BFD custom rules for Dovecot

On all of our servers we recommend a combination of APF and BFD, the first is needed for the 2nd. Now generally bfd does a good job of blocking attacks on ssh, ftp and mail accounts however recently we have had a different approach to attacks that involve simply trawling for user names that respond through dovecot.

How BFD normally works
Most of the standard rules in BFD rely on the fact that the connection attempts to access a service through a password and after a pre set number of “Failed” messages they get blocked. Simple and effective and stops brute force attacks.

What is happening this time.
This time the attack only seems to care about gather information on log in names and therefore email addresses (all these attacks were on port 110). This meant that the request never got to the password so there never was a failed message in the logs and then the connection eventually times out.

What this meant for the server
Because the connection was made with a username the system created the connection and then waited for more information, eventually this would time out and close the connection. However in the meantime the attack had moved onto another username and another connection until it gets to the max limit and no legitimate connections can be made!

What we did
It turns out that Piotr had come across this issue some time ago and had found a nice custom rule for dovecot which I was able to steal and add to the newly affected servers.

To add a custom rule to BFD simply follow these steps (with the files and file names modified for your own purposes)

Create a file in the following folder for editing


In this case I called the file dovecot

Here is the format of a BFD rule

if [ -f "$REQ" ]; then

## pop3
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep dovecot | grep pop3-login |grep -Ewi “aborted|failed” | awk ‘{print $11}’ | grep -o -E ‘[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+’`

Once saved this file will be picked up and the reg ex rule appied against the log file specified

Important lines in the code
REQ is what daemon you are checking against, if its not running then the check won’t run.
LP is the log that you will use for the error
TRIG is the limit at which an IP address will get blocked

After this its all about modifiying the ARG_VAL to do what you need and this might require testing.

How to spot this attack
So if you think this is happening to you, this is what to check for.

Processes – if there are 100+ pop3 or IMAP connections, and you can see this with something like

ps auxw | grep pop3 | wc -l.

Logs – check /var/log/maillog for thousands of “connection aborted” messages to view them you can try

grep -i aborted /var/log/maillog

and to count them

grep -i aborted /var/log/maillog | wc -l

And these show up you need to firewall the IP that they are coming from and then add the rule above to prevent it again.

This entry was posted in Managed Hosting. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>