Automatic blocking of failed POP and IMAP attempts on my mailserver
#173 Henry, Sunday, 29 July 2012 12:59 PM (Category: Network)
(Tags: linode fail2ban iptables)

I have been trying to make my Linode system even more secure. I wanted to implement fail2ban for POP and IMAP, as those two are getting the most attacks made. IMAP is fine, the logs of failed attempts go to /var/log/messages and include the IP address. I could do IMAP easily. But it gets a tiny fraction of attempts compared to POP. POP is the problem. Notice of a failed attempt goes to /var/log/messages, but without an IP address. Notice of an attempt with the IP address goes to /var/log/secure. Two different files, and the only link between them is the date and time.

I looked at the code for popa3d, hoping to include the IP address in the failure log. Not a good thing to do. Updates would erase my work.

I looked at changing the log file that popa3d logs would go to. I really do not like the syslog system. That was a failure for me.

I looked at replacing popa3d and imapd with Dovecot. I installed Dovecot on one of my systems and attempted to configure it. I now have enormous respect for the packagers of Linux distributions. Getting some of these packages working is a difficult feat. Dovecot will handle an enormous range of security measures, and describes them in full. But getting the simplest possible system working was not well described and I was unable to configure it adequately. I could not make it access /etc/passwd and /etc/shadow. Incorrect permissions. I admit the failure was mine. Dovecot appears to be a wonderful system, I am just incapable of understanding how to make it work on my system.

So after spending a lot of time on all this stuff, and learning a lot of things, I resigned myself to accepting the inevitable and writing my own security system like fail2ban. It took me two hours. It works. I read through /var/log/messages and get a list of POP and IMAP failures. IMAP failures have the IP address included, so if those IP addresses have too many failed attempts in too short a time, I ban them immediately with iptables. I store the time of the POP failures, then read through /var/log/secure and find the IP addresses that match the times, count them, and if they exceed threshholds, I ban them immediately with iptables. I tested it using old attempts, and it works fine. I get an alert that an IP address has been banned. They get added to my iptables blacklist as well, so if the system is rebooted, they stay banned. I also note date time and reason, so I can remove them later if I feel generous.

Sometimes you have to accept what you have, and work with it. I accepted the strangeness of the POP logs, and worked with it. The customised approach is one I can live with.

So I put this live, and immediately felt a lot happier and more secure. But what happened then? The Olympics started, and not one single person has attempted an attack. I've been getting daily attacks since I started with Linode, and suddenly the Olympics and no attacks. That's pretty funny.