BFD + Dovecot

aquila

Hi,

I'm on custombuild. I've recently switched over to Dovecot, and now I keep getting a lot of brute force attacks on Dovecot. Since I also have BFD installed, I think I can still prevent this brute force? Can someone help me with a BFD rule for Dovecot please?

Thanks in advance
 
Hey, I was searching for the same and came across this URL

http://bluequartz.org/ml/archive/coba-e/12600/12695.html

But it looks like the script has to be changed, as

awk '{print$14}' - is not the right parameter

so it has to be changed to

awk '{print$20}'

I hope someone else can confirm and verify this.

I have created a new rule file under /usr/local/bfd/rules

#cd /usr/local/bfd/rules
#vi dovecot
REQ="/usr/sbin/dovecot"
if [ -f "$REQ" ]; then
LP="/var/log/maillog"
TLOG_TF="pop3"
TRIG="10"

## pop3
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep pop | grep -w "user=" | grep -iwf $PATTERN_FILE | tr '[]=' ' ' | tr -d '()' | awk '{print$20}' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
fi


Hope this is right

Thanks
 
Hey Rohit,

Sorry to get back so late. I tried your rule and it didn't work. I figured out that I had to change it a little. So here is mine:

REQ="/usr/sbin/dovecot"
if [ -f "$REQ" ]; then
LP="/var/log/maillog"
TLOG_TF="pop3"
TRIG="10"

## pop3
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep pop | grep -w "user=" | grep -iwf $PATTERN_FILE | tr '[]=' ' ' | tr -d '()' | awk '{print$20}' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
fi

Now, when I run bfd -s I get the following errors. Any ideas?

# bfd -s
BFD version 1.2 <[email protected]>
Copyright (C) 1999-2008, R-fx Networks <[email protected]>
Copyright (C) 2008, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.

Thanks in advance.
 
Same problem here.
I can't find any other dovecot rules on the net, let's hope someone can fix this error for us.
 
Working Dovecot bfd script

Here is the script that I use. It will catch several different types of Dovecot login failures, such as aborted logins, unknown users and failed password attempts. Keep this in mind when a user calls to say they cannot connect to email anymore. Don't set the trigger below 10. Here is the dovecot script.

=-=-=-=-=-=cuthere=-=-=-=-=-=-=-=
REQ="/usr/sbin/dovecot"
if [ -f "$REQ" ]; then
LP="/var/log/maillog"
TLOG_TF="pop3"
TRIG="10"

## pop3
ARG_VAL=`$TLOGP $LP $TLOG_TF |grep dovecot |grep -w "failed" |grep auth |grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
fi
=-=-=-=-=-=cuthere=-=-=-=-=-=-=-=


John Faubion
Integrated Voice Systems
 
This works for me....

I finally decided to hack and hack and hack you guys' code to make it work. Here it is working..... Enjoy

REQ="/usr/sbin/dovecot"
if [ -f "$REQ" ]; then
LP="/var/log/maillog"
TLOG_TF="pop3"
TRIG="10"

## pop3
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF |grep "Disconnected" | grep "auth failed" | grep "Shutting" | tr '[]=' ' ' | tr -d '()' | awk '{print$19}' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
fi
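To check what the grep chains in the two working rules above actually feed to bfd, here is an added, stand-alone script (not a BFD rule file and not code from any poster) that runs the same dovecot/failed/auth filter over a constructed Dovecot 1.x maillog excerpt and applies the TRIG threshold the way bfd does when it counts hits per address in ARG_VAL. It assumes the Dovecot 1.x "Disconnected (auth failed ...): user=<...>, rip=..., lip=..." line format; the log lines, host name and addresses are made up.

```shell
#!/bin/sh
# Added example, not a BFD rule: reproduce the rule's IP extraction on a
# constructed maillog excerpt and apply the TRIG threshold per address.
TRIG=10

# Constructed log lines: 12 failures from 203.0.113.5, 3 from 198.51.100.7,
# one successful login and one aborted (no password tried) connection.
sample_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf 'Jul 21 18:30:%02d front1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1\n' "$i"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 3 ]; do
        printf 'Jul 21 18:31:%02d front1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1\n' "$i"
        i=$((i + 1))
    done
    echo 'Jul 21 18:32:00 front1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1'
    echo 'Jul 21 18:32:01 front1 dovecot: pop3-login: Aborted login (no auth attempts): rip=198.51.100.9, lip=192.0.2.1'
}

# Same filter chain as the posted rule (dovecot / failed / auth), but the IP is
# taken from the rip= field so the server's own lip= address is never counted.
failed_ips() {
    sample_log | grep dovecot | grep -w failed | grep auth \
        | grep -o -E 'rip=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | cut -d= -f2
}

# Addresses with at least TRIG failures: the set bfd would hand to the firewall.
offenders() {
    failed_ips | sort | uniq -c | awk -v t="$TRIG" '$1 >= t { print $2 }'
}

offenders
```

Anchoring on rip= matters: a bare IPv4 regex with grep -o also emits the lip= address on every matching line, so the server's own address racks up hits alongside the client's.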
 
Hi,

I've tried the last two ways above of trying to get bfd to work with Dovecot, but it still doesn't seem to work. Has anyone else got a way I can try?

thanks in advance
 
It should work already if you are using CSF/LFD instead of APF/BFD :)
CSF supports it:
# Log files
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
SMTPRELAY_LOG = "/var/log/exim/mainlog"
BIND_LOG = "/var/log/messages"
 
Bfd + apf

I installed the 1.4 version of bfd, and when I run it I get the following errors. Can someone help me?

BFD version 1.4 <[email protected]>
Copyright (C) 1999-2010, R-fx Networks <[email protected]>
Copyright (C) 2010, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

Jul 21 18:31:12 front1 bfd(27037): processing rule file apache
Jul 21 18:31:12 front1 bfd(27037): processing rule file dovecot
/usr/local/bfd/rules/dovecot: line 10: syntax error near unexpected token `fi'
/usr/local/bfd/rules/dovecot: line 10: `fi'
Jul 21 18:31:12 front1 bfd(27037): processing rule file exim
/usr/local/bfd/rules/exim: line 11: /var/log/exim/mainlog: Permission denied
Jul 21 18:31:12 front1 bfd(27037): processing rule file proftpd
/usr/local/bfd/rules/proftpd: line 8: /var/log/secure: Permission denied
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Jul 21 18:31:12 front1 bfd(27037): processing rule file rh_imap
/usr/local/bfd/rules/rh_imap: line 8: /var/log/messages: Permission denied
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
/usr/local/bfd/rules/rh_imap: line 9: /var/log/messages: Permission denied
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
/usr/local/bfd/rules/rh_imap: line 10: /var/log/messages: Permission denied
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Jul 21 18:31:12 front1 bfd(27037): processing rule file rh_pop3
/usr/local/bfd/rules/rh_pop3: line 8: /var/log/maillog: Permission denied
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Jul 21 18:31:13 front1 bfd(27037): processing rule file sendmail
Jul 21 18:31:13 front1 bfd(27037): processing rule file sshd
/usr/local/bfd/rules/sshd: line 9: /var/log/secure: Permission denied
/usr/local/bfd/rules/sshd: line 10: /var/log/secure: Permission denied
/usr/local/bfd/rules/sshd: line 11: /var/log/secure: Permission denied

thanks
 