[Dovecot] Configuring dovecot to use tcp wrappers
Greetings,

I am looking to implement tcp wrappers with dovecot; I am using the following two links as guides to configuration:

http://blog.acsystem.sk/linux/brute-force-attack-dovecot-imap-server-blocking-ip-with-tcp-wrappers
http://wiki2.dovecot.org/LoginProcess (you need to go to the very bottom)

I'm concerned with making the configuration correctly.

If you set

  login_access_sockets = tcpwrap

in /etc/dovecot/dovecot.conf, then everything accessing ports controlled by dovecot (and open by iptables) is blocked.

So my question relates to the second part of the configuration examples in the links above:

  service tcpwrap {
    unix_listener login/tcpwrap {
      group = $default_login_user
      mode = 0600
      user = $default_login_user
    }
  }

Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)?

And regarding $default_login_user, it appears in a comment line in /etc/dovecot/conf.d/10-master.conf

Should that line be uncommented?

Much thanks.

Max Pyziur
p...@brama.com

Report of dovecot -n:

  pyz@pangea ~> dovecot -n
  # 2.1.1: /etc/dovecot/dovecot.conf
  # OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
  disable_plaintext_auth = no
  mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
  mbox_write_locks = fcntl
  namespace inbox {
    inbox = yes
    location =
    mailbox Drafts {
      special_use = \Drafts
    }
    mailbox Junk {
      special_use = \Junk
    }
    mailbox Sent {
      special_use = \Sent
    }
    mailbox "Sent Messages" {
      special_use = \Sent
    }
    mailbox Trash {
      special_use = \Trash
    }
    prefix =
  }
  passdb {
    driver = pam
  }
  ssl = no
  ssl_cert =
Re: [Dovecot] script to detect dictionary attacks
On Sat, 6 Apr 2013, Reindl Harald wrote:

> Hi
>
> has someone a script which can filter out dictionary attacks from
> /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have a mail with
> the IP address for two reasons and avoid fail2ban at all because it
> does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute it to
>   any server with a comment and timestamp
> * write an abuse-mail to the ISP

Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?

That way, you leave your iptables configuration status quo, and create a mechanism to use the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall.

Thanks,

Max Pyziur
p...@brama.com
Re: [Dovecot] script to detect dictionary attacks
On Sat, 6 Apr 2013, Reindl Harald wrote:

> On 06.04.2013 22:55, Max Pyziur wrote:
>> On Sat, 6 Apr 2013, Reindl Harald wrote:
>>> has someone a script which can filter out dictionary attacks from
>>> /var/log/maillog and notify about the source-IPs?
>>>
>>> i know about fail2ban and so on, but i would like to have a mail with
>>> the IP address for two reasons and avoid fail2ban at all because it
>>> does not match in the way we maintain firewalls
>>>
>>> * add the IP to a distributed "iptables-block.sh" and distribute it to
>>>   any server with a comment and timestamp
>>> * write an abuse-mail to the ISP
>>
>> Thinking tangentially to this proposal, are there blacklists (BLs)
>> maintained regarding known IPs perpetrating attempts at pop/imap
>> intrusions, much in the same way CBL does for spam, and OpenBL
>> (http://www.openbl.org/lists.html) does for ssh (primarily)?
>>
>> That way, you leave your iptables configuration status quo, and create
>> a mechanism to use the resource (the BLs) to populate your
>> /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute
>> force attacks on services that have open ports in the firewall
>
> i don't know but in fact i want not rely on automatisms and blacklists

CBL is fairly reliable; you can screen it based on originating countries (I use ip2cc, available from perl-IP-Country-2.27-1.el6.noarch, to find the originating country for particular ips).

I'm tentatively using OpenBL to block dictionary attacks by way of ssh.

By way of logwatch, I see enough dictionary attacks on dovecot; I take those ips and hope to use them soon to block dovecot attacks.

The problem is the "aging": there needs to be a mechanism that determines whether or not an ip continues to be a threat. The BLs are good for that - once an ip or, say, the first three octets, diminish in frequency of attacks, then based on some threshold that you set, you can remove that ip (or set of ips) as a hostile threat to a particular service that you are running on your server/servers.
> sometimes i recognize a dictionary attack because "tail -f" on the
> mailserver is running in background and after come back from a
> cigarette break i look a minute in the output and if i see attacks i
> add the IP after a whois to "iptables-block.sh"
>
> so i do not want to rely on automagic and if some IP is added to
> whatever blacklist hours or days later, i want simply a one-time mail
> notify to look NOW in maillog and take action or ignore it depending
> on the count and source
>
> if it is some ISP from a country far away -> block it
> if it is the fifth attempt from this ISP -> block the whole subnet
> if it is a major ISP of the country i live in (Austria) -> only abuse
> mail to the ISP

I understand the logic; I set a low threshold to label something being a threat for anything originating in China; the threshold is higher for things closer to home, since most of the traffic to the one server I control is from there.

MP
p...@brama.com
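A detection script along the lines Reindl asks for, added here as an example and not code from the thread: it parses the Dovecot 2.x "auth failed" disconnect lines from a maillog, totals failed attempts per source IP inside an aging window (the "aging" concern above), and applies a per-origin threshold, with an address prefix standing in for the country lookup Max does with ip2cc. The log lines, the hostname and the policy are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot 2.x login-process line written when a client gives up after failed auth;
# "rip" is the remote (source) IP of the client.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed, (?P<tries>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")

# Constructed sample maillog excerpt (not a real server's log).
SAMPLE_LOG = """\
Apr  6 22:10:01 pangea dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Apr  6 22:10:40 pangea dovecot: imap-login: Disconnected (auth failed, 5 attempts in 30 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Apr  6 22:11:05 pangea dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<max>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2
Apr  6 22:12:00 pangea dovecot: imap-login: Login: user=<max>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2, mpid=1234
Apr  2 03:00:00 pangea dovecot: pop3-login: Disconnected (auth failed, 9 attempts in 60 secs): user=<test>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
""".splitlines()
NOW = datetime(2013, 4, 7)  # constructed "current time" for the aging window

def parse_line(line, year):
    """Return {ts, rip, user, tries} for an auth-failure line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "rip": m["rip"], "user": m["user"], "tries": int(m["tries"])}

def summarize(lines, now=NOW, window_hours=24):
    """Failed attempts per source IP, dropping events older than the window."""
    cutoff = now - timedelta(hours=window_hours)
    totals = defaultdict(lambda: {"tries": 0, "users": set(), "last": cutoff})
    for line in lines:
        ev = parse_line(line, now.year)
        if ev is None or ev["ts"] < cutoff:
            continue  # successful login or other noise, or aged out
        t = totals[ev["rip"]]
        t["tries"] += ev["tries"]
        t["users"].add(ev["user"])
        t["last"] = max(t["last"], ev["ts"])
    return dict(totals)

def offenders(totals, threshold_for):
    """IPs whose attempt count reaches the threshold chosen for that IP."""
    return {ip: t for ip, t in totals.items() if t["tries"] >= threshold_for(ip)}

def notify_text(offs):
    """One line per offending IP, for the body of a one-time notification mail."""
    return "\n".join(f"{ip}: {t['tries']} failed logins, users={sorted(t['users'])}, "
                     f"last seen {t['last']:%b %d %H:%M}" for ip, t in sorted(offs.items()))
```

A policy in the spirit of the thread is `offenders(summarize(log), lambda ip: 3 if ip.startswith("203.0.113.") else 10)`: a low threshold for the "far away" prefix and a higher one for everything else.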
Re: [Dovecot] Configuring dovecot to use tcp wrappers
> On 5.4.2013, at 18.19, Max Pyziur wrote:
>
>> So my question relates to the second part of the configuration examples
>> in the links above:
>>
>>   service tcpwrap {
>>     unix_listener login/tcpwrap {
>>       group = $default_login_user
>>       mode = 0600
>>       user = $default_login_user
>>     }
>>   }
>>
>> Where does this code get placed (in dovecot.conf or in one of the files
>> in /etc/dovecot/conf.d)?
>
> Doesn't really matter. I'd put it into conf.d/10-master.conf which has
> other services.
>
>> And regarding $default_login_user, it appears in a comment line in
>> /etc/dovecot/conf.d/10-master.conf
>>
>> Should that line be uncommented?
>
> Just leave it uncommented and it'll use the default value (which it has
> been using so far already).

Much thanks for your reply.

However, once I make the changes to the configuration files, I get the following error when restarting dovecot:

  root@brama /etc/dovecot/conf.d> service dovecot restart
  Stopping Dovecot Imap: [ OK ]
  Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
  [FAILED]

Any advice on how to proceed?

Thank you again,

Max Pyziur
p...@brama.com
Re: [Dovecot] Configuring dovecot to use tcp wrappers
On Mon, 8 Apr 2013, Timo Sirainen wrote:

> On 8.4.2013, at 1.31, "Max Pyziur" wrote:
>
>> However, once I make the changes to the configuration files, I get the
>> following error when restarting dovecot:
>>
>>   root@brama /etc/dovecot/conf.d> service dovecot restart
>>   Stopping Dovecot Imap: [ OK ]
>>   Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
>>   [FAILED]
>
> You most likely didn't compile Dovecot with tcpwrap support. See if you
> have /usr/lib*/dovecot/tcpwrap binary?

Any idea, then, as to where those CentOS dovecot src.rpms are kept?

Max Pyziur
p...@brama.com
Re: [Dovecot] Configuring dovecot to use tcp wrappers
On Sun, 7 Apr 2013, Max Pyziur wrote:

> On Mon, 8 Apr 2013, Timo Sirainen wrote:
>
>> On 8.4.2013, at 1.31, "Max Pyziur" wrote:
>>
>>> However, once I make the changes to the configuration files, I get the
>>> following error when restarting dovecot:
>>>
>>>   root@brama /etc/dovecot/conf.d> service dovecot restart
>>>   Stopping Dovecot Imap: [ OK ]
>>>   Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
>>>   [FAILED]
>>
>> You most likely didn't compile Dovecot with tcpwrap support. See if you
>> have /usr/lib*/dovecot/tcpwrap binary?
>
> Any idea, then, as to where those CentOS dovecot src.rpms are kept?

Yanking my own chain:

http://vault.centos.org/6.4/updates/Source/SPackages/

Max Pyziur
p...@brama.com
Re: [Dovecot] Configuring dovecot to use tcp wrappers
> On 5.4.2013, at 18.19, Max Pyziur wrote:
>
>> So my question relates to the second part of the configuration examples
>> in the links above:
>>
>>   service tcpwrap {
>>     unix_listener login/tcpwrap {
>>       group = $default_login_user
>>       mode = 0600
>>       user = $default_login_user
>>     }
>>   }
>>
>> Where does this code get placed (in dovecot.conf or in one of the files
>> in /etc/dovecot/conf.d)?
>
> Doesn't really matter. I'd put it into conf.d/10-master.conf which has
> other services.
>
>> And regarding $default_login_user, it appears in a comment line in
>> /etc/dovecot/conf.d/10-master.conf
>>
>> Should that line be uncommented?
>
> Just leave it uncommented and it'll use the default value (which it has
> been using so far already).

After some delay, I'm returning to this project.

I've made the changes per above. I've put in a test ip address in /etc/hosts.deny like so:

  dovecot: 166.84.1.2

And then I execute the following from 166.84.1.2 to port 110:

  bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
  Trying SiteWhereImConfiguringDovecot...
  Connected to SiteWhereImConfiguringDovecot.
  Escape character is '^]'.
  +OK Dovecot ready.
  quit
  +OK Logging out
  Connection closed by foreign host.

If dovecot is configured with tcp wrappers (which it is; built on a CentOS 6 system, installed and configured per instructions), and the firewall has ports 110 and 143 open, but I'm blocking a particular host through /etc/hosts.deny, then I should not be able to telnet to either port 110 or 143; both requests should be blocked from the originating IP, no?

Much thanks for your help,

Max Pyziur
p...@brama.com
Re: [Dovecot] Configuring dovecot to use tcp wrappers
On Thu, 11 Apr 2013, lists-dovecot wrote:

>> [... snip ...]
>>
>> I've put in a test ip address in /etc/hosts.deny like so:
>>
>>   dovecot: 166.84.1.2
>>
>> And then I execute the following from 166.84.1.2 to port 110:
>>
>>   bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
>>   Trying SiteWhereImConfiguringDovecot...
>>   Connected to SiteWhereImConfiguringDovecot.
>>   Escape character is '^]'.
>>   +OK Dovecot ready.
>>   quit
>>   +OK Logging out
>>   Connection closed by foreign host.
>>
>> If dovecot is configured with tcp wrappers (which it is; built on a
>> CentOS 6 system, installed and configured per instructions), and the
>> firewall has ports 110 and 143 open, but I'm blocking a particular host
>> through /etc/hosts.deny, then I should not be able to telnet to either
>> port 110 or 143; both requests should be blocked from the originating
>> IP, no?
>>
>> Much thanks for your help,
>>
>> Max Pyziur
>> p...@brama.com
>
> What are you using as the service name in hosts.deny? I think it should
> be "imap-login:", (that's what I have as an historical/left-over entry)
> but don't have dovecot configured with wrappers on my current centos
> system so can't test this to be certain.
>
> Also make certain that you don't have anything in your hosts.allow file
> that would override the hosts.deny entry.

I was using dovecot, until you convinced me to do otherwise.

Putting pop3 in /etc/hosts.deny with the associated ip seems to work, like so:

  pop3: 166.84.1.2

or imap

  imap: 166.84.1.2

(are there any challenges to this?)

Given that services such as sendmail and sshd respond to

  sshd: xxx.xxx.xxx.xxx
  sendmail: xxx.xxx.xxx.xxx

I thought that it should be

  dovecot: xxx.xxx.xxx.xxx

As a suggestion, can dovecot binaries for distributions such as CentOS and Fedora be compiled with tcp wrappers by default?

> - Richard

Much thanks.

MP
p...@brama.com
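To make the matching rule behind the exchange above concrete, here is an added example (not code from the thread or from Dovecot) that evaluates hosts.allow/hosts.deny the way tcp_wrappers does: the first match in hosts.allow grants access, otherwise the first match in hosts.deny refuses it, otherwise access is granted. It reproduces the experiment above, where a "dovecot:" entry does nothing for a pop3 connection while "pop3:" and "imap:" entries do; the file contents are constructed, and only exact addresses, ALL, a trailing-dot prefix and net/mask client patterns are handled (no EXCEPT, no hostnames).

```python
import ipaddress

def _client_matches(pattern, ip):
    """Client field of a rule. Handles the forms used on the list: an exact
    address, ALL, a leading-octets prefix such as '166.84.', and net/mask."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:  # e.g. 166.84.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def _rule_matches(rule, daemon, ip):
    """A rule is 'daemon_list : client_list'; both lists are comma separated."""
    daemons, _, clients = rule.partition(":")
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(_client_matches(c, ip) for c in clients.split(","))
    return daemon_ok and client_ok

def parse_rules(text):
    """Rules from file contents, with comments and blank lines removed."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules

def wrappers_decision(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: first match in hosts.allow grants access, else
    first match in hosts.deny refuses it, else access is granted."""
    if any(_rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(_rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"

# The thread's experiment: a 'dovecot:' line does nothing for a pop3/imap
# connection, while 'pop3:' / 'imap:' lines do (constructed file contents).
HOSTS_DENY_WRONG = "dovecot: 166.84.1.2\n"
HOSTS_DENY_RIGHT = "pop3, imap: 166.84.1.2   # test host from the thread\n"

def demo():
    return {name: wrappers_decision("", text, "pop3", "166.84.1.2")
            for name, text in (("dovecot", HOSTS_DENY_WRONG), ("pop3/imap", HOSTS_DENY_RIGHT))}

if __name__ == "__main__":
    print(demo())  # {'dovecot': 'allow', 'pop3/imap': 'deny'}
```

On a live host the equivalent check is `tcpdmatch pop3 166.84.1.2` from the tcp_wrappers package, which reads the real files and reports which rule matched.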
Re: Mailing list test
On Fri, 21 Nov 2014, Timo Sirainen wrote:

> Apparently this list has somehow broken.. Not really sure what the
> problem is, let's see what happens to this mail.

Any chance of putting "[dovecot]" back in the subject line?

Thanks.

Max Pyziur
p...@brama.com