[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dovecot configuration issues for IMAP/POP3 (squeeze)

Glenn English grabbed a keyboard and wrote:
> On Nov 18, 2012, at 2:00 PM, David Guntner wrote:
>> Assuming I could get a meaningful log entry with each bad attempt,
>> I could have fail2ban act - but that's still pretty useless since
>> as far as I understand it; telling iptables to DROP a given IP
>> address doesn't do anything to a connection that's already open.
>> Someone please feel free to correct me if my understanding on that
>> is not correct. :-)
> I use Linux and IPtables and fail2ban, and the way it seems to work
> here is: There's an IPtables rule that checks for and accepts
> established connection packets, but fail2ban inserts its block chain
> in front of that, at the very top of the Input chain. So a packet
> from a wayward IP is blocked/dropped if fail2ban doesn't like it,
> before the fact that this is an established connection is discovered.
> So if you had f2b watching for bad logins, I think you'd get exactly
> what you want, assuming you could get meaningful log entries. (I
> wrote my IPtables packet filter, though, so others are almost
> certainly different.)

Without seeing your config files, I have no idea how you have it set up.
 I've been running it for years on my existing system and set it up
according to the instructions.  Filters config files are set up for
particular ports like this, and fail2ban injects its own chains into the
main INPUT chain in iptables when it starts.

On that existing system, my iptables currently looks like this:

> # iptables --list
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> fail2ban-ftp  tcp  --  anywhere             anywhere             tcp dpt:ftp
> fail2ban-postfix  tcp  --  anywhere          anywhere             tcp dpt:smtp
> fail2ban-pop3  tcp  --  anywhere             anywhere             tcp dpt:pop3
> fail2ban-imap  tcp  --  anywhere             anywhere             tcp dpt:imap2
> fail2ban-sasl  tcp  --  anywhere             anywhere             tcp dpt:smtp
> fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:ssh
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain fail2ban-SSH (1 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> Chain fail2ban-ftp (1 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> Chain fail2ban-imap (1 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> Chain fail2ban-pop3 (1 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> Chain fail2ban-postfix (1 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> Chain fail2ban-sasl (1 references)
> target     prot opt source               destination
> DROP       all  --  rrcs-50-84-168-222.sw.biz.rr.com  anywhere
> DROP       all  --  firstt3.lnk.telstra.net  anywhere
> DROP       all  --  wsip-24-249-159-209.tu.ok.cox.net  anywhere
> DROP       all  --         anywhere
> DROP       all  --  mail.ifsi.com        anywhere
> DROP       all  --  c-98-211-191-10.hsd1.fl.comcast.net  anywhere
> DROP       all  --  23-25-216-129-static.hfc.comcastbusiness.net  anywhere
> DROP       all  --  host18-100-static.241-95-b.business.telecomitalia.it  anywhere
> DROP       all  --  static-149-136-145-212.ipcom.comunitel.net  anywhere
> DROP       all  --  173-162-251-81-NewEngland.hfc.comcastbusiness.net  anywhere
> DROP       all  --  9.Red-80-39-125.staticIP.rima-tde.net  anywhere
> DROP       all  --        anywhere
> DROP       all  --  adsl-068-213-103-027.sip.jan.bellsouth.net  anywhere
> DROP       all  --  mail.jccyofrockland.org  anywhere
> DROP       all  --  adsl-108-71-19-30.dsl.hstntx.sbcglobal.net  anywhere
> DROP       all  --       anywhere
> DROP       all  --  208-53-75-36.static.chico.ca.digitalpath.net  anywhere
> DROP       all  --  wsip-98-189-122-23.oc.oc.cox.net  anywhere
> DROP       all  --  tollgate123.demon.co.uk  anywhere
> DROP       all  --  static-31-84-61-95.ipcom.comunitel.net  anywhere
> DROP       all  --  net-93-64-210-123.cust.dsl.vodafone.it  anywhere
> DROP       all  --  75-149-2-246-Pennsylvania.hfc.comcastbusiness.net  anywhere
> DROP       all  --  39.Red-79-144-62.dynamicIP.rima-tde.net  anywhere
> DROP       all  --  mail2.servicesfuneraires.fr  anywhere
> DROP       all  --  75-151-109-166-Washington.hfc.comcastbusiness.net  anywhere
> DROP       all  --  72.Red-80-37-10.staticIP.rima-tde.net  anywhere
> DROP       all  --  sacrtt6.lnk.telstra.net  anywhere
> DROP       all  --  anywhere
> DROP       all  --  74-84-111-214.client.mchsi.com  anywhere
> DROP       all  --  rrcs-24-106-174-74.se.biz.rr.com  anywhere
> DROP       all  --  23-24-12-243-static.hfc.comcastbusiness.net  anywhere
> DROP       all  --  CPE-120-146-193-153.static.vic.bigpond.net.au  anywhere
> DROP       all  --          anywhere
> DROP       all  --  static-50-39-90-242.bvtn.or.frontiernet.net  anywhere
> DROP       all  --  mail.stratcoglobal.com  anywhere
> DROP       all  --  89-119-220-57-static.albacom.net  anywhere
> DROP       all  --  ool-4b7fecc2.static.optonline.net  anywhere
> DROP       all  --  93-63-6-214.ip25.fastwebnet.it  anywhere
> DROP       all  --  anywhere
> RETURN     all  --  anywhere             anywhere

On a side note:  Yea, for some reason, the last couple of days my system
has been a "let's try to break in via SASL" magnet.  Since I don't
really use that, I finally decided to just turn that feature off in
Postfix for right now.  The entries above will disappear with time as
they expire in fail2ban.

Anyway, the above demonstrates how it function:  You will note that it
routes traffic through its various chains based on what port the
incoming traffic is going to (ftp, pop3, ssh, etc.), as shown by the
"dpt:" entries at the top.  In the above example, the fail2ban-sasl
chain is filtering incoming traffic on the SMTP port through it.
There's a SASL filter rule that watches the syslog for a particular
string that identifies it as an invalid SASL login.  When it sees the
number of attempts that it's configured to allow, it takes the IP
address information from that log entry and then sticks a DROP rule in
its fail2ban-sasl chain.  But that is *only* controlling incoming
traffic on that one particular port.  That IP address can connect via
any other port; it's only being blocked from port 25.  I've tested this
behavior and can confirm that it works that way.

I realize that a lot of the above you probably already know about; I was
only illustrating that fail2ban doesn't just de facto block everything
when a filter rule is tripped.  At least, not as set up "out of the
box." :-)

You may have noticed that there are two chains that are routing SMTP
traffic ("dpt:smtp") - that's 'cause I've got two filters that are
routing for monitoring two different items.  If either of them trip;
port 25 will be blocked for a while. :-)

> OTOH, some of the bad attempts I get don't log the remote IP, so they
> aren't meaningful to f2b and don't get blocked...

Yup. :-)


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: