On Fri, 13 Feb 2009, Alain Williams wrote:

> From: Alain Williams <addw@xxxxxxxxxxxx>
> To: Cyrus Mailing List <info-cyrus@xxxxxxxxxxxxxxxxxxxx>
> Date: Fri, 13 Feb 2009 15:30:46 +0000
> Subject: Re: Security risk of POP3 & IMAP protocols
>
> ...
>
> > Yes. Anything that opens a bunch of mailboxes at the same time
> > might be doing way more than that. You should be measuring
> > "failed attempts", not "attempts".
>
> Yes, but I do the rate limiting with iptables (Linux firewall). I
> don't know how to feed back failed attempts to iptables.

There are probably several ways to do this. But, as a suggestion, have a
look at sshblack from:

http://www.pettingers.org/code/sshblack.html

It's intended for use against ssh brute-force attempts. However, it's a
perl script running tail on a log looking for suspicious activity, so it
should be easily adaptable for other purposes, along with the iptables
scripts included. I expect the only wrinkle with IMAP is that you'll
want to block both port 143 and 993.

I fire up a small IMAP server with:

CYRUS_VERBOSE=1 ...

and keep the logs separate. Failed login attempts show up in the logs as
lines of the form:

Feb 13 15:42:25 bahamontes imap[10596]: badlogin: hinault.bath.ac.uk [138.38.56.28] PLAIN [SASL(-13): authentication failure: Password verification failed]

so it should be easy for a perl script to pick out the badly-behaved
client.

As others have pointed out, webmail servers are a particular pain.
You'll probably need to whitelist your own webmail servers. Otherwise
the external blackhats will be able to persuade your IMAP server to deny
access to your webmail server(s). A neat DoS attack *and* lots of
unhappy customers!

You should also consider how you'd harden up your webmail servers
against brute force attacks. Not sure how you'd do that, as many, if not
all, webmail servers rely on the IMAP server to validate the connection.

Usual disclaimer: I've never tried doing this myself. This advice is
worth what you paid for it.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@xxxxxxxxxx                Phone: +44 1225 386101
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
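The tail-the-log-and-feed-iptables approach the message sketches, written out as an added example (this is not sshblack, not code from the Cyrus project, and not from the poster). It parses Cyrus "badlogin:" lines of the form shown above, keeps a sliding-window count of failures per client IP, skips whitelisted networks (the webmail servers the message warns about), and emits iptables commands for ports 143 and 993 once an IP crosses the threshold. The POP3 ports 110/995, the dedicated MAILBLOCK chain, the log year 2009 and all sample log lines are assumptions constructed for the demo; the script prints rules rather than running them.

```python
"""Added example: turn Cyrus "badlogin" log lines into iptables block rules.

Constructed stand-in for the sshblack-style tail-the-log script suggested
in the message; not code from the Cyrus project or from the post.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# With CYRUS_VERBOSE=1 a failed login is logged as, e.g.:
#   Feb 13 15:42:25 host imap[10596]: badlogin: client.example [203.0.113.7] PLAIN [SASL(-13): ...]
BADLOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<svc>imaps?|pop3s?)\[\d+\]: badlogin: (?P<host>\S+) "
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\] (?P<mech>\S+)"
)

LOG_YEAR = 2009                    # syslog timestamps carry no year (assumption for the demo)
MAIL_PORTS = (143, 993, 110, 995)  # IMAP, IMAPS, POP3, POP3S (the POP3 ports are an assumption)
CHAIN = "MAILBLOCK"                # hypothetical dedicated chain the operator creates up front


def parse_badlogin(line, year=LOG_YEAR):
    """Return {ts, svc, ip, mech} for a badlogin line, or None for any other line."""
    m = BADLOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "svc": m["svc"], "ip": ip_address(m["ip"]), "mech": m["mech"]}


def iptables_block(ip, ports=MAIL_PORTS, chain=CHAIN):
    """Commands that drop further connections from `ip` to the mail ports."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport {p} -j DROP" for p in ports]


class FailureTracker:
    """Sliding-window count of failed logins per client IP."""

    def __init__(self, threshold=5, window=600, whitelist=()):
        self.threshold = threshold          # failures that trigger a block
        self.window = window                # seconds the failures must fall within
        self.whitelist = [ip_network(n) for n in whitelist]  # e.g. your webmail hosts
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = set()

    def is_whitelisted(self, ip):
        return any(ip in net for net in self.whitelist)

    def feed(self, line):
        """Feed one log line; return iptables commands if it tips an IP over the threshold."""
        ev = parse_badlogin(line)
        if ev is None or ev["ip"] in self.blocked or self.is_whitelisted(ev["ip"]):
            return []
        recent = self.failures[ev["ip"]]
        recent.append(ev["ts"])
        while (ev["ts"] - recent[0]).total_seconds() > self.window:  # age out old failures
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(ev["ip"])
            return iptables_block(ev["ip"])
        return []


def _line(ts, svc, host, ip):
    """Build a constructed badlogin line in the format Cyrus logs (not real traffic)."""
    return (f"Feb 13 {ts} bahamontes {svc}[10596]: badlogin: {host} [{ip}] PLAIN "
            "[SASL(-13): authentication failure: Password verification failed]")


# Constructed sample log, in log order, using RFC 5737 documentation addresses.
SAMPLE_LINES = [
    _line("15:42:00", "pop3", "slow.example", "203.0.113.9"),    # one failure, then quiet
    _line("15:42:25", "imap", "scan.example", "203.0.113.7"),
    _line("15:42:26", "imap", "scan.example", "203.0.113.7"),
    _line("15:42:27", "imap", "scan.example", "203.0.113.7"),    # third within 60 s -> block
    _line("15:42:30", "imap", "webmail.example", "192.0.2.10"),  # whitelisted webmail host
    _line("15:42:31", "imap", "webmail.example", "192.0.2.10"),
    _line("15:42:32", "imap", "webmail.example", "192.0.2.10"),  # never blocked
    _line("15:50:00", "pop3", "slow.example", "203.0.113.9"),    # 15:42:00 failure has aged out
    _line("15:50:01", "pop3", "slow.example", "203.0.113.9"),    # only 2 in window -> no block
    "Feb 13 15:51:00 bahamontes imap[10596]: login: user.example [198.51.100.4] alice PLAIN",
]


def demo(threshold=3, window=60, whitelist=("192.0.2.0/24",)):
    """Run the sample lines through a tracker; return (commands, tracker)."""
    tracker = FailureTracker(threshold, window, whitelist)
    commands = []
    for line in SAMPLE_LINES:
        commands.extend(tracker.feed(line))
    return commands, tracker


if __name__ == "__main__":
    # Print (do not run) rules for whatever is piped in, e.g.:
    #   tail -F /var/log/imap.log | python3 badlogin_block.py 192.0.2.0/24
    tracker = FailureTracker(whitelist=sys.argv[1:])
    for line in sys.stdin:
        for cmd in tracker.feed(line.rstrip("\n")):
            print(cmd)
```

The rules go into a separate chain so they can be flushed or expired without touching the rest of the firewall; create it once with `iptables -N MAILBLOCK` and `iptables -I INPUT -j MAILBLOCK` before piping the log in. Counting only "badlogin:" lines, rather than connections, is what the quoted advice asks for, and the whitelist is the guard against an attacker getting your own webmail servers blocked.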