Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread John Hardin 

On Tue, 24 May 2022, Hippo Man wrote:


I have already been doing the following for the past year or so: as soon as
I detect (via my own, homegrown fail2ban-like log monitoring utility) what
I deem to be attempts to log in via imap or pop3 with a dictionary password
attack, I immediately do a DROP via iptables. Yes, this will block all
future connection attemps from the same host, but unfortunately, it doesn't
stop the following scenario, which regularly occurs on my server ...

* Hacker connects via imap or pop3 to my server.
* Hacker makes numerous login attempts one after the other with various
passwords, and without disconnecting in between attempts. I've seen 10 and
more of these repeated attempts rapidly during a single imap or pop3
connection.

Simply using iptables to DROP or REJECT the connection does not prevent
those repeated login attempts during the original imap or pop3 session.
Again, this only prevents *future* connections via that host.


It should block all subsequent packets received from that IP address, 
immediately. An in-process connection would appear (to the client) to 
hang.


Either there is an ACCEPT rule for related traffic somewhere in the chain 
before your new DROP rule, which is matching first and allowing the 
existing connection's packets through, or your DROP rule is malformed and 
not actually matching the traffic.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 724 days since the first private commercial manned orbital mission (SpaceX)

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Hippo Man 
Thank you very much. Yes, I did some manual tests via gdb to close the fd
of a connected socket, and indeed the dovecot behavior is not desirable:
this seems to crash dovecot. So I agree that this is not a good approach.

I have already been doing the following for the past year or so: as soon as
I detect (via my own, homegrown fail2ban-like log monitoring utility) what
I deem to be attempts to log in via imap or pop3 with a dictionary password
attack, I immediately do a DROP via iptables. Yes, this will block all
future connection attemps from the same host, but unfortunately, it doesn't
stop the following scenario, which regularly occurs on my server ...

* Hacker connects via imap or pop3 to my server.
* Hacker makes numerous login attempts one after the other with various
passwords, and without disconnecting in between attempts. I've seen 10 and
more of these repeated attempts rapidly during a single imap or pop3
connection.

Simply using iptables to DROP or REJECT the connection does not prevent
those repeated login attempts during the original imap or pop3 session.
Again, this only prevents *future* connections via that host.

So, this is what I am now planning to do ...

I will get the latest dovecot source code and modify it so that dovecot
will disconnect after "N" failed imap or pop3 login attacks, where "N" is
some sort of configuration variable (with a default of zero, meaning do not
disconnect). I will then use this personal version of dovecot with "N" set
to a fairly low value (probably 1!). Furthermore, I will continue to
automatically monitor the logs and perform the same iptables DROP actions
for the failed login attempts. The combination of these two actions will
give me the behavior that I desire.

If this modified, personal version of dovecot actually works the way I am
hoping, I will make a patch available here or wherever is appropriate.

-- 
 hippo...@gmail.com
 Take a hippopotamus to lunch today.


On Tue, May 24, 2022 at 5:13 AM Paul Kudla (SCOM.CA Internet Services Inc.)
 wrote:

>
> closing a socket can leave a process in an undertimed state pending how
> the code reacts
>
> blocking in the background via iptables would just stop traffic and the
> process should die cleanly.
>
> programming 101, network connections at best dont like the plug being
> pulled once they start to talk but if the connection just dies off then
> it is just a network timeout error with no real harm being done.
>
> just a thought.
>
>
>
> Happy Tuesday !!!
> Thanks - paul
>
> Paul Kudla
>
>
> Scom.ca Internet Services 
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 5/23/2022 9:25 PM, John Tulp wrote:
> >
> > i googled a little, i was just curious about your question.
> >
> > found a stackoverflow question which, answered, says that using gdb one
> > can close the fd, after using lsof to find it out.
> >
> > oh, and your iptables command... you have the address aaa. etc with a
> > -d, i think you mean the source ip address of the connection, -s,
> > right ?
> >
> > if you want, i can provide that link.
> >
> >
> >
> > On Mon, 2022-05-23 at 17:16 -0400, Hippo Man wrote:
> >> OOPS! I incorrectly copied and pasted the iptables command in my
> >> previous message. Here is the correct iptables command:
> >>
> >> iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d
> >> aaa.bbb.ccc.ddd -j DROP
> >>
> >>
> >> This command successfully blocks *future* connections to ports 143 and
> >> 993 from that IP address, but as I mentioned, it doesn't kill the
> >> currently open connection.
> >>
> >>
> >>
> >> --
> >>   hippo...@gmail.com
> >>   Take a hippopotamus to lunch today.
> >>
> >>
> >>
> >>
> >> On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:
> >>
> >>  Thank you, but fail2ban doesn't do what I need. Here is
> >>  why ...
> >>
> >>
> >>  I have used fail2ban and also my own homegrown log monitor
> >>  program for this purpose. In both cases, I can detect the
> >>  failed imap logins and then cause the following command to be
> >>  run ...
> >>
> >>
> >>  iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j
> >>  DROP
> >>
> >>
> >>  However, this does not drop connections that are existing and
> >>  already open. It will only drop *future* connections from that
> >>  IP address to port 143.
> >>
> >>
> >>
> >>  This is why I want to kill the existing connection. Even after
> >>  that "iptables" command is issued, the entity which is
> >>  connected to the imap port can continue to send more and more
> >>  imap commands.
> >>
> >>
> >>  If I can drop the TCP connection as soon as an imap login
> >>  fails and also issue that kind of "iptables" command, then the
> >>  client would have to reconnect in order to

Panic: file userdb-blocking with Dovecot 2.3.19

2022-05-24 Thread Niklas Meyer 

Hello all,

since we´ve tested around with the new dovecot release in the mailcow 
project we´ve came across a curious and new error with Dovecot:


/auth: Panic: file userdb-blocking.c: line 124 
(userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL)/


   *System Information:*

   *Dovecot Version: 2.3.19 (b3ad6004dc)**
   *

   *OS: Debian 11 (dovecot is running in a docker container)*

   *CPU: x86*

   *Filesystem: ext4*

The error occurs only with the newest Dovecot release (2.3.19), the 
config hasn´t been changed.


In the Attachment you can find all (hopefully) helpful informations.

Maybe it is a simple fix.

Kind regards and thanks for your help.

--
The mailcow Team
- Niklas
---
The Infrastructure Company GmbH
Parkstr. 42
47877 Willich

Handelsregister: Amtsgericht Krefeld, HRB 15904
USt-IdNr.: DE308854956
Geschäftsführer: Martin Vogt

/*Hinweis: *Der Inhalt dieser E-Mail ist vertraulich und nur für den in 
der Nachricht angegebenen Empfänger bestimmt.
Es ist strengstens untersagt, irgendeinen Teil dieser Nachricht ohne 
schriftliche Zustimmung des Absenders an Dritte weiterzugeben.
Wenn Sie diese Nachricht irrtümlich erhalten haben, antworten Sie bitte 
auf diese Nachricht und folgen Sie mit ihrer Löschung,
so dass wir sicherstellen können, dass ein solcher Fehler in Zukunft 
nicht mehr vorkommt./# 2.3.19 (b3ad6004dc): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.10.0-14-amd64 x86_64 Debian 11.3 
# Hostname: 8e0838557834
auth_master_user_separator = *
auth_mechanisms = plain login
default_client_limit = 10400
default_vsz_limit = 1 G
dict {
  sieve_after = mysql:/etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
  sieve_before = mysql:/etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
  sqlquota = mysql:/etc/dovecot/sql/dovecot-dict-sql-quota.conf
}
doveadm_port = 12345
imap_max_line_length = 2 M
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_attachment_dir = /var/attachments
mail_attachment_fs = crypt:set_prefix=mail_crypt_global:posix:
mail_attribute_dict = file:%h/dovecot-attributes
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/
mail_max_userip_connections = 500
mail_plugins = http://solr:8983/solr/dovecot-fts/
  imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  listescape_char = \
  mail_crypt_global_private_key = # hidden, use -P to show it
  mail_crypt_global_public_key = # hidden, use -P to show it
  mail_crypt_save_version = 2
  mail_log_cached_only = yes
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  master_user = %u
  quota = dict:Userquota::proxy::sqlquota
  quota_rule2 = Trash:storage=+100%%
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = /var/vmail/sieve/%u.sieve
  sieve_after = 
dict:proxy::sieve_after;name=active;bindir=/var/vmail/sieve_after_bindir
  sieve_after2 = /var/vmail/sieve/global_sieve_after.sieve
  sieve_before = /var/vmail/sieve/global_sieve_before.sieve
  sieve_before2 = 
dict:proxy::sieve_before;name=active;bindir=/var/vmail/sieve_before_bindir
  sieve_duplicate_default_period = 1m
  sieve_duplicate_max_period = 7d
  sieve_extensions = +notify +imapflags +vacation-seconds +editheader
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_max_actions = 101
  sieve_max_redirects = 100
  sieve_max_script_size = 1M
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
  sieve_redirect_envelope_from = recipient
  sieve_vacation_default_period = 60s
  sieve_vacation_max_period = 0
  sieve_vacation_min_period = 5s
  sieve_vacation_send_from_recipient = yes
  zlib_save = lz4
}
protocols = imap sieve lmtp pop3
replication_dsync_parameters = -d -l 30 -U -n INBOX
service aggregator {
  fifo_listener replication-notify-fifo {
user = vmail
  }
  unix_listener replication-notify {
user = vmail
  }
}
service auth {
  inet_listener auth-inet {
port = 10001
  }
  unix_listener auth-master {
mode = 0600
user = vmail
  }
  unix_listener auth-userdb {
mode = 0600
user = vmail
  }
  vsz_limit = 2 G
}
service config {
  unix_listener config {
group = vmail
mode = 0660
user = root
  }
}
service dict {
  unix_listener dict {
group = vmail
mode = 0660
user = vmail
  }
}
service doveadm {
  inet_listener {
port = 12345
  }
  vsz_limit = 2 G
}
service imap-login {
  inet_listener imap_haproxy {
haproxy = yes
port = 10143
  }
  inet_listener imaps_haproxy {
haproxy

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread didar 
On Mon, May 23, 2022 at 03:11:46PM -0400, Lloyd Zusman wrote:
> I'm running dovecot 2.2.13 under Debian 8.
> 
> I'd like to force an immediate TCP socket disconnect after any imap login
> attempt that fails.
> 
> Right now, if invalid credentials are supplied during an imap login, the
> client can keep retrying logins with different credentials. However, I want
> to prevent that from occurring by causing the socket connection to be
> closed as soon as there is any failed login attempt.
> 
> I haven't been able to find any dovecot configuration setting which could
> control this behavior, but I'm hoping that I just missed something.
> 
> Thank you very much for any suggestions.
> -- 
>  hippo...@gmail.com
>  Take a hippopotamus to lunch today.

I read the whole thread and other's suggestion.

On Linux using ipsets with iptables; sets/maps with nftables is more efficient.

Paul Kudla's response is pretty much on the mark and his solution is quiet
thorough.

Your requirement of closing the socket on bad auth attempt is always best done
from the application in question rather than using other tools like - it works, 
but
it is a workaround. Your suggestion of making changes to dovecot itself will
only create extra work for you, you will have to patch upstream every time there
is a new release. Out of tree customizations should really be maintained only
under extreme situations.

Instead you can look at nginx imap proxy which will allow you to close the
connection on bad auth before it even reaches over to dovecot. However, you will
have to write some code to make it work. I have not tried doing it myself, but,
I can think of using perl mojolicious + redis which re-uses Paul's ideas to do
the job.

And finally my personal opinion about blocking, I do not believe in them
anymore. A decade ago I used to use iptables "recent" module to restrict SSH
access. Now, brute force login attempts are so ubiquitous and distributed
against all availables services that it just isn't worth indulging in the
cat-and-mouse game. Instead I go with the belief that users will get
cracked/hacked eventually, so what can I do to minimize the pain when that
happens? How fast can I recover their emails from backup? How can I segregate
the compromised account from affecting other systems? These are the questions
that I ponder upon, but that's just me.

I hope this helps some how.

Take care,
Didar

-- 
Demand the establishment of the government in its rightful home at Disneyland.

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Paul Kudla (SCOM.CA Internet Services Inc.) 



closing a socket can leave a process in an undertimed state pending how 
the code reacts


blocking in the background via iptables would just stop traffic and the 
process should die cleanly.


programming 101, network connections at best dont like the plug being 
pulled once they start to talk but if the connection just dies off then 
it is just a network timeout error with no real harm being done.


just a thought.



Happy Tuesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 9:25 PM, John Tulp wrote:


i googled a little, i was just curious about your question.

found a stackoverflow question which, answered, says that using gdb one
can close the fd, after using lsof to find it out.

oh, and your iptables command... you have the address aaa. etc with a
-d, i think you mean the source ip address of the connection, -s,
right ?

if you want, i can provide that link.



On Mon, 2022-05-23 at 17:16 -0400, Hippo Man wrote:

OOPS! I incorrectly copied and pasted the iptables command in my
previous message. Here is the correct iptables command:

iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d
aaa.bbb.ccc.ddd -j DROP


This command successfully blocks *future* connections to ports 143 and
993 from that IP address, but as I mentioned, it doesn't kill the
currently open connection.



--
  hippo...@gmail.com
  Take a hippopotamus to lunch today.




On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:

 Thank you, but fail2ban doesn't do what I need. Here is
 why ...
 
 
 I have used fail2ban and also my own homegrown log monitor

 program for this purpose. In both cases, I can detect the
 failed imap logins and then cause the following command to be
 run ...
 
 
 iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j

 DROP
 
 
 However, this does not drop connections that are existing and

 already open. It will only drop *future* connections from that
 IP address to port 143.
 
 
 
 This is why I want to kill the existing connection. Even after

 that "iptables" command is issued, the entity which is
 connected to the imap port can continue to send more and more
 imap commands.
 
 
 If I can drop the TCP connection as soon as an imap login

 fails and also issue that kind of "iptables" command, then the
 client would have to reconnect in order to retry other login
 attempts. Those future connections would then be successfully
 blocked by that iptables rule.
 
 
 And even if I issue a "tcpdrop" command instead of just the

 "iptables" command, it doesn't kill the already-open
 connection. It just force-blocks future connections.
 
 
 I'm thinking of patching the dovecot source code to create a

 personal version which immediately disconnects from the socket
 after login failure. Of course, I would prefer not to do that,
 if there is another way to accomplish this.
 
 
 
 --

  hippo...@gmail.com
  Take a hippopotamus to lunch today.
 
 
 
 
 On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins

  wrote:
 
 Look at fail2ban.

 Should be able to do that for you.
 
 Jan Hugo
 
 
 On 5/23/22 21:11, Lloyd Zusman wrote:
 
 > I'm running dovecot 2.2.13 under Debian 8.

 > I'd like to force an immediate TCP socket disconnect
 > after any imap login attempt that fails.
 >
 > Right now, if invalid credentials are supplied
 > during an imap login, the client can keep retrying
 > logins with different credentials. However, I want
 > to prevent that from occurring by causing the socket
 > connection to be closed as soon as there is any
 > failed login attempt.
 >
 > I haven't been able to find any dovecot
 > configuration setting which could control this
 > behavior, but I'm hoping that I just missed
 > something.
 >
 > Thank you very much for any suggestions.
 >
 >
 > --
 >  hippo...@gmail.com
 >  Take a hippopotamus to lunch today.
 >

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Paul Kudla (SCOM.CA Internet Services Inc.) 



"-j REJECT --reject-with
tcp-reset" instead of DROP

are valid ideas

consider that if you update (in the background) and block the connection 
then dovecot (or any other process) should just block the traffic and 
timeout to close the connection anyways


fyi ??



Happy Tuesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/24/2022 12:18 AM, Péter Márton wrote:


Just for clarification (this probably won't help achieve your primary
goal to reset the connections):
Iptables can block future connections _and_ stop existing connections
to receive (and send) packets (even the command you posted). What it
can't do is closing existing connections (sending a FIN).
If the example you show can not block existing connections you have
somewhere before the chain a RELATED, ESTABLISHED rule with ACCEPT as
target. This is a common mistake. Your fail2ban rules have to come
_before_ you check for related and established connections.

I never tested this, but you could try using "-j REJECT --reject-with
tcp-reset" instead of DROP. Then at least a RST would be sent.

Hippo Man  ezt írta (időpont: 2022. máj. 23., H, 23:17):


OOPS! I incorrectly copied and pasted the iptables command in my previous 
message. Here is the correct iptables command:

iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d 
aaa.bbb.ccc.ddd -j DROP

This command successfully blocks *future* connections to ports 143 and 993 from 
that IP address, but as I mentioned, it doesn't kill the currently open 
connection.

--
  hippo...@gmail.com
  Take a hippopotamus to lunch today.


On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:


Thank you, but fail2ban doesn't do what I need. Here is why ...

I have used fail2ban and also my own homegrown log monitor program for this 
purpose. In both cases, I can detect the failed imap logins and then cause the 
following command to be run ...

iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP

However, this does not drop connections that are existing and already open. It 
will only drop *future* connections from that IP address to port 143.

This is why I want to kill the existing connection. Even after that "iptables" 
command is issued, the entity which is connected to the imap port can continue to send 
more and more imap commands.

If I can drop the TCP connection as soon as an imap login fails and also issue that kind 
of "iptables" command, then the client would have to reconnect in order to 
retry other login attempts. Those future connections would then be successfully blocked 
by that iptables rule.

And even if I issue a "tcpdrop" command instead of just the "iptables" command, 
it doesn't kill the already-open connection. It just force-blocks future connections.

I'm thinking of patching the dovecot source code to create a personal version 
which immediately disconnects from the socket after login failure. Of course, I 
would prefer not to do that, if there is another way to accomplish this.

--
  hippo...@gmail.com
  Take a hippopotamus to lunch today.


On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins  wrote:


Look at fail2ban.
Should be able to do that for you.

Jan Hugo


On 5/23/22 21:11, Lloyd Zusman wrote:

I'm running dovecot 2.2.13 under Debian 8.

I'd like to force an immediate TCP socket disconnect after any imap login 
attempt that fails.

Right now, if invalid credentials are supplied during an imap login, the client 
can keep retrying logins with different credentials. However, I want to prevent 
that from occurring by causing the socket connection to be closed as soon as 
there is any failed login attempt.

I haven't been able to find any dovecot configuration setting which could 
control this behavior, but I'm hoping that I just missed something.

Thank you very much for any suggestions.

--
  hippo...@gmail.com
  Take a hippopotamus to lunch today.

Re: doveadm mailbox status -u p...@scom.ca -t all (syntax)

2022-05-24 Thread Paul Kudla (SCOM.CA Internet Services Inc.) 



yes did thanks

doveadm [-f formatter] mailbox status [-A|-u user|-F file] [-S 
socket_path] [-t] fields mailbox ...


My apologies for being so stupid, in the cyrus days (myhead is still 
stuck there) the mbox name was also the username


I am still seperating that in my head.

Noted for future 



Happy Tuesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/24/2022 4:51 AM, Aki Tuomi wrote:


You might want to add `INBOX` to the command?

Aki


On 24/05/2022 00:34 Paul Kudla (SCOM.CA Internet Services Inc.)  
wrote:

  
Ok I know this is a general question and at my level I should be able to

figure this out

all i want is the complete status of an inbox ?





# doveadm mailbox status -u p...@scom.ca -t all

keeps returning 


doveadm mailbox status [-u |-A] [-S ] 
 [...]

ie no specific error.

and no status answer

just looking for default info ?


--


Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Jochen Bern 

On 24.05.22 09:36, Jan Hugo Prins wrote:
- The below commands drops ALL future connections to the IMAP ports and 
not just the one from that specific IP address.


On 5/23/22 23:16, Hippo Man wrote:
OOPS! I incorrectly copied and pasted the iptables command in my 
previous message. Here is the correct iptables command:


iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d 
aaa.bbb.ccc.ddd -j DROP


This command successfully blocks *future* connections to ports 143 and 
993 from that IP address, but as I mentioned, it doesn't kill the 
currently open connection.


That's because the "correct" iptables command still uses "-d" instead of 
the "-s" that'd match the "*from* that IP address" specification. ;-)


Even if you don't have a tool at hand that can tear down the existing 
TCP connection, and don't want to give up the ESTABLISHED-ACCEPT rule's 
priority (it's some additional burden to the CPU to match *all* incoming 
IMAP(S) packets against the blocklist, after all), you could always 
render it effectively unusable by setting a (blackhole) host route for 
the IP.


Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


smime.p7s
Description: S/MIME Cryptographic Signature

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Paul Kudla (SCOM.CA Internet Services Inc.) 



for what its worth this is a python script that i use for the database 
driven iptables updater for my asterisk server


again same ideas but it gets the job done.

It's a lot of work to get stuff like this going but may help point 
someone in the right directions balance wise pending on there system / 
network setup.


The django script is intelligent as it looks at the ip addresses already 
blacklisted and updates the list adding or subtracting ip address 
changes within the database


can answer in more detail, mainly for reference.

example iptables output :

# /sbin/iptables -L INPUT -n | more
Chain INPUT (policy ACCEPT)
target prot opt source   destination
ACCEPT all  --  92.204.135.144   0.0.0.0/0
ACCEPT all  --  104.205.0.0/16   0.0.0.0/0
ACCEPT all  --  174.95.0.0/160.0.0.0/0
ACCEPT all  --  174.94.0.0/160.0.0.0/0
ACCEPT all  --  174.93.0.0/160.0.0.0/0
ACCEPT all  --  174.92.0.0/160.0.0.0/0
ACCEPT all  --  174.91.0.0/160.0.0.0/0
ACCEPT all  --  174.90.0.0/160.0.0.0/0
ACCEPT all  --  174.89.0.0/160.0.0.0/0
ACCEPT all  --  174.88.0.0/160.0.0.0/0
ACCEPT all  --  209.171.88.0/24  0.0.0.0/0
ACCEPT all  --  72.12.174.2300.0.0.0/0
ACCEPT all  --  72.136.0.0/160.0.0.0/0
ACCEPT all  --  10.0.0.0/8   0.0.0.0/0
ACCEPT all  --  67.171.153.140   0.0.0.0/0
ACCEPT all  --  99.235.148.110   0.0.0.0/0
ACCEPT all  --  67.69.69.0/240.0.0.0/0
ACCEPT all  --  204.237.0.0/16   0.0.0.0/0
ACCEPT all  --  65.39.148.0/25   0.0.0.0/0
ACCEPT all  --  72.143.119.178   0.0.0.0/0
ACCEPT all  --  99.244.67.2440.0.0.0/0
ACCEPT all  --  69.60.225.80 0.0.0.0/0
ACCEPT all  --  198.200.68.0/24  0.0.0.0/0
ACCEPT all  --  185.58.85.0/24   0.0.0.0/0
ACCEPT all  --  172.97.0.0/160.0.0.0/0
ACCEPT all  --  184.151.0.0/16   0.0.0.0/0
DROP   tcp  --  0.0.0.0/00.0.0.0/0   tcp dpt:5038
DROP   tcp  --  0.0.0.0/00.0.0.0/0   tcp dpt:80
DROP   all  --  213.175.208.0/24 0.0.0.0/0
DROP   all  --  50.24.0.0/24 0.0.0.0/0
DROP   all  --  20.98.78.0/240.0.0.0/0
DROP   all  --  116.106.197.0/24 0.0.0.0/0
DROP   all  --  45.95.169.0/24   0.0.0.0/0
DROP   all  --  193.253.211.0/24 0.0.0.0/0
DROP   all  --  65.49.20.0/240.0.0.0/0
DROP   all  --  107.189.1.0/24   0.0.0.0/0
DROP   all  --  107.189.3.0/24   0.0.0.0/0
DROP   all  --  209.141.51.0/24  0.0.0.0/0
DROP   all  --  75.119.155.0/24  0.0.0.0/0
DROP   all  --  45.133.1.0/240.0.0.0/0
DROP   all  --  185.166.84.0/24  0.0.0.0/0
DROP   all  --  116.105.218.0/24 0.0.0.0/0
DROP   all  --  216.37.36.0/24   0.0.0.0/0
DROP   all  --  216.245.220.0/24 0.0.0.0/0
DROP   all  --  205.185.121.0/24 0.0.0.0/0


based on django model(s)

#IP Blacklistings   
class IpBlock(models.Model):
id  = models.AutoField(primary_key=True)
	ipaddress 		= models.CharField(verbose_name='IP Address', 
max_length=40, null=True, blank=False,unique=False)
	action  	= models.CharField(max_length=15, 
choices=ip_action_choices, verbose_name='Firewall', default = 'D', 
null=True, blank=True)
	syslog			= models.TextField(verbose_name='Last Syslog', 
max_length=1000, null=True, blank=True, default = '')
	whois			= models.TextField(verbose_name='Whois', max_length=1500, 
null=True, blank=True, default = '')

asterisk= models.BooleanField('Asterisk', default = 
False )
	last_datetime	= models.DateTimeField(verbose_name='Date Last Updated 
Server', null=True, blank=True, default = timezone.now)
	accountid	= models.ForeignKey(Contacts,verbose_name='Reference', 
default = '2594',null=False, blank=True,related_name = 'blacklist_soldto')
	syslog2			= models.TextField(verbose_name='Last Syslog', 
max_length=1000, null=True, blank=True, default = 'Denied due to 
Unauthorized Use')
	last_program	= models.CharField(verbose_name='Last Program', 
max_length=20, null=True, blank=True, default = '')




class Meta:
ordering = ['ipaddress',]
db_table = u'blocked_ip'
verbose_name = u"Currently Blocked IP's"
verbose_name_plural = u"Currently Blocked Ip's"

class IpCount(models.Model):
	ipaddress = models.GenericIPAddressField(verbose_name='IP Address', 
max_length=17,blank=False,primary_key=True, unique=True)
	counthour   			= models.IntegerField(verbose_name='Current IP Count 
This Hour', null=True, blank=True, default='0')
	counttotal  			= models.IntegerField(verbose_name='Total IP Count This 
Month', null=True, blank=True, default='0')
	asterisk_counthour   	= models.IntegerField(verbose_name='Asterisk

Re: doveadm mailbox status -u p...@scom.ca -t all (syntax)

2022-05-24 Thread Aki Tuomi 
You might want to add `INBOX` to the command?

Aki

> On 24/05/2022 00:34 Paul Kudla (SCOM.CA Internet Services Inc.) 
>  wrote:
> 
>  
> Ok I know this is a general question and at my level I should be able to 
> figure this out
> 
> all i want is the complete status of an inbox ?
> 
> 
> 
> 
> 
> # doveadm mailbox status -u p...@scom.ca -t all
> 
> keeps returning 
> 
> 
> doveadm mailbox status [-u |-A] [-S ]  
>  [...]
> 
> ie no specific error.
> 
> and no status answer
> 
> just looking for default info ?
> 
> 
> -- 
> 
> 
> Happy Monday !!!
> Thanks - paul
> 
> Paul Kudla
> 
> 
> Scom.ca Internet Services 
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
> 
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Jan Hugo Prins 

Just a few comments.

- The below commands drops ALL future connections to the IMAP ports and 
not just the one from that specific IP address.
- It all depends on the ordering of the rest of your iptables rules. A 
lot of iptables setups have an accept related / established in the top 
of the INPUT chain and then indeed the traffic will continue as long as 
the connection is established. If you put a correct drop rule in the top 
of your iptables INPUT chain it will block all traffic including any 
related/established.


Fail2Ban is able to insert such a drop rule in the top of the INPUT 
chain and thereby block all further tries.

This is exactly how I have setup my fail2ban and it works.

The first few lines of my iptables input chain look like this:

  29M 2249M f2b-dovecot  tcp  --  *  * 0.0.0.0/0    
0.0.0.0/0    multiport dports 110,143,993,995
9969K 2545M f2b-sasl   tcp  --  *  *   0.0.0.0/0 
0.0.0.0/0    multiport dports 25,465

9691K 2788M ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
 134M  257G ACCEPT all  --  *  *   0.0.0.0/0 
0.0.0.0/0    state RELATED,ESTABLISHED


Jan Hugo Prins


On 5/23/22 23:16, Hippo Man wrote:
OOPS! I incorrectly copied and pasted the iptables command in my 
previous message. Here is the correct iptables command:


iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d 
aaa.bbb.ccc.ddd -j DROP


This command successfully blocks *future* connections to ports 143 and 
993 from that IP address, but as I mentioned, it doesn't kill the 
currently open connection.


--
hippo...@gmail.com
 Take a hippopotamus to lunch today.


On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:

Thank you, but fail2ban doesn't do what I need. Here is why ...

I have used fail2ban and also my own homegrown log monitor program
for this purpose. In both cases, I can detect the failed imap
logins and then cause the following command to be run ...

iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP

However, this does not drop connections that are existing and
already open. It will only drop *future* connections from that IP
address to port 143.

This is why I want to kill the existing connection. Even after
that "iptables" command is issued, the entity which is connected
to the imap port can continue to send more and more imap commands.

If I can drop the TCP connection as soon as an imap login fails
and also issue that kind of "iptables" command, then the client
would have to reconnect in order to retry other login attempts.
Those future connections would then be successfully blocked by
that iptables rule.

And even if I issue a "tcpdrop" command instead of just the
"iptables" command, it doesn't kill the already-open connection.
It just force-blocks future connections.

I'm thinking of patching the dovecot source code to create a
personal version which immediately disconnects from the socket
after login failure. Of course, I would prefer not to do that, if
there is another way to accomplish this.

-- 
hippo...@gmail.com

 Take a hippopotamus to lunch today.


On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins 
wrote:

Look at fail2ban.
Should be able to do that for you.

Jan Hugo


On 5/23/22 21:11, Lloyd Zusman wrote:

I'm running dovecot 2.2.13 under Debian 8.

I'd like to force an immediate TCP socket disconnect after
any imap login attempt that fails.

Right now, if invalid credentials are supplied during an imap
login, the client can keep retrying logins with different
credentials. However, I want to prevent that from occurring
by causing the socket connection to be closed as soon as
there is any failed login attempt.

I haven't been able to find any |dovecot| configuration
setting which could control this behavior, but I'm hoping
that I just missed something.

Thank you very much for any suggestions.

-- 
hippo...@gmail.com

 Take a hippopotamus to lunch today.

Re: Force TCP socket disconnect on imap login failure?

2022-05-24 Thread Thomas Zajic 

* Hippo Man, 23.05.22 22:54


[...] However, this does not drop connections that are existing and
already open. It will only drop *future* connections from that IP
address to port 143.

This is why I want to kill the existing connection. Even after that
"iptables" command is issued, the entity which is connected to the
imap port can continue to send more and more imap commands. [...]

If your version of 'ss' is recent anough, you can use 'ss -k' to
instantly kill an open connection. Other tools you could try are
'killcx' and 'tcpkill' (part of the 'dsniff' toolkit):

http://killcx.sourceforge.net/
https://www.monkey.org/~dugsong/dsniff/

HTH
Thomas