- 09-27-2011 #1
PAM authentication
Hi all
How can I protect Dovecot from dictionary attacks? My Dovecot server authenticates users against a 389 server (LDAP). Is there any way to prevent a certain IP from making authentication attempts for 1 hour after the third failure?
Thank you
- 09-27-2011 #2
Your 389 server should be configured appropriately for account lockouts. If you control the 389 server, have a look here: 7.1. Managing the Password Policy. If you do not control the server, shame on your admin for not implementing account lockout policies.
N
- 09-28-2011 #3
- 09-28-2011 #4
Mudgen, yes, I mean Dovecot.
nplusplus, thank you for the link; it was useful, but I want to block the hacker's IP from trying to connect to my Dovecot server. The hacker's attack makes the Dovecot process take 100% of the server's resources, and users cannot work until I kill the Dovecot process and restart the service.
- 09-28-2011 #5
I do this on my server. There is a trick, though. You don't want to ban hosts from which a very small number of login failures were received or you'll risk banning legitimate users.
# Count failed Dovecot PAM logins per remote host in /var/log/secure and
# drop traffic from any host with more than 5 failures. Lines with an empty
# rhost are skipped, and the "::ffff:" prefix of IPv4-mapped addresses is
# stripped so the bare IPv4 address is handed to iptables.
grep "tty=dovecot" /var/log/secure | grep -v "rhost= " \
  | sed -e "s/.*ffff://" -e "s/.*rhost=//" -e "s/ .*//" \
  | sort | uniq -c | while read count ip
do
    if [ "$count" -gt 5 ]
    then
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
- 09-28-2011 #6
PAM Authentication
You can handle dovecot/imap and other applications/protocols via the REGEXP functionality of denyhosts. Here's a thread that describes a Dovecot-specific regexp:
https://www.centos.org/modules/newbb...topic_id=23832
See the second regexp in post 4.
One thing to watch out for besides low thresholds (per abarclay): if you have a webmail server like Squirrelmail, the attempts will appear to come from 127.0.0.1, so someone banging on your webmail interface could lock out _everything_ trying to use localhost.
You can also do Dovecot attack protection with fail2ban.
Edit: Duh. You can put 127.0.0.1 in hosts.allow and avoid the lockout for Squirrelmail or the like, but of course you won't have denyhosts protection for it.
Last edited by Mudgen; 09-28-2011 at 10:40 PM.
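As an added example (not code from this thread or from Dovecot, denyhosts or fail2ban), here is a Python version of the counting logic in abarclay's script that also covers the two points raised above: it applies the original poster's rule of three failures within a sliding one-hour window, and it never bans 127.0.0.1 or ::1, so a webmail front end such as Squirrelmail cannot lock out everything on localhost (Mudgen's caveat). The log lines, the addresses (TEST-NET ranges) and the function names are constructed for the example; the line layout follows the pam_unix "authentication failure" message that Dovecot's PAM auth writes to /var/log/secure.

```python
"""Find remote hosts that failed Dovecot PAM logins too often in a short window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the pam_unix failure line Dovecot's PAM auth writes to /var/log/secure.
# rhost may carry the IPv4-mapped IPv6 prefix "::ffff:", which the thread's sed
# strips; the optional group does the same here. Lines with an empty rhost fail
# to match, like the script's grep -v "rhost= ".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"pam_unix\(dovecot:auth\): authentication failure;.*"
    r"tty=dovecot .*rhost=(?:::ffff:)?(?P<ip>\S+)"
)

# Hosts that must never be banned: a webmail front end on the same box connects
# from localhost, so its failures would otherwise block every local client.
NEVER_BAN = {"127.0.0.1", "::1"}


def parse_failures(lines, year=2011):
    """Yield (timestamp, ip) for each failed Dovecot login among the log lines.
    syslog timestamps carry no year, so the caller supplies it."""
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse "Sep  8" padding
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group("ip")


def hosts_to_ban(lines, threshold=3, window_hours=1, year=2011):
    """Return, in the order they crossed the line, the hosts that reached
    `threshold` failures inside any span of `window_hours` hours."""
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = []
    for ts, ip in sorted(parse_failures(lines, year)):
        if ip in NEVER_BAN or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.append(ip)
    return banned


def iptables_commands(ips):
    """Render the same DROP rule the thread's script inserts, one per host.
    Running them (and removing them an hour later) is left to the caller."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def _fail(ts, user, rhost):
    # Builds one constructed failure line in the /var/log/secure format above.
    return (f"Sep 28 {ts} mail dovecot-auth: pam_unix(dovecot:auth): "
            f"authentication failure; logname= uid=0 euid=0 tty=dovecot "
            f"ruser={user} rhost={rhost}")


# Constructed sample log: one host hammering three accounts in seconds, one
# user failing once every hour or so, webmail failures from localhost, and an
# unrelated sshd failure that must be ignored.
SAMPLE_LOG = [
    _fail("09:00:00", "bob", "198.51.100.7"),
    _fail("10:00:01", "alice", "::ffff:203.0.113.5"),
    _fail("10:00:05", "admin", "203.0.113.5"),
    _fail("10:00:09", "root", "::ffff:203.0.113.5"),
    _fail("10:15:00", "carol", "127.0.0.1"),
    _fail("10:15:02", "carol", "127.0.0.1"),
    _fail("10:15:04", "carol", "127.0.0.1"),
    _fail("10:30:00", "bob", "198.51.100.7"),
    "Sep 28 10:31:00 mail sshd[2201]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9",
    _fail("11:45:00", "bob", "198.51.100.7"),
]

if __name__ == "__main__":
    for cmd in iptables_commands(hosts_to_ban(SAMPLE_LOG)):
        print(cmd)
```

On the sample data only 203.0.113.5 is banned: bob's three failures are spread over nearly three hours and never fall inside one window, and the localhost failures are skipped outright. Unlike the cumulative `uniq -c` count, the sliding window lets a legitimate user who mistypes a password occasionally keep working, which is the risk abarclay points out.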