Date:  Wed, 7 May 2008 14:37:52 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:12749] Re: [testing] dovecot udpate
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <75a501c8b08a$9c44d030$6601a8c0@OfficeKen>
References:  <327DE0A0-4C10-47A0-B6F7-71D79103911B (at mark) alpha.or.jp> <5fa041b20805060033t6b2551e6l46f710fc664f9943 (at mark) mail.gmail.com> <1d4c951a0805060646t2f5824eal999403f55697c73b (at mark) mail.gmail.com> <7A304A11-98EE-49B3-AB64-2D64109BF7F1 (at mark) alpha.or.jp> <033501c8b041$da2c2c70$6400a8c0 (at mark) HPPAVILION> <450AA6B0-4436-492D-BDEF-4D35ACE43CD5 (at mark) alpha.or.jp> <7853B509BA765D40B8DACAEA2F64B2A4023890F9 (at mark) es005.gramtel.office>
X-Mail-Count: 12749


----- Original Message ----- 
From: "Rusty Waybrant" <RWaybrant (at mark) gramtel.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Wednesday, May 07, 2008 1:27 PM
Subject: [coba-e:12747] Re: [testing] dovecot udpate


>
>>> First, let me say thank you for all you do.
>>>
>>> Second, let me ask a question: is converting BQ from PAM to flat
>>> files going backwards?  It doesn't appear to be a step forward, but a step
>>> backward.
>>> Shudder the word, but has anyone looked at Zeffie's recommendation to
>>> see if it had any value before moving backwards?
>>
>> Changing from pwdb to flat files will bring performance down.
>> On some points, changing to flat files means taking a step back.
>>
>> I read Zeffie's post, coba-e:12183, again.
>> If it is true, and the pwdb isn't the cause of the issue with dovecot
>> (that issue is caused by dovecot's pwdb implementation), we don't need to
>> change back to flat files.
> <...>
>>
>> Any comment?
>>
>> Regards,
>> Hisao
>
> I've been playing around with the "login_max_processes_count" option in
> dovecot.conf, and while it seems to work great preventing issues when
> there is a dictionary attack against POP3, it obviously had no effect on
> a recent FTP dictionary attack... pwdb still flaked out, and you would
> have to log in as root (since root is in shadow vs pwdb) to manually
> fix, or wait for some time after the attack has stopped (time enough for
> db_recover to do its thing).
>
> I see shadow vs pwdb as a step back also, but it would be a step towards
> stability and reliability.
>
> I know BQ made the change from vsftpd to proftpd, so does proftpd have a
> similar config setting as dovecot that may reduce issues with pwdb
> during dictionary attacks? But is this a bad direction to head; tuning
> the individual services instead of replacing the underlying
> authentication mechanism?
>
> Rusty
>


As far as FTP and SSH dictionary attacks, it is easy to prevent them.

# 1. install the apf firewall

####################################################################

cd ~admin

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar xzvpf apf-current.tar.gz

cd apf-0.9.6-3

./install.sh



#each of the 3 lines below is a single perl -p -i -e command (do not let the mailer wrap them)

perl -p -i -e 's/IG_TCP_CPORTS=\"22\"/IG_TCP_CPORTS=\"21,22,23,25,53,80,110,143,443,81,444,465,587,783,873,993,995,5100,60000_60019\"/g' /etc/apf/conf.apf

perl -p -i -e 's/IG_UDP_CPORTS=\"\"/IG_UDP_CPORTS=\"53,60000_60019\"/g' /etc/apf/conf.apf

perl -p -i -e 's/^DEVEL_MODE=\"1\"/DEVEL_MODE=\"0\"/g' /etc/apf/conf.apf



/etc/rc.d/init.d/apf restart

####################################################################

#2.  install the bfd brute force detection

#BFD # http://www.webhostgear.com/60.html

####################################################################

cd ~admin

wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

tar -xvzf bfd-current.tar.gz

cd bfd-0.9

./install.sh

wget precisionweb.net/frank/conf.bfd

mv conf.bfd /usr/local/bfd/conf.bfd

#look through the   /usr/local/bfd/conf.bfd   and modify as necessary

#echo "209.216.51.62" >> /usr/local/bfd/ignore.hosts

wget http://www.r-fx.ca/downloads/sshd

mv -f sshd /usr/local/bfd/rules/

# the change below stops anonymous logins from blocking people

perl -p -i -e 's/grep -w proftpd/grep -w proftpd \| grep -v anonymous/g' /usr/local/bfd/rules/proftpd

####################################################################
----

Ken Marcus

Ecommerce Web Hosting by

Precision Web Hosting, Inc.

http://www.precisionweb.net
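The proftpd rule tweak in Ken's procedure (count failed proftpd logins per source, but skip anonymous attempts so they cannot get a host blocked) is the core of what bfd does before it hands an address to apf. The script below is an added example written for this archive page, not code from the thread or from the bfd project: it applies that same counting logic to a few constructed proftpd and sshd log lines (the IPs are documentation addresses and the line formats are approximations, not captured from a real BlueQuartz box) and lists sources that reach a failure threshold. It reports only; feeding the result to a firewall is left to the reader.

```shell
#!/bin/sh
# Added example: per-source failed-login counting in the spirit of bfd.
# LOG_SAMPLE is constructed for this example; real proftpd/sshd lines may differ.
LOG_SAMPLE='May  7 13:01:02 srv proftpd[1234]: srv (198.51.100.7[198.51.100.7]) - USER alice (Login failed): Incorrect password.
May  7 13:01:03 srv proftpd[1235]: srv (198.51.100.7[198.51.100.7]) - USER bob (Login failed): Incorrect password.
May  7 13:01:04 srv proftpd[1236]: srv (198.51.100.7[198.51.100.7]) - USER carol (Login failed): Incorrect password.
May  7 13:01:05 srv proftpd[1237]: srv (203.0.113.9[203.0.113.9]) - USER anonymous (Login failed): No such user.
May  7 13:01:06 srv proftpd[1238]: srv (203.0.113.9[203.0.113.9]) - USER anonymous (Login failed): No such user.
May  7 13:01:07 srv proftpd[1239]: srv (203.0.113.9[203.0.113.9]) - USER anonymous (Login failed): No such user.
May  7 13:02:01 srv sshd[2001]: Failed password for root from 192.0.2.44 port 51000 ssh2
May  7 13:02:02 srv sshd[2002]: Failed password for invalid user admin from 192.0.2.44 port 51001 ssh2
May  7 13:02:03 srv sshd[2003]: Failed password for root from 192.0.2.44 port 51002 ssh2
May  7 13:02:04 srv sshd[2004]: Accepted publickey for admin from 198.51.100.20 port 51003 ssh2'

# Failed proftpd logins per source IP, printed as "count ip".
# "grep -w proftpd | grep -v anonymous" mirrors the patched bfd rule, so the
# anonymous attempts from 203.0.113.9 are not counted.
ftp_failures() {
    printf '%s\n' "$LOG_SAMPLE" \
      | grep -w proftpd | grep -v anonymous | grep 'Login failed' \
      | sed -n 's/.*\[\([0-9.][0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | awk '{print $1, $2}'
}

# Failed sshd password logins per source IP, printed as "count ip".
ssh_failures() {
    printf '%s\n' "$LOG_SAMPLE" \
      | grep -w sshd | grep 'Failed password' \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | awk '{print $1, $2}'
}

# Sources whose combined failure count reaches the threshold (default 3),
# one IP per line, sorted. This is the list bfd would pass on to apf.
offenders() {
    threshold=${1:-3}
    { ftp_failures; ssh_failures; } \
      | awk -v t="$threshold" '{ n[$2] += $1 } END { for (ip in n) if (n[ip] >= t) print ip }' \
      | sort
}

# Usage: source this file, then run "offenders 3" to list sources with
# three or more failures in the sample.
```

With the sample above, 198.51.100.7 (three real FTP failures) and 192.0.2.44 (three SSH failures) are reported, while 203.0.113.9 is not, because all of its failures are anonymous FTP attempts. Running the same counting against a live log is where the threshold matters: set it low enough to catch a dictionary run before pwdb is overwhelmed, but high enough that a user with a forgotten password does not lock out a whole office.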