[Dovecot] Brute Force Blocking?
Benjamin R. Haskell
dovecot at benizi.com
Thu Dec 20 22:51:02 EET 2007
On Thu, 20 Dec 2007, Ben Cadieux wrote:
> Hi Everyone,
> Before I begin, I'd just like to mention: I love dovecot. Thank you :)
> Anyway, today I had 8000 login attempts to my dovecot server in an
> hour before blocking the IP with my firewall.
> After googling, I didn't see very much discussion on the topic. There
> was some mention of blocksshd which was supposed to support dovecot in
> the next release (but doesn't appear to) and also fail2ban. While a
> script that parses logfiles will work, I'm not sure that this is the
> best way to go about handling repeated authentication failure.
> Would it not be best built into dovecot? [...]
I'd vote "no", with the caveat that I don't use any of these tools.
Parsing logfiles might make it more brittle, but it also allows the tool
to protect many services in a generic way. I don't want to have to protect
against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd,
PostgreSQL, and whatever else in different config files. It'd be best to
handle that one layer up. Doing it outside of dovecot even allows
correlations to be made (e.g. ban sooner if the same IP is trying to
break both SSH and FTP). Don't know if the tools *do* this, but still.
That's my 2¢,
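
An added illustration of the cross-service correlation idea in the reply above (not part of the original message, and not code from Dovecot, fail2ban or blocksshd). The regexes, thresholds and log lines are constructed assumptions, and the time window a real tool would apply is left out:

```python
import re
from collections import defaultdict

# Assumed failed-login patterns per service; adapt to your real log formats.
PATTERNS = {
    "dovecot": re.compile(r"dovecot: \S+-login: Aborted login.*\brip=(?P<ip>[\d.]+)"),
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)"),
    "vsftpd": re.compile(r'vsftpd.*FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
}
BASE_THRESHOLD = 5   # assumed limit when a single service sees the failures
MULTI_THRESHOLD = 2  # assumed stricter limit once 2+ services see the same IP

def parse_failure(line):
    """Return (service, ip) for a failed-login line, else None."""
    for service, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return service, m.group("ip")
    return None

def ips_to_ban(lines):
    """Map each IP over its limit to the sorted list of services it hit."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = parse_failure(line)
        if hit:
            per_ip[hit[1]][hit[0]] += 1
    banned = {}
    for ip, counts in per_ip.items():
        limit = MULTI_THRESHOLD if len(counts) > 1 else BASE_THRESHOLD
        if sum(counts.values()) >= limit:
            banned[ip] = sorted(counts)
    return banned

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = (
    ["Dec 20 21:01:02 mail dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.5"] * 5
    + ["Dec 20 21:02:00 mail dovecot: imap-login: Aborted login: user=<amy>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5"] * 3
    + ["Dec 20 21:03:10 mail sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
       'Dec 20 21:03:40 mail vsftpd: [admin] FAIL LOGIN: Client "203.0.113.7"',
       "Dec 20 21:05:00 mail dovecot: imap-login: Login: user=<amy>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5"]
)

if __name__ == "__main__":
    for ip, services in ips_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (failures seen on: {', '.join(services)})")
```

With these sample lines, the address that fails once on SSH and once on FTP is banned after two failures, while the address with three Dovecot-only failures stays under the single-service limit.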