[Dovecot] limiting number of incorrect logins per connection

Alex alex at ahhyes.net
Fri Aug 26 12:14:34 EEST 2011

 I am happy to recompile if there is no config option. I gather it's in 
 the src/auth dir somewhere in one of the C source files. Just need to be 
 pointed in the right dir.

 On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
> 3 minutes! I think that's too long, how can I drop that down to about
> 45 seconds?
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>> On 26.8.2011, at 10.25, Alex wrote:
>>> Running Dovecot 2 on my server. It is regularly getting dictionary 
>>> auth attacked. What I have noticed is that once connected to a 
>>> pop3/imap login session, you can send endless incorrect 
>>> usernames+passwords attempts. This is a problem for me... I use 
>>> fail2ban to try and stop these script kiddies. The problem is that 
>>> fail2ban detects the bad auths, firewalls the IP, however, since it's 
>>> an "established" session, the attacker can keep authing away... It's 
>>> only on a subsequent (new) connection that the firewalling will take 
>>> effect.
>> Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).

More information about the dovecot mailing list