On 2021-12-30 11:00, Nicolas JEAN via mailop wrote:
On 29/12/2021 07:05, Slavko via mailop wrote:

I am not sure if that matters. IMO, when dovecot's auth policy
rejects the later one (with the real RIP), the roundcube's content will be
empty (at least I hope), and the client's IP will be blocked by fail2ban
sooner or later. Or am I wrong?

From my understanding and tests, the first IMAP login attempt
forwarded to dovecot is the actual login to roundcube.
Therefore all later IMAP connections happen if and only if the first
one was successful (legitimate user, or breach -- password found by
attacker).

So I really want dovecot to know the originating IP for the first
login attempt.
Because brute-force and other attacks are going to fail at the
roundcube login phase... until they've tried enough times to guess
user passwords.

In order to stop attackers from guessing passwords on roundcube, I
need dovecot to know the originating IPs at roundcube login phase.
Then when some IP has failed X times to log in to roundcube, dovecot
will block it.

Why not just fail2ban roundcube plugin?

Brute-force protection can also be achieved by fail2ban, as mentioned
by others.
But there are scenarios of attackers trying to evade brute-force
detection by making password guesses only once in a while, e.g. every
30 minutes in my experience, from many IPs (botnet). See for example
this story [1].

Current strategy is for the bot farms to spread out the requests quite a bit, 5268 in the case below.

Blocking t=28800 r=1 b=11 p=3 u=2 l=1 [ablk] [Aa123456] 3,1 attempts in 5268,0 seconds 87.87.1.230/32 0

I look back 24 hours for the same IP address trying multiple username and multiple passwords.

   p=3 u=2

Works well.

   Pending: 1292, Blocked: 2067


In such cases of fail2ban bypassing, having a second banning mechanism
can bring additional security, or peace of mind -- at least it does
for me.

Cheers,
Nico


Links:
------
[1] https://security.stackexchange.com/questions/174405/someone-is-trying-to-brute-force-my-private-mail-server-very-slowly
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
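The thread contrasts fail2ban's short observation window with the 24-hour look-back described above (same IP, multiple usernames, multiple passwords; the "p=3 u=2" thresholds). The following is an added illustration, not code posted in the thread and not part of fail2ban, dovecot or roundcube: it aggregates failed logins per source IP over a configurable window and flags sources that spread their guesses across users and time. The log format (`<ISO timestamp> auth failed user=<name> rip=<ip>`), the sample lines and the thresholds are constructed assumptions; a real deployment would parse the actual dovecot or roundcube log line, and, per Nico's point, only works if the logged `rip` is the client's originating address rather than the webmail host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events (not real log output).
# Assumed line format: "<ISO timestamp> auth failed user=<name> rip=<source IP>".
# 203.0.113.5 guesses slowly, ~30 minutes apart, across two usernames.
# 198.51.100.7 has one hit inside the window and one older than 24 hours.
# 192.0.2.9 hammers a single user within seconds (the classic fail2ban case).
SAMPLE_LOG = """\
2021-12-29T01:00:00 auth failed user=alice rip=203.0.113.5
2021-12-29T01:31:00 auth failed user=alice rip=203.0.113.5
2021-12-29T02:02:00 auth failed user=bob rip=203.0.113.5
2021-12-29T03:00:00 auth failed user=carol rip=198.51.100.7
2021-12-28T02:00:00 auth failed user=dave rip=198.51.100.7
2021-12-29T04:00:00 auth failed user=alice rip=192.0.2.9
2021-12-29T04:00:02 auth failed user=alice rip=192.0.2.9
2021-12-29T04:00:04 auth failed user=alice rip=192.0.2.9
"""

# Reference time for the window; constructed to match the sample above.
NOW = datetime(2021, 12, 29, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth failed user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, source IP, username) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("user")


def slow_bruteforce_sources(log_text, now, window=timedelta(hours=24),
                            min_attempts=3, min_users=2):
    """Group failures by source IP inside [now - window, now] and flag IPs
    with at least `min_attempts` failures spread over at least `min_users`
    distinct usernames. Returns {ip: {"attempts", "usernames", "span_seconds"}}."""
    cutoff = now - window
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that are not auth failures
        ts, ip, user = parsed
        if cutoff <= ts <= now:
            per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        users = {u for _, u in events}
        if len(events) >= min_attempts and len(users) >= min_users:
            times = sorted(t for t, _ in events)
            flagged[ip] = {
                "attempts": len(events),
                "usernames": sorted(users),
                "span_seconds": (times[-1] - times[0]).total_seconds(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in slow_bruteforce_sources(SAMPLE_LOG, NOW).items():
        print(f"{ip}: {info['attempts']} attempts, users={info['usernames']}, "
              f"spread over {info['span_seconds']:.0f}s")
```

With the 24-hour window only 203.0.113.5 is reported: three failures against two accounts spread over about an hour, which a short findtime would never accumulate. Shrinking the window to ten minutes reports nothing, because the rapid-fire source 192.0.2.9 targets a single account and is left to the ordinary per-user/per-IP rule that fail2ban already covers; the two mechanisms are complementary rather than interchangeable, which is the point of running both.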