For wrong auth, how to block IP or introduce delay for sender in real time?
Jayesh Shinde
jayesh.shinde at netcore.co.in
Sat Oct 17 07:39:31 EDT 2015
Hi Marcus,
On 10/17/2015 04:33 PM, Marcus Schopen wrote:
> Hi Jayesh,
>
> On Saturday, 17.10.2015, at 13:06 +0530, Jayesh Shinde wrote:
>> Hello all,
>>
>> I have a mail server with CentOS 6.3 + cyrus-imapd + postfix + ldap.
>> We are using cyrus-sasl-2.1.23-13.el6.x86_64 with the 'PAM' mechanism.
>>
>> Many spammers are trying to hack passwords by making many authentication
>> attempts against the pop3 + imap + smtp services.
>> Fail2ban has been added on the server, but it is blocking hacker IPs
>> after a certain interval and not in real time, which is the actual
>> issue.
>>
>> I am looking for some real-time blocking where that particular
>> spammer IP + email id must get blocked.
> I'm using fail2ban too and I don't understand what you mean by "real
> time". In my configuration the ban is set immediately after three failed
> logins (no delay) and for more extended banning of persistent abusers I
> use the recidive filter.
>
I think I am missing something with fail2ban.
I am looking for immediate source IP blocking after 3 wrong attempts
for pop / imap / smtp login failures.
Can you please share your correct configuration? That will help me to
understand the regex matching part.
What is your suggestion for the 3 points below?
>> I believe this issue is very common for others too. Is there any
>> option in 'saslauthd' / postfix / cyrus-imapd for the requirements
>> below?
>>
>> 1) If the server receives a wrong password, is it possible to
>> introduce a delay of, say, 5-10 seconds to the sending client, so that
>> the spammer will make fewer attempts?
>> 2) After a wrong password is given more than 3 times, the
>> particular "IP + email id" must get blocked for the next 5-10 min,
>> and then needs to be unblocked after that.
>> 3) I checked PAM-ABL, but it's not working for 'saslauthd' with pop /
>> imap / smtp, because I came to know that 'saslauthd' is not getting
>> the IP of the source.
>> How do I pass the source IP to 'saslauthd' along with the email id,
>> password and realm? Is there any patch available for this?
>>
> Ciao!
>
>
>
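The rule asked for in point 2 of the thread (three wrong passwords, then a temporary block on the "IP + email id" pair that expires by itself), as an added example that is not part of the original post and is not fail2ban, saslauthd or Cyrus code. The log format, the `Lockout` class, the `replay` helper and the 5-minute counting window are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

MAX_FAILURES = 3      # from the post: block after 3 wrong attempts
WINDOW_SECONDS = 300  # assumption: failures are counted over 5 minutes
BLOCK_SECONDS = 600   # from the post: block 5-10 min, then unblock
# Assumed, simplified log format: "<epoch> <service> FAIL|OK ip=<ip> user=<id>"
LINE_RE = re.compile(r"^(\d+) (\S+) (FAIL|OK) ip=(\S+) user=(\S+)$")

class Lockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # (ip, user) -> failure timestamps
        self.blocked_until = {}             # (ip, user) -> unblock time

    def observe(self, line):
        """Classify one log line as 'blocked', 'ban', 'fail', 'ok' or 'skip'."""
        m = LINE_RE.match(line.strip())
        if not m:
            return "skip"
        now, key = int(m.group(1)), (m.group(4), m.group(5).lower())
        if now < self.blocked_until.get(key, 0):
            return "blocked"                 # still inside the block period
        self.blocked_until.pop(key, None)    # block expired: unblock
        if m.group(3) == "OK":
            self.failures.pop(key, None)     # success resets the counter
            return "ok"
        q = self.failures[key]
        q.append(now)
        while now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # forget failures outside the window
        if len(q) < MAX_FAILURES:
            return "fail"
        self.blocked_until[key] = now + BLOCK_SECONDS
        q.clear()
        return "ban"

# Constructed sample lines (documentation IP ranges, example.com mailbox).
SAMPLE = [
    "1000 imap FAIL ip=192.0.2.10 user=alice@example.com",
    "1005 pop3 FAIL ip=192.0.2.10 user=alice@example.com",
    "1010 smtp FAIL ip=192.0.2.10 user=alice@example.com",
    "1020 imap OK ip=192.0.2.10 user=alice@example.com",
    "1030 imap OK ip=198.51.100.7 user=alice@example.com",
    "1700 imap OK ip=192.0.2.10 user=alice@example.com",
]

def replay(lines):
    lock = Lockout()
    return [lock.observe(line) for line in lines]
```

Because the key is the pair, the same mailbox logging in from another address is not locked out by the failures from the first address, and the block is refused even for a correct password until it expires.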