Dovecot bruteforce not stopped !

wclemo
Junior Member
Posts: 3
Joined: 01 Nov 2012, 05:27

Dovecot bruteforce not stopped !

Post by wclemo »

First, thanks to the CSF developers for giving us this wonderful product.
I have read and googled all the Dovecot regex examples and other users' samples, but cannot find one that works for me.

I have spent hours trying to self-help, but unsuccessfully, due to my not being good at Perl or regex.
I am using CentOS 6.3 and Dovecot v2.0.9.
The Dovecot log file is /var/log/dovecot-info.log (so the log doesn't show the hostname or the app name, i.e. 'dovecot').
Note also that I am not using IPv6 addresses.

These are samples of the brute-force log lines:

Nov 01 06:43:09 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<administrator>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:15 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<aaron>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:16 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:17 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<help>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:18 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<Administrator>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:19 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<abby>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z


I tried this in regex.custom.pm, but with no success:

if (($config{LF_POP3D}) and ($lgfile eq $config{POP3D_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login: Info: (Aborted login|Disconnected)( \(auth failed, \d+ attempts\):)? (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=.*/)) {
	# dovecot-info.log has no hostname field and puts "Info:" between "pop3-login:" and
	# "Aborted login", so the pattern must include it. With the hostname group gone the
	# captures are: 5 = <user> (optional), 6 = rip; $7 does not exist.
	my $ip = $6; my $acc = defined $5 ? $5 : "";
	$ip =~ s/^::ffff://; $acc =~ s/^<|>$//g;
	if (&checkip($ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}

CSF settings:
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "3600"
LF_POP3D = "8"
LF_POP3D_PERM = "1"
POP3D_LOG = "/var/log/dovecot-info.log"

Where am I going wrong?
I would really appreciate help from all the helpful souls out there.

Clemo
Last edited by wclemo on 25 May 2013, 15:48, edited 1 time in total.
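A stand-alone Perl harness to exercise the pattern against the quoted log format before touching regex.custom.pm. This is an added example, not code from the post or from CSF; the lines after __DATA__ are constructed from the formats quoted above, and the successful-login line with the 192.0.2.10 address is invented to show that non-failure lines are ignored.

```perl
#!/usr/bin/perl
# Check a dovecot-info.log pattern outside csf before putting it in
# regex.custom.pm. Added example, not CSF code. The lines after __DATA__
# are constructed from the formats quoted in the post, plus one invented
# successful login (192.0.2.10) that the pattern must not match.
use strict;
use warnings;

my $lf_pop3d = 8;   # LF_POP3D from the post's csf.conf

# dovecot-info.log has no hostname field and dovecot 2.x writes "Info:"
# between "pop3-login:" and "Aborted login", which the posted regex did not
# allow for. Groups: 1 timestamp, 2 event, 3 attempts, 4/5 user, 6 rip.
my $re = qr/^(\S+|\S+\s+\d+\s+\S+) pop3-login: Info: (Aborted login|Disconnected)( \(auth failed, \d+ attempts\):)? (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=.*/;

my (%hits, $matched);
while (my $line = <DATA>) {
    chomp $line;
    next unless $line =~ $re;
    # copy captures first: the s/// calls below reset $1..$n on success
    my ($event, $acc, $ip) = ($2, defined $5 ? $5 : '', $6);
    $ip  =~ s/^::ffff://;   # strip IPv4-mapped prefix, as csf does
    $acc =~ s/^<|>$//g;     # csf reports the pair as "ip|account"
    $matched++;
    $hits{$ip}++;
    printf "%-15s %-14s %s\n", $ip, $acc, $event;
}
print "matched ", $matched || 0, " line(s)\n";
for my $ip (sort keys %hits) {
    printf "%s: %d failure(s)%s\n", $ip, $hits{$ip},
        $hits{$ip} >= $lf_pop3d ? ' (reaches LF_POP3D)' : '';
}

__DATA__
Nov 01 06:43:09 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<administrator>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:15 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<aaron>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:16 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=110.234.127.52, lip=x.x.y.z
Nov 01 06:43:20 pop3-login: Info: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=x.x.y.z, mpid=1234
```

To check a live log instead of the built-in samples, change <DATA> to <STDIN> and run `perl check.pl < /var/log/dovecot-info.log`.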
wclemo
Junior Member
Posts: 3
Joined: 01 Nov 2012, 05:27

Re: Dovecot bruteforce not stopped !

Post by wclemo »

After failing to have the csf regex block the Dovecot brute-forcing, I explored other options and managed to install and configure OSSEC, which worked for me. It also has regexes, and even includes a Dovecot one, which was a bit easier to customise and get working for me. To avoid duplication of functions (OSSEC has several that are similar to csf's) I had to disable the ones I do not need. I must mention that I would have preferred not to use another filter which seems to duplicate what csf does, but OSSEC served my urgent purpose, which was to stop those thousands of almost daily brute-force attempts.
wclemo
Junior Member
Posts: 3
Joined: 01 Nov 2012, 05:27

Re: Dovecot bruteforce not stopped !

Post by wclemo »

I have also realised that one can use Fail2ban to complement/____ CSF. In my test I installed Fail2ban and disabled all the monitored services. Then I defined a Dovecot entry and set up a Dovecot regex that worked out of the box. The result is that Fail2ban is set up to guard only against Dovecot (POP3/IMAP) brute-forcing. CSF and Fail2ban work well without interfering with each other, as long as you ensure that similar filter services are not enabled in both.
srvrmanaged
Junior Member
Posts: 1
Joined: 11 Dec 2012, 21:03

Re: Dovecot bruteforce not stopped !

Post by srvrmanaged »

Hi wclemo,
If you are on a Debian platform, you must set POP3D_LOG to /var/log/mail.log in order to block Dovecot attempts.
Cheers.