On 29/12/2021 07:05, Slavko via mailop wrote:
I am not sure if that matters. IMO, when dovecot's auth policy will
reject the later (with real RIP), the roundcube's content will be empty
(at least I hope), and client's IP will be blocked by fail2ban sooner or
later. Or am I wrong?

From my understanding and tests, the first IMAP login attempt forwarded to dovecot is the actual login to roundcube. Therefore all later IMAP connections happen if and only if the first one was successful (legitimate user, or breach -- password found by attacker).

So I really want dovecot to know the originating IP for the _first_ login attempt. Because brute-force and other attacks are going to fail at the roundcube login phase... until they've tried enough times to guess user passwords.

In order to stop attackers from guessing passwords on roundcube, I need dovecot to know the originating IPs at roundcube login phase. Then when some IP has failed X times to log in to roundcube, dovecot will block it.

*Why not just fail2ban roundcube plugin?*

Brute-force protection can also be achieved by fail2ban, as mentioned by others. But there are scenarios of attackers trying to evade brute-force detection by making password guesses only once in a while, e.g. every 30 minutes in my experience, from many IPs (botnet). See for example this story <https://security.stackexchange.com/questions/174405/someone-is-trying-to-brute-force-my-private-mail-server-very-slowly>.

In such cases of fail2ban bypassing, having a second banning mechanism can bring additional security, or peace of mind -- at least it does for me.

Cheers,
Nico
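
The slow, many-IP guessing pattern discussed in this message, as an added example that is not part of the original email: a per-IP short-window counter (the fail2ban-style check) next to a per-account counter of distinct failing source IPs over a long window. The event tuples, thresholds and window lengths are assumptions chosen for illustration, not Dovecot or fail2ban settings, and the per-account check only works when the real client IP reaches the component doing the counting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source IP, account, login succeeded?)
def build_sample():
    start = datetime(2021, 12, 29, 0, 0)
    events = []
    # Slow, distributed guessing: one failure every 30 minutes, each from a new IP
    for i in range(12):
        events.append((start + timedelta(minutes=30 * i), f"203.0.113.{i + 1}", "alice", False))
    # Noisy single-IP guessing, the pattern a per-IP jail is built for
    for i in range(6):
        events.append((start + timedelta(seconds=10 * i), "198.51.100.7", "bob", False))
    # Legitimate user with one typo followed by a successful login
    events.append((start + timedelta(hours=1), "192.0.2.10", "carol", False))
    events.append((start + timedelta(hours=1, minutes=1), "192.0.2.10", "carol", True))
    return sorted(events)

def sliding_window_hits(events, key, window, threshold, distinct=None):
    """Return keys whose failures within `window` reach `threshold`.
    If `distinct` is given, count distinct values of that field instead of events."""
    recent = defaultdict(list)
    flagged = set()
    for ev in events:
        ts, _ip, _user, ok = ev
        if ok:
            continue
        k = key(ev)
        recent[k].append(ev)
        # Drop failures that have aged out of the window for this key
        recent[k] = [e for e in recent[k] if ts - e[0] <= window]
        count = len({distinct(e) for e in recent[k]}) if distinct else len(recent[k])
        if count >= threshold:
            flagged.add(k)
    return flagged

def per_ip_bans(events):
    # Per-IP check: 5 failures from one IP within 10 minutes (assumed values)
    return sliding_window_hits(events, lambda e: e[1], timedelta(minutes=10), 5)

def per_account_alerts(events):
    # Second mechanism: 8 distinct source IPs failing on one account within 24 hours
    return sliding_window_hits(events, lambda e: e[2], timedelta(hours=24), 8,
                               distinct=lambda e: e[1])

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP bans:", per_ip_bans(sample))
    print("per-account alerts:", per_account_alerts(sample))
```

On the constructed sample, the per-IP check catches only the noisy source, while the per-account check surfaces the account being guessed slowly from twelve different addresses.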

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
