Is there any way to harden Dovecot against POP/IMAP denial of service attacks?

Question

Level 2

285 points

Is there any way to harden Dovecot against POP/IMAP denial of service attacks?

It doesn’t happen very often, but every so often a script kiddie on the Internet hits Dovecot's POP ports on our mail server hard enough to bring mail service to a crawl such that legit users can’t log in to retrieve their mail. I would say that with our 2.66GHz Intel Core 2 Duo Mac Mini Server, when we receive sustained POP login attacks that exceed ten logins per second, then eventually Dovecot gets swamped with so many requests that legit users are excluded. [Our server runs runs OS X Server 10.6.8-10K549, by the way, and Dovecot 1.1.2apple0.5 is installed as determined by running “dovecotd --version”. We keep the mail sever up to date with all available Apple software updates on a weekly basis, so we have the latest and greatest security updates.]

Here’s the problem: I’ve been studying the Dovecot 1.x Wiki at http://wiki1.dovecot.org/ and finding a number of parameters that *sort* of address this denial-of-service vulnerability, but none that appear to harden Dovecot in a similar fashion as ssh or sftp are hardened. By this, I mean that when ssh or sftp detect multiple login attempts originating from the same address above some threshold, then future login attempts are ignored for a solid fifteen minutes no matter what the login name was in the attempts. I’d like something similar for Dovecot.

I am aware of the “mail_max_userip_connections” setting which can be set independently for POP and IMAP service (see http://wiki1.dovecot.org/MainConfig?highlight=%28mail_max_userip_connections%29). This almost does what I want in that it indeed restricts the number of logins for a particular user coming from a single IP address. The problem is that the script kiddies typically scatter their attacks over hundreds of different login names and they may only attempt three or four logins per user name. What I really want is a parameter which starts to ignore logins no matter what the user name if too many come from a single IP address at the same time. Against this, I also need to balance my mail server restrictions to allow perhaps five or ten of my users with laptops to be behind a remote firewall, so all of their legit logins may hit my server perhaps three to ten at a time which could potentially look like an attack if my tuning parameter is set too low. What I’d really like to find is a tuning parameter that excludes concerted attacks without excluding my legitimate users. I also don’t want to invest in extremely expensive (>$10,000) “smart” firewalls that adaptively look for this type of attack, such as are offered by Netgear and other networking equipment manufacturers.

By examining /etc/dovecot/dovecot.conf on my mail server, it seems that Apple’s defaults are to set IMAP mail_max_userip_connections to 20, and for POP to leave the mail_max_userip_connections parameter commented out. Would there be any downside to enabling POP's mail_max_userip_connections to 20 as well? Offhand I can’t see how this would affect my users. Unfortunately, I also think that if I set the POP mail_max_userip_connections to 20 this won’t have any effect on the attackers since they typically won’t try 20 different passwords for the same login name in a given attack. I’ll post a segment of a log showing an actual attack that occurred today from the San Bernadino School District that I’ve since blocked in my network’s firewall, but it will illustrate the type of hard-core denial-of-service attack that I’m referring to. The login attempts were coming in fast, around forty-per-second, and my mail service went down in a matter of minutes as a result. [Yes: I will report this user… I haven’t gotten around to it yet with other issues.]

Any thoughts?

iMac 2.66GHz Intel Core 2 Duo, Mac OS X (10.6.7), 4GB RAM, SuperDrive, Airport, 8-core Xeon Xserve

Posted on Jan 13, 2012 4:21 PM

Reply

Answer 1

Bert Sierra Author

Level 2

285 points

Jan 13, 2012 4:51 PM in response to Bert Sierra

Here’s a ten second snippet from my mail server's log, showing how intense the login frequency was from the attacker, and also how (s)he was "scattering" the login names used which I suspect would be quite hard to filter out using POP's mail_max_userip_connections parameter. The attack lasted from 1:43:39 through a server restart at 1:50:18, and even about a minute later. The attack stopped at 1:51:36 before I was able to add a firewalling rule to my router or to exclude logins from the 163.150/16 subnet from my router [FYI — that's the San Bernadino Country School District, according to http://whois.arin.net/rest/net/NET-163-150-0-0-1/pft ].

Any thoughts on how to block this type of POP attack in Dovecot?

[FYI — I changed my actual server name to 'myserver' and the actual admin name to 'Administrator'.]

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user

Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user

Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](pwrchute,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(pwrchute,163.150.246.27): lookup failed for user: pwrchute

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user

Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy