
Brute force attack Dovecot IMAP server – blocking IP with TCP wrappers

A brute-force login attack against the Dovecot IMAP server is happening, and the log is filling up ;(

Let's block it 😉

First, Dovecot must be compiled with the option --with-libwrap; add it to the .spec file if you are using RPM, or wherever your build is configured. This option lets Dovecot use TCP wrappers for login authentication, which in turn allows you to block hosts. If you get the error "Can't build with libwrap support: tcpd.h not found", install the tcp_wrappers-devel package on your system.

Second, you must add a few lines to dovecot.conf, usually in /etc/dovecot (I'm using Vpopmail/Qmail, so group/user must be changed from the defaults as per the Wiki http://wiki2.dovecot.org/LoginProcess):


login_access_sockets = tcpwrap

service tcpwrap {
  unix_listener login/tcpwrap {
    group = vchkpw
    mode = 0600
    user = vpopmail
  }
}

Third and last, add the attacker's IP to the /etc/hosts.deny file (replace the IP 😉 ):

imap: 10.0.0.1

Then you can test the connection. Before blocking, the result should look similar to this:

[root@devel dovecot] telnet matrix 143
Trying 10.0.0.5...
Connected to matrix.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Welcome to IMAP server.
a--1 logout
* BYE Logging out
a--1 OK Logout completed.
Connection closed by foreign host.

And once blocking is enabled in /etc/hosts.deny, it should look like this:

[root@devel dovecot] telnet matrix 143
Trying 10.0.0.5...
Connected to matrix.
Escape character is '^]'.
Connection closed by foreign host.
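As an added example (not from the original post), one way to turn the "auth failed" lines in the Dovecot log into hosts.deny entries for the setup above. The log lines are constructed, and the threshold of 3 summed failed attempts per remote IP is an assumed value; the script only prints the entries, it does not edit /etc/hosts.deny.

```shell
#!/bin/sh
# Constructed sample of Dovecot imap-login messages (not real log data).
SAMPLE_LOG='Jan 10 10:00:01 matrix dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=10.0.0.1, lip=10.0.0.5
Jan 10 10:00:03 matrix dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.0.0.1, lip=10.0.0.5
Jan 10 10:00:05 matrix dovecot: imap-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<test>, method=PLAIN, rip=10.0.0.1, lip=10.0.0.5
Jan 10 10:00:07 matrix dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.9, lip=10.0.0.5
Jan 10 10:00:09 matrix dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob>, method=PLAIN, rip=10.0.0.9, lip=10.0.0.5'

# hosts_deny_entries THRESHOLD  < logfile
# Sums the "N attempts" counts of "auth failed" lines per remote IP (rip=)
# and prints one hosts.deny line ("imap: IP") for every IP at or above THRESHOLD.
hosts_deny_entries() {
    awk -v limit="$1" '
        /imap-login: .*\(auth failed, [0-9]+ attempts/ {
            n = 0; ip = ""
            # "auth failed, N attempts" -> N is the third space-separated word
            if (match($0, /auth failed, [0-9]+ attempts/)) {
                split(substr($0, RSTART, RLENGTH), a, " "); n = a[3] + 0
            }
            # rip=A.B.C.D -> strip the "rip=" prefix
            if (match($0, /rip=[0-9.]+/)) ip = substr($0, RSTART + 4, RLENGTH - 4)
            if (ip != "") fails[ip] += n
        }
        END { for (ip in fails) if (fails[ip] >= limit) print "imap: " ip }
    ' | sort
}

# Preview the entries; append them to /etc/hosts.deny only after reviewing.
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_entries 3
```

Successful logins and IPs below the threshold (10.0.0.9 in the sample) produce no entry, so a legitimate user mistyping a password once is not locked out.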


That's it.
Now I need to figure out how to add daemontools/Dovecot to DenyHosts 😉
