It seems there was some kind of attack against dovecot on my server (CentOS-5.5) with a hundred or so logwatch entries like:

=========================================
**Unmatched Entries**
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webmaster
=========================================
I googled for this, and it seems quite a common occurrence.
Basically, I'm wondering whether this is best met at the dovecot level, or at my firewall? I'm running shorewall, and I see advice to impose a time-interval between successive attempts like these, but I'm not sure of the best way to do this?
On Mon, 23 Aug 2010, Timothy Murphy wrote:
> It seems there was some kind of attack against dovecot on my server (CentOS-5.5) with a hundred or so logwatch entries like:
>
> =========================================
> **Unmatched Entries**
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webmaster
> =========================================
>
> I googled for this, and it seems quite a common occurrence.
>
> Basically, I'm wondering whether this is best met at the dovecot level, or at my firewall? I'm running shorewall, and I see advice to impose a time-interval between successive attempts like these, but I'm not sure of the best way to do this?
I can recommend pam_shield for something like this. pam_shield is a generic solution for blocking unsuccessful login attempts. You can specify the number of failures within an interval, and after what grace time the entries are removed. I have been using it for years!
pam_shield by default works by null-routing offending IP addresses, but you can also make it add reject tools in iptables if you prefer this.
Since pam_shield works through pam, it is more efficient than anything that scans logfiles and it will work immediately (and not only after some rescan job). And the most important benefit, it works for any service in pam.
pam_shield is available from RPMforge and requires a minimum of configuration.
Kind regards,
On 08/23/2010 03:58 PM, Rob Kampen wrote:
>> pam_shield is available from RPMforge and requires a minimum of configuration.
>
> Never heard of this one before - just installed and simple to configure. I note that version 0.9.3 was released April 2010 and includes a supposed memory leak fix - maybe time for an update?
Given the overall lower cost of running pam_shield, it makes for a much better solution than denyhosts or fail2ban (for many situations). You just need to be careful that you don't end up DoS'ing yourself, so weigh in some typical scenarios and test in a sandbox environment.
- KB
On Mon, 23 Aug 2010, Karanbir Singh wrote:
> On 08/23/2010 03:58 PM, Rob Kampen wrote:
>>> pam_shield is available from RPMforge and requires a minimum of configuration.
>>
>> Never heard of this one before - just installed and simple to configure. I note that version 0.9.3 was released April 2010 and includes a supposed memory leak fix - maybe time for an update?
>
> Given the overall lower cost of running pam_shield, it makes for a much better solution than denyhosts or fail2ban (for many situations). You just need to be careful that you don't end up DoS'ing yourself, so weigh in some typical scenarios and test in a sandbox environment.
You can whitelist known IP addresses (or FQDNs), but indeed there is the possibility that someone else (from your IP address) can DOS you as it is IP-based. Although that risk is limited, you need to understand how it works :)
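To make the failures-per-interval policy described earlier in this thread and the whitelist/self-DoS caveat above concrete, here is an added illustration (my own simplified model, not pam_shield's code): a sliding window of failures per remote host, a block once the window exceeds max_conns, blocks lifted after a retention period, and an allow list that exempts a shared NAT address so legitimate users behind it cannot be locked out. The addresses, thresholds and scenario are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class FailureShield:
    """Sliding-window login-failure counter modelled on pam_shield's policy
    (hypothetical illustration code, not pam_shield's implementation)."""

    def __init__(self, max_conns, interval, retention, allow=()):
        self.max_conns = max_conns      # failures tolerated inside one interval
        self.interval = interval        # window length in seconds
        self.retention = retention      # how long a block stays in place, seconds
        self.allow = [ip_network(a, strict=False) for a in allow]  # whitelist
        self.failures = defaultdict(deque)   # rhost -> timestamps of failures
        self.blocked = {}                    # rhost -> time the block was placed

    def whitelisted(self, rhost):
        addr = ip_address(rhost)
        return any(addr in net for net in self.allow)

    def record_failure(self, rhost, now):
        """Register one failed login; return True if this one triggers a block."""
        if self.whitelisted(rhost) or rhost in self.blocked:
            return False
        window = self.failures[rhost]
        window.append(now)
        while window and now - window[0] > self.interval:   # drop stale failures
            window.popleft()
        if len(window) > self.max_conns:
            self.blocked[rhost] = now    # pam_shield would null-route / iptables here
            return True
        return False

    def expire(self, now):
        """Lift blocks older than the retention period (the grace time)."""
        for rhost, since in list(self.blocked.items()):
            if now - since > self.retention:
                del self.blocked[rhost]
                self.failures.pop(rhost, None)


def run_sample():
    """Constructed scenario: a dictionary attack (admin, webmaster, ...) from one
    host, plus an office NAT gateway that is whitelisted so it cannot be self-DoS'ed."""
    shield = FailureShield(max_conns=5, interval=600, retention=3600,
                           allow=["192.0.2.0/24"])
    for i in range(7):                               # attacker: 7 failures in 7 s
        shield.record_failure("198.51.100.7", now=i)
    for i in range(20):                              # NAT: many typos, whitelisted
        shield.record_failure("192.0.2.10", now=i)
    blocked_at_start = sorted(shield.blocked)
    shield.expire(now=3700)                          # retention has passed
    return blocked_at_start, sorted(shield.blocked)
```

`run_sample()` returns the attacker's address as blocked and an empty list once the retention period has run out, while the whitelisted NAT address is never blocked.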
On Mon, 23 Aug 2010, Rob Kampen wrote:
> Dag Wieers wrote:
>> pam_shield is available from RPMforge and requires a minimum of configuration.
>
> Never heard of this one before - just installed and simple to configure. I note that version 0.9.3 was released April 2010 and includes a supposed memory leak fix - maybe time for an update?
Great, I have made an update. If the package could be improved (regarding the experience you have had installing) let me know. If we can make it easier, we should!
Kind regards,