----- Original Message -----
From: "Ken Marcus - Precision Web Hosting, Inc."
<kenmarcus (at mark) precisionweb.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Wednesday, May 07, 2008 2:37 PM
Subject: Re: [coba-e:12747] Re: [testing] dovecot udpate
>
> ----- Original Message -----
> From: "Rusty Waybrant" <RWaybrant (at mark) gramtel.net>
> To: <coba-e (at mark) bluequartz.org>
> Sent: Wednesday, May 07, 2008 1:27 PM
> Subject: [coba-e:12747] Re: [testing] dovecot udpate
>
>
>>
>>>> First, let me say thank you for all you do.
>>>>
>>>> Second, let me ask a question: is converting BQ from PAM to flat files
>>>> going backwards? It doesn't appear to be a step forward, but a step
>>>> backward.
>>>> Shudder the word, but has anyone looked at Zeffie's recommendation to
>>>> see if it had any value before moving backwards?
>>>
>>>Changing from pwdb to flat files will reduce performance.
>>>In some respects, changing to flat files is a step back.
>>>
>>>I read Zeffie's post as coba-e:12183 again.
>>>If that is true, and pwdb itself isn't the cause of the issue with dovecot
>>>(the issue is caused by dovecot's pwdb implementation), we don't need to
>>>change back to flat files.
>> <...>
>>>
>>>Any comment?
>>>
>>>Regards,
>>>Hisao
>>
>> I've been playing around with the "login_max_processes_count" option in
>> dovecot.conf, and while it seems to work great preventing issues when
>> there is a dictionary attack against POP3, it obviously had no effect on
>> a recent FTP dictionary attack... pwdb still flaked out, and you would
>> have to log in as root (since root is in shadow vs pwdb) to manually
>> fix it, or wait for some time after the attack has stopped (time enough
>> for db_recover to do its thing).
>>
>> I see shadow vs pwdb as a step back also, but it would be a step towards
>> stability and reliability.
>>
>> I know BQ made the change from vsftpd to proftpd, so does proftpd have a
>> similar config setting as dovecot that may reduce issues with pwdb
>> during dictionary attacks? But, is this a bad direction to head; tuning
>> the individual services instead of replacing the underlying
>> authentication mechanism?
>>
>> Rusty
>>
>
>
> As far as FTP and SSH dictionary attacks, it is easy to prevent them.
>
> # 1. install the apf firewall
>
> ####################################################################
>
> cd ~admin
>
> wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
>
> tar xzvpf apf-current.tar.gz
>
> cd apf-0.9.6-3
>
> ./install.sh
>
>
>
> #each of the 3 lines below starts with perl -p -i -e
>
> perl -p -i -e 's/IG_TCP_CPORTS=\"22\"/IG_TCP_CPORTS=\"21,22,23,25,53,80,110,143,443,81,444,465,587,783,873,993,995,5100,60000_60019\"/g' /etc/apf/conf.apf
>
> perl -p -i -e 's/IG_UDP_CPORTS=\"\"/IG_UDP_CPORTS=\"53,60000_60019\"/g' /etc/apf/conf.apf
>
> perl -p -i -e 's/^DEVEL_MODE=\"1\"/DEVEL_MODE=\"0\"/g' /etc/apf/conf.apf
>
>
>
> /etc/rc.d/init.d/apf restart
>
> ####################################################################
>
> # 2. install the bfd brute force detection
>
> #BFD # http://www.webhostgear.com/60.html
>
> ####################################################################
>
> cd ~admin
>
> wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
>
> tar -xvzf bfd-current.tar.gz
>
> cd bfd-0.9
>
> ./install.sh
>
> wget precisionweb.net/frank/conf.bfd
>
> mv conf.bfd /usr/local/bfd/conf.bfd
>
> #look through the /usr/local/bfd/conf.bfd and modify as necessary
>
> #echo "209.216.51.62" >> /usr/local/bfd/ignore.hosts
>
> wget http://www.r-fx.ca/downloads/sshd
>
> mv -f sshd /usr/local/bfd/rules/
>
> # the change below stops anonymous logins from blocking people
>
> perl -p -i -e 's/grep -w proftpd/grep -w proftpd \| grep -v anonymous/g' /usr/local/bfd/rules/proftpd
>
> ####################################################################
>
One note: do not install the APF on Strongbolt servers with the latest
2.6.20.1i686 kernel.
It will not work.
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
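The two steps in Ken's recipe, written out as a checked shell script. This is an added example, not code from the coba-e list, from APF or from BFD. Part 1 edits an APF-style conf file the way the three `perl -p -i -e` lines do, but replaces whatever value is present and verifies the result; the perl substitutions only fire when the shipped default matches the literal pattern (for instance `IG_TCP_CPORTS="22"`), and if it does not they silently change nothing. Part 2 is the BFD proftpd rule idea as a one-shot check: failed FTP logins counted per source IP, with anonymous attempts excluded as Ken's `grep -v anonymous` tweak does, so a noisy anonymous client cannot get real users blocked. The file paths and the syslog-style sample lines are constructed for the demo; the line format only approximates proftpd's messages, so adjust the `grep -E` patterns to what your own logs contain.

```shell
#!/bin/sh
# Added example, not from the coba-e post or the APF/BFD projects.

# ---- Part 1: idempotent KEY="VALUE" edits of an APF-style conf file ----

# conf_get FILE KEY -> prints the value inside KEY="...", or nothing if absent
conf_get() {
    sed -n "s|^${2}=\"\(.*\)\"\$|\1|p" "$1" | tail -n 1
}

# conf_set FILE KEY VALUE -> replaces or appends KEY="VALUE", then verifies.
# VALUE must not contain '|', '&' or '\' (they are special to sed's s///).
conf_set() {
    file=$1
    key=$2
    value=$3
    if grep -q "^${key}=" "$file"; then
        # sed -i is not POSIX, so rewrite through a temp file
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
    # fail loudly if the edit did not take, instead of silently doing nothing
    [ "$(conf_get "$file" "$key")" = "$value" ]
}

# ---- Part 2: failed FTP logins per source IP, anonymous excluded ----

# failed_ftp_logins LOGFILE THRESHOLD -> prints each IP with >= THRESHOLD
# non-anonymous proftpd login failures, one per line
failed_ftp_logins() {
    grep -w proftpd "$1" \
      | grep -E -i 'no such user|incorrect password' \
      | grep -v -i anonymous \
      | sed -n 's/.*\[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\].*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# ---- Demo on constructed data (not real config or logs) ----
demo() {
    conf=$(mktemp)
    log=$(mktemp)
    # shipped-style defaults, constructed for the demo
    printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="22"\nIG_UDP_CPORTS=""\n' > "$conf"
    conf_set "$conf" IG_TCP_CPORTS "21,22,25,53,80,110,143,443,993,995"
    conf_set "$conf" IG_UDP_CPORTS "53"
    conf_set "$conf" DEVEL_MODE 0
    echo "--- edited conf ---"
    cat "$conf"
    # constructed syslog-style lines: one attacker (3 failures), one typo
    # (1 failure), one anonymous client (3 failures), and an sshd line
    cat > "$log" <<'EOF'
May  7 13:01:02 bq proftpd[2001]: bq (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.10:21
May  7 13:01:03 bq proftpd[2002]: bq (203.0.113.5[203.0.113.5]) - USER root: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.10:21
May  7 13:01:04 bq proftpd[2003]: bq (203.0.113.5[203.0.113.5]) - USER test (Login failed): Incorrect password
May  7 13:01:05 bq proftpd[2004]: bq (198.51.100.9[198.51.100.9]) - USER bob (Login failed): Incorrect password
May  7 13:01:06 bq proftpd[2005]: bq (203.0.113.77[203.0.113.77]) - USER anonymous: no such user found from 203.0.113.77 [203.0.113.77] to 192.0.2.10:21
May  7 13:01:07 bq proftpd[2006]: bq (203.0.113.77[203.0.113.77]) - USER anonymous: no such user found from 203.0.113.77 [203.0.113.77] to 192.0.2.10:21
May  7 13:01:08 bq proftpd[2007]: bq (203.0.113.77[203.0.113.77]) - USER anonymous: no such user found from 203.0.113.77 [203.0.113.77] to 192.0.2.10:21
May  7 13:01:09 bq sshd[2008]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
EOF
    echo "--- FTP sources with >= 3 non-anonymous failures ---"
    failed_ftp_logins "$log" 3
    rm -f "$conf" "$log"
}

demo
```

The verification at the end of `conf_set` is the point of Part 1: on a box where the APF default is not the literal `IG_TCP_CPORTS="22"`, the recipe's perl line leaves the firewall in its shipped state with no error, whereas this version returns non-zero. Part 2 only reports; tying it to an actual block (APF deny rules, as BFD does) is a separate step, and the threshold should be set against your own false-positive rate, since a legitimate user mistyping a password a few times must not land on the deny list.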