[Dovecot] limiting number of incorrect logins per connection
fbscarel at gmail.com
Fri Aug 26 15:15:18 EEST 2011
Alex, I've not personally done it (so just speculating here, bear with me)
but you can customize Fail2Ban's actions if needed. So, if you can match the
attempts through some regex (and since you're seeing them in the logs, that
should be quite possible), then you can edit one of the 'actions' to drop
the connection for <ip>.
I'm just not entirely sure that iptables (or pf, or whatever firewall you've
got) can do it to active connections, 'cause that problem hasn't arisen for
me so far.
On Fri, Aug 26, 2011 at 06:14, Alex <alex at ahhyes.net> wrote:
> I am happy to recompile if there is no config option. I gather it's in the
> src/auth dir somewhere in one of the C source files. Just need to be pointed
> in the right dir.
> On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
>> 3 minutes! I think that's too long, how can I drop that down to about
>> 45 seconds?
>> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>>> On 26.8.2011, at 10.25, Alex wrote:
>>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth
>>>> attacked. What I have noticed is that once connected to a pop3/imap login
>>>> session, you can send endless incorrect usernames+passwords attempts. This
>>>> is a problem for me... I use fail2ban to try and stop these script kiddies.
>>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>>> however, since it's an "established" session, the attacker can keep authing
>>>> away... It's only on a subsequent (new) connection that the firewalling will
>>>> take effect.
>>> Umm. If client hasn't managed to log in in 3 minutes, it's
>>> disconnected (no matter what it does with the connection).
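The "match the attempts through some regex" step described above, as an added example that is not part of the thread: a fail2ban-style counter over constructed log lines in the shape of Dovecot 2 imap-login/pop3-login "auth failed" disconnect messages (the line format, thresholds and addresses are assumptions, not taken from the original posts).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real server logs) in the shape of Dovecot 2
# imap-login/pop3-login "auth failed" disconnect messages, syslog prefix included.
SAMPLE_LOG = """\
Aug 26 10:20:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Aug 26 10:20:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Aug 26 10:20:15 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Aug 26 10:21:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<alex>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Aug 26 10:25:30 mail dovecot: imap-login: Login: user=<alex>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
"""

# One failed-auth disconnect per line; the attempt count in the parentheses
# is used as the weight, since Dovecot aggregates attempts per connection.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r".*\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text, year=2011):
    """Yield (timestamp, remote_ip, attempts) for every matching line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["rip"], int(m["n"])


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(seconds=600)):
    """Return the set of remote IPs that reached maxretry failures within findtime."""
    events = defaultdict(list)
    banned = set()
    for ts, rip, n in parse_failures(log_text):
        window = events[rip] + [ts] * n
        # Keep only attempts that fall inside the sliding window.
        events[rip] = window = [t for t in window if ts - t <= findtime]
        if len(window) >= maxretry:
            banned.add(rip)
    return banned


if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))
```

The set this returns is what a fail2ban action would hand to the firewall; as the thread notes, that block only applies to new connections, while the session already established is closed by Dovecot's own login timeout.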