  1. #1 mibrahim (Just Joined!, joined Aug 2011, 9 posts)

    PAM Authentication


    Hi all

    How can I protect dovect from dictionary attacks? My Dovect server authenticates users from a 389 server (LDAP). Is there any way to prevent a certain IP from making authentication attempts for 1 hour after the third failure?

    Thank you

  2. #2 nplusplus (Linux Newbie, joined Apr 2010, Charlotte, NC, USA, 106 posts)
    Your 389 server should be configured appropriately for account lockouts. If you control the 389 server, have a look here: 7.1. Managing the Password Policy. If you do not control the server, shame on your admin for not implementing account lockout policies.

    N

  3. #3 Mudgen (Linux Enthusiast, joined Feb 2007, Virginia, 664 posts)
    Do you mean dovecot?

  4. #4 mibrahim (Just Joined!, joined Aug 2011, 9 posts)
    Mudgen, yes, I mean dovecot.
    nplusplus, thank you for the link, it was useful, but I want to block the hacker's IP from trying to connect to my dovecot server. The hacker's attacks make the dovecot process take 100% of the server's resources, and users cannot work until I kill the dovecot process and restart the service.

  5. #5 Just Joined! (joined Dec 2009, California, 98 posts)
    I do this on my server. There is a trick, though. You don't want to ban hosts from which a very small number of login failures were received or you'll risk banning legitimate users.

    # Select dovecot PAM auth failures, skip entries with no remote host,
    # strip any ::ffff: IPv4-mapped prefix, keep only the rhost value,
    # then count failures per host and DROP every host with more than 5.
    grep 'tty=dovecot' /var/log/secure | grep -v 'rhost= ' \
      | sed -e 's/.*ffff://' -e 's/.*rhost=//' -e 's/ .*//' \
      | sort | uniq -c | while read count ip
    do
        if [ "$count" -gt 5 ]
        then
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        fi
    done

  6. #6 Mudgen (Linux Enthusiast, joined Feb 2007, Virginia, 664 posts)

    PAM Authentication

    Quote Originally Posted by mibrahim:
    Mudgen, yes, I mean dovecot.
    nplusplus, thank you for the link, it was useful, but I want to block the hacker's IP from trying to connect to my dovecot server. The hacker's attacks make the dovecot process take 100% of the server's resources, and users cannot work until I kill the dovecot process and restart the service.
    You can handle dovecot/imap and other applications/protocols via the REGEXP functionality of denyhosts. Here's a thread that describes a Dovecot-specific regexp:
    https://www.centos.org/modules/newbb...topic_id=23832
    See the second regexp in post 4.

    One thing to watch out for besides low thresholds (per abarclay): if you have a webmail server like Squirrelmail, the attempts will appear to come from 127.0.0.1, so someone banging on your webmail interface could lock out _everything_ trying to use localhost.

    You can also do Dovecot attack protection with fail2ban.

    Edit: Duh. You can put 127.0.0.1 in hosts.allow and avoid the lockout for Squirrelmail or the like, but of course you won't have denyhosts protection for it.
    Last edited by Mudgen; 09-28-2011 at 10:40 PM.
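The counting approach from post #5 and the localhost caveat from post #6, combined in one added example (not code from the thread or from fail2ban/denyhosts): it parses the pam_unix failure lines that the shell pipeline greps for, counts failures per remote host inside a one-hour window, exempts 127.0.0.1 so a webmail front end cannot get everyone locked out, and lists the hosts over the threshold. The log lines, hostnames and addresses are constructed sample data; the regex, the `::ffff:` stripping and the year handling are assumptions about the log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _pam_line(stamp, rhost, user="bob"):
    """Build one constructed /var/log/secure entry in the pam_unix format post #5 greps for."""
    return (f"{stamp} mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
            f"logname= uid=0 euid=0 tty=dovecot ruser= rhost={rhost} user={user}")

# Constructed sample log; syslog stamps carry no year, so the parser takes one explicitly.
SAMPLE_LOG = "\n".join(
    [_pam_line("Sep 28 21:%02d:00" % m, "203.0.113.7") for m in range(5)]    # 5 plain failures
    + [_pam_line("Sep 28 21:05:00", "::ffff:203.0.113.7")]                   # +1 IPv4-mapped form
    + [_pam_line("Sep 28 21:10:00", "198.51.100.4")] * 2                     # 2 failures: under threshold
    + [_pam_line("Sep 28 21:12:00", "127.0.0.1")] * 8                        # webmail on localhost
    + [_pam_line("Sep 28 17:%02d:00" % m, "203.0.113.9") for m in range(7)]  # 7 failures, hours old
    + [_pam_line("Sep 28 21:15:00", "")]                                     # empty rhost, skipped
    + ["Sep 28 21:16:00 mail sshd[42]: Failed password for root from 203.0.113.7 port 1 ssh2"]
)
NOW = datetime(2011, 9, 28, 21, 30)  # "current time" for the constructed sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*pam_unix\(dovecot:auth\): "
    r"authentication failure;.*\btty=dovecot\b.*\brhost=(?P<rhost>\S*)"
)

def parse_failures(text, year):
    """Yield (timestamp, ip) for each dovecot PAM failure that names a remote host."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("rhost"):
            continue  # not a dovecot failure, or rhost was empty (local socket)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("rhost").split("ffff:")[-1]  # strip the ::ffff: IPv4-mapped prefix

def hosts_to_ban(text, now, year, threshold=5, window=timedelta(hours=1),
                 exempt=("127.0.0.1", "::1")):
    """Return sorted IPs with more than `threshold` failures within `window` before `now`.
    `exempt` is post #6's caveat: a webmail front end makes every attempt look like
    localhost, so banning it would lock out all web users at once."""
    counts = defaultdict(int)
    for ts, ip in parse_failures(text, year):
        if ip not in exempt and timedelta(0) <= now - ts <= window:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)

if __name__ == "__main__":
    for ip in hosts_to_ban(SAMPLE_LOG, NOW, 2011):
        print(f"/sbin/iptables -I INPUT -s {ip} -j DROP")  # printed for review, not executed
```

With the sample data only 203.0.113.7 is listed: 198.51.100.4 stays under the threshold, 203.0.113.9's failures are outside the window, and 127.0.0.1 is exempt.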
