 'fail2ban across a > > cluster' niche (not to mention RBLs). It seems to work well, once you've > > actually read the docs :) > > > > I was curious if anyone had played with it and was *very* curious if > anyone > > was using it in...

Below is an answer by the current weakforced main developer. It overlaps partly with Samis answer. ---snip--- > Do you have any hints/tips/guidelines for things like sizing, both in a > per-server sense (memory, mostly) and in a cluster-sense (logins per sec :: > node ratio)? I'm curious too how large is quite large. Not look...

...;ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from <a href="https://github.com/PowerDNS/weakforced">https://github.com/PowerDNS/weakforced</a>. <br> </div> <div dir="ltr"> <br> </div> <div> I see instructions at the Authentication policy support page,...

wforce is the username always. auth_policy_hash_nonce should be set to a pseudorandom value that is shared by your server(s). Weakforced does not need it for anything. auth_policy_server_api_header should be set to Authorization: Basic <echo -n wforce:our_password | base64> without the < >. Aki On 6.3.2019 20.42, Robert Kudyba via dovecot wrote: > I took suggestions from?https://forge.puppet.com/fraenki/wforce t...

Hi list hope it's okay to ask weakforced questions here as well, but I could not find a dedicated mailinglist for wforce. I want to enable GeoIP lookups in my wforce daemon. In a first step I installed luarocks and lua-compat53 to install mmdblua module. Then I added newGeoIP2DB("country", "/usr/local/share/GeoIP/GeoLit...

...haven?t included the libmaxmind libraries before > running configure. GeoIP support is only compiled in if it finds the > right libs. > > This would be?libmaxminddb-dev on Ubuntu for example. > > Neil > >>> Hi list >>> >>> hope it's okay to ask weakforced questions here as well, but I could not >>> find a dedicated mailinglist for wforce. >>> >>> I want to enable GeoIP lookups in my wforce daemon. In a first step I >>> installed luarocks and lua-compat53 to install mmdblua module. >>> Then I added >&...

.... I do not believe the >> agents behind these login attempts are only targeting me, hence the >> addresses should be shared via a dnsbl. > > Probably there's an existing solution for both problems (subsequent > attempts and dnsbl): > >> https://github.com/PowerDNS/weakforced "The goal of 'wforce' is to detect brute forcing of passwords across many servers" The problem is not detecting but blocking. Dovecot has no mechanism for using the data; Dovecot needs DNSBL capability. I tested a small sample of my IMAP hackers using the lists I use for...

On 02.08.2017 23:35, Daniel Miller wrote: > Is there explicit documentation available for the (probably trivial) configuration needed for Dovecot and Wforce? I'm probably missing something that should be perfectly obvious... > > Wforce appears to start without errors. I added a file to dovecot's conf.d: > > 95-policy.conf: > auth_policy_server_url =

On 8/4/2017 12:48 PM, Daniel Miller wrote: > On 8/3/2017 6:11 AM, Teemu Huovila wrote: >> >> On 02.08.2017 23:35, Daniel Miller wrote: >>> Is there explicit documentation available for the (probably trivial) >>> configuration needed for Dovecot and Wforce? I'm probably missing >>> something that should be perfectly obvious... >>>

On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: > Weakforced uses Lua so you can easily integrate DNSBL support into it. How does this help Dovecot block? A link to some documentation or example perhaps? > We will not add DNSBL support to dovecot at this time. Is there a reason why you will not support this RFE?

From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g. By default in 2.3.1 this looks like: login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s But you can add additional parameters: login=%{requested_username} pwhash=%{hashed_password} remote=%{rip}

...gt; > > On 27.09.2017 20:14, Mark Moseley wrote: > > On Wed, Sep 27, 2017 at 10:03 AM, Marcus Rueckert <darix at opensu.se> > wrote: > > > >> On 2017-09-27 16:57:44 +0000, Mark Moseley wrote: > >>> I've been digging into the auth policy stuff with weakforced lately. > >> There > >>> are cases (IP ranges, so could be wrapped up in remote {} blocks) where > >>> it'd be nice to skip the auth policy (internal hosts that I can trust, > >> but > >>> that are hitting the same servers as the outside w...

We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I search for these directives, th...

In weakforced you have webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE") Thus, you make the base64 blob as ~$ echo -n wforce:THIS-IS-THE-PASSWORD-FOR-WFORCE | base64 d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U= And in dovecot you put auth_policy_server_api_header =...