Update Dovecot signature for POP3

Create issue
Issue #22 resolved
Bruno Friedmann created an issue

Dovecot protection could be extented to also other services like pop3

Here's for example the failed login on dovecot for pop3

/* pop3-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<muzas>, method=PLAIN, rip=5.101.157.80, lip=87.98.140.96, session=<Y8jIxw/97AAFZZ1Q> */

Should a line like the following enough

"pop3-login: Aborted login (auth failed, "{NUMBER}" attempts ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
+<dovecot_loginerr>", lip=".+                                    { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; }

The problem I saw it is reusing the IMAP defs....

There's another point I would like to protect is the ldap login with dovecot

dovecot[5068]: auth: ldap(gast,82.147.195.250): invalid credentials

which is linked to postfix submission login

postfix/smtpd[9168]: warning: unknown[82.147.195.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

If I can certainly produce some patches, I would like to have so guidance on how you would like to rework the dovecot support.

Comments (5)

  1. Kevin Zheng

    Hi Bruno, sorry for the belated response. Writing attack signatures for SSHGuard is a bit clunky at the moment. I'm focusing on shipping the imminent 1.6.3 release, but when that's done I'll take a look at simplifying how signatures are written.

  2. Bruno Friedmann reporter

    I've created a patch for myself that allow picking up pop3 and imap (against 1.6.3 release)

    diff --git i/src/parser/attack_scanner.l w/src/parser/attack_scanner.l
    index fb6b9f5..38978d7 100644
    --- i/src/parser/attack_scanner.l
    +++ w/src/parser/attack_scanner.l
    @@ -44,7 +44,7 @@ static int getsyslogpid(char *syslogbanner, int length);
      /* for FTP services */
     %s freebsdftpd_loginerr  proftpd_loginerr  pureftpd_loginerr vsftpd_loginerr
    
    -
    +IMAPORPOP3  (imap|pop3)
     MONTH       (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
     MONTHNO     0[0-9]|1[0-2]
     DAYNO       [0-9][0-9]?
    @@ -168,7 +168,7 @@ FACLEVEL    (<[a-zA-Z0-9]+\.[a-zA-Z0-9]+>)
     <sendmail_authfailure>"]".*                                     { BEGIN(INITIAL); return SENDMAIL_AUTHFAILURE_SUFF; }
    
      /* dovecot */
    -"imap-login: Aborted login (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
    +{IMAPORPOP3}"-login: Aborted login (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
     <dovecot_loginerr>", lip=".+                                        { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; }
    
      /* UWimap login errors */
    diff --git i/src/sshguard.c w/src/sshguard.c
    index 01f6bc6..1445998 100644
    --- i/src/sshguard.c
    +++ w/src/sshguard.c
    @@ -39,7 +39,7 @@
     #include "sshguard_procauth.h"
     #include "sshguard_whitelist.h"
    
    -#define MAX_LOGLINE_LEN     1000
    +#define MAX_LOGLINE_LEN     2000
    
     /** Keep track of the exit signal received. */
     static volatile sig_atomic_t exit_sig = 0;
    

    About postfix, I've seen in the code it can be pick SASL error.

  3. Log in to comment