Index: [Article Count Order] [Thread]

Date:  Thu, 8 May 2008 10:08:22 -0400
From:  "Rusty Waybrant" <RWaybrant (at mark) gramtel.net>
Subject:  [coba-e:12763] Re: [testing] dovecot udpate
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <7853B509BA765D40B8DACAEA2F64B2A402389179 (at mark) es005.gramtel.office>
In-Reply-To:  <4822C171.9080300 (at mark) dogsbody.org>
References:  <75b701c8b08b$8a63acf0$6601a8c0 (at mark) OfficeKen> <4822C171.9080300 (at mark) dogsbody.org>
X-Mail-Count: 12763



>>>> I've been playing around with the "login_max_processes_count"
option 
>>>> in dovecot.conf, and while it seems to work great preventing issues

>>>> when there is a dictionary-attack against POP3, it obviously had no

>>>> affect on a recent FTP dictionary-attack... pwdb still flaked out, 
>>>> and you would have to login with root (since root is in shadow vs 
>>>> pwdb) to manually fix or wait for sometime after the attack has 
>>>> stopped (time enough for db_recover to do its thing).
>>>
>>> As far as FTP and SSH dictionary attacks, it is easy to prevent
them.
>>> # 1. install the apf firewall
>>> #2.  install the bfd brute force detection
>
>I'm of the same view that dictionary attacks should not affect any
system that has a proper firewall.  I just 
>use an iptables recipe that I came up with on all my machines and have
never had a single problem with the 
>issues discussed here!
>
>Why can't we install a proper firewall with BQ?  We already setup
iptables as a packet counter so it wouldn't be >any more work than
updating a few files... although I guess we would need to build a GUI
around it.
>
>Just my 0.02 GBP
>
>Dan

I agree, a good firewall with GUI would be great, and the best way to
prevent pwdb issues from dictionary attacks (against POP3 and FTP)... 

However, this is just one possible way to see the flaky pwdb issues...
Get a server with 1000+ users checking their email once every minute,
and pwdb still crumbles. Here, the login_max_processes_count seem to
resolve most of the issues, but not all, and still have to routinely
visit the server to clear things up. Obviously, any firewall shouldn't
restrict this, as these are just 'power' users getting their email. I
can only assume that a similar power FTP user setup could see similar
issues, but I cannot speak from experience as I only see light FTP
usage. 

Rusty