For wrong auth, how to block IP or introduce delay for sender in real time?

Marcus Schopen lists at localguru.de
Sat Oct 17 12:38:02 EDT 2015


Hi Jayesh,

On Saturday, 17.10.2015, 17:09 +0530, Jayesh Shinde wrote:
[...]
> I think I am missing something with fail2ban.
> I am looking for immediate source IP blocking after 3 wrong attempts
> for pop / imap / smtp login failure.
> 
> Can you please share your correct configuration. That will help me to
> understand the regex part matching.

I'm using perdition in front of the cyrus I've tested the banning with
today, so the regex is different.

From another machine running cyrus with no proxy in front, I've attached
the filter based on

https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/cyrus-imap.conf

Check your logs and change the filter to your needs.


> What is your suggestion for the 3 points below.
> > > I believe this issue is very common with others too, is there any
> > > option in 'saslauthd' / postfix / cyrus-imapd for the below
> > > requirement?
> > > 
> > > 1) If the server receives a wrong password, is it possible to
> > > introduce a delay of, say, 5-10 seconds for the sender client? So that
> > > a spammer will make fewer attempts?

Don't know if any kind of throttling is built in, maybe in third-party
products. fail2ban is sufficient for my needs.

> > > 2) After giving a wrong password more than 3 times, the
> > > particular "IP + email id" must get blocked for the next 5-10 min,
> > > and then needs to be unblocked after that.

This is what fail2ban does. After three bans I do ban the IP for a week
(recidive filter).

> > > 3) I checked PAM-ABL, but it's not working for 'saslauthd' with pop /
> > > imap / smtp, because I came to know that 'saslauthd' is not getting
> > > the IP of the source.
> > > How to pass the source IP to 'saslauthd' along with email id, password
> > > and realm? Is there any patch available for this?

Ciao!

-------------- next part --------------
jail.conf:

[cyrusauth]

enabled  = true
port     = imap2,imaps,pop3,pop3s
filter   = cyrus-imap
logpath  = /var/log/mail.log
maxretry = 8
bantime  = 3600



cyrus-imap.conf:

# Fail2Ban configuration file
#
# Author: Jan Wagner <waja at cyconet.org>
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = : badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): authentication failure: checkpass failed$
	    : badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): user not found: checkpass failed$
	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
	    : badlogin: .*\[<HOST>\] plaintext .* invalid user$
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
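To check how the attached filter and jail behave against real log lines without touching a live server, here is a small replay script. It is an added example, not fail2ban's code and not part of the original mail: it expands `<HOST>` exactly as the filter header describes, runs the six `failregex` lines over constructed Cyrus log lines, and simulates the `maxretry`/`bantime` counting of the `cyrusauth` jail plus a recidive-style second stage (three first-stage bans inside a day give a week-long ban, as described above). The `findtime` of 600 s is fail2ban's default and is not in the attached jail.conf; the `USER_RE` used for the "IP + email id" key is an assumption about the plaintext log format, since the filter itself does not capture the user.

```python
"""Replay constructed Cyrus log lines through the cyrus-imap fail2ban filter.

Added example, not fail2ban's own code: a simulator of failregex matching and
the maxretry/findtime/bantime logic, with a recidive-style second stage.
"""
import re
from collections import defaultdict, deque

# fail2ban expands the <HOST> tag to this group (quoted from the filter header).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from cyrus-imap.conf, verbatim apart from <HOST>.
FAILREGEX = [
    r": badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): authentication failure: checkpass failed$",
    r": badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): user not found: checkpass failed$",
    r": badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$",
    r": badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$",
    r": badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$",
    r": badlogin: .*\[<HOST>\] plaintext .* invalid user$",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Assumption: for plaintext logins the user name follows the word "plaintext".
# The filter does not capture it; this only serves the "IP + user" ban key.
USER_RE = re.compile(r"\] plaintext (?P<user>\S+)")

# Constructed sample lines (not from a real server).
FAIL_PLAINTEXT = ("Oct 17 12:00:00 mail cyrus/imap[4242]: badlogin: example.net [{ip}] "
                  "plaintext {user} SASL(-13): authentication failure: checkpass failed")
SUCCESS_LINE = ("Oct 17 12:00:50 mail cyrus/imap[4242]: login: example.net [198.51.100.7] "
                "bob plaintext User logged in")
LOGIN_FAIL_LINE = ("Oct 17 12:01:00 mail cyrus/imap[4242]: badlogin: example.net [198.51.100.7] "
                   "LOGIN [SASL(-13): authentication failure: checkpass failed]")


def match_failure(line):
    """Return (host, user-or-None) if any failregex matches the line, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            u = USER_RE.search(line)
            return m.group("host"), (u.group("user") if u else None)
    return None


class BanTracker:
    """maxretry failures within findtime seconds => ban for bantime seconds."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.banned_until = {}               # key -> ban expiry timestamp

    def is_banned(self, key, now):
        return self.banned_until.get(key, 0) > now

    def observe(self, key, now):
        """Record one failure; return True if it triggers a ban."""
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.findtime:   # forget failures outside findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned_until[key] = now + self.bantime
            q.clear()
            return True
        return False


def replay(events, jail, recidive, key_on_user=False):
    """Feed (timestamp, logline) events; return the list of (ts, key, stage) bans."""
    bans = []
    for ts, line in events:
        hit = match_failure(line)
        if hit is None:
            continue
        host, user = hit
        key = f"{host}+{user}" if key_on_user and user else host
        if jail.is_banned(key, ts):
            continue        # the firewall rule would already drop this client
        if jail.observe(key, ts):
            bans.append((ts, key, "cyrusauth"))
            # recidive reads fail2ban's own Ban lines: one first-stage ban = one failure
            if recidive.observe(host, ts):
                bans.append((ts, host, "recidive"))
    return bans


def constructed_events():
    """Three bursts of 8 failures from one address, spaced past the 3600 s ban."""
    events = []
    for burst in range(3):
        for i in range(8):
            events.append((burst * 4000 + i * 10,
                           FAIL_PLAINTEXT.format(ip="203.0.113.5", user="alice")))
    events.append((50, SUCCESS_LINE))       # must not count as a failure
    events.append((60, LOGIN_FAIL_LINE))    # one failure from another address
    events.sort()
    return events


def demo(key_on_user=False):
    jail = BanTracker(maxretry=8, findtime=600, bantime=3600)   # jail.conf values, default findtime
    recidive = BanTracker(maxretry=3, findtime=86400, bantime=7 * 86400)
    return replay(constructed_events(), jail, recidive, key_on_user)


if __name__ == "__main__":
    for ban in demo():
        print(ban)
```

Run as-is it prints three `cyrusauth` bans for 203.0.113.5 (at t=70, 4070 and 8070) followed by the `recidive` ban at t=8070; the successful login never matches, and the single LOGIN-style failure from 198.51.100.7 stays below `maxretry`. `demo(key_on_user=True)` shows the "IP + email id" variant from the question: the first stage is keyed on `203.0.113.5+alice` while recidive still keys on the address alone, which is the only thing a firewall rule can act on.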


