[Dovecot] limiting number of incorrect logins per connection
Alexandre Chapellon
a.chapellon at horoa.net
Fri Aug 26 16:14:27 EEST 2011
fail2ban will work as soon as dovecot has closed a non-authenticated
connection: 3mins->180sec
If tarpit delay for auth failures in a connection is set to 15s (which
seems to be the default unless I misunderstood).... this lets an
attacker only 12 tries (at most) before the IP gets blacklisted by
fail2ban... Far enough to circumvent bruteforce and even dictionary
based attacks... unless the attacker has a botnet and uses a non
aggressive retry policy. But in the latter case, even if you blacklist the IP
at the first failed try, you're still vulnerable to such attacks.
regards.
On 26/08/2011 14:22, Felipe Scarel wrote:
> Yeah, I had read about half of that thread, and after I sent my mail kept
> reading and stumbled upon this: "(...) using the recent module needs
> dovecot to close the connection upon authentication failure, as iptables only
> (normally) comes in to play for new connections (...)".
>
> So, yeah, my suggestion probably won't work.
>
> On Fri, Aug 26, 2011 at 09:15, Felipe Scarel <fbscarel at gmail.com> wrote:
>
>> Alex, I've not personally done it (so just speculating here, bear with me)
>> but you can customize Fail2Ban's actions if needed. So, if you can match the
>> attempts through some regex (and since you're seeing them in the logs, that
>> should be quite possible), then you can edit one of the 'actions' to drop
>> the connection for <ip>.
>>
>> I'm just not entirely sure that iptables (or pf, or whatever firewall
>> you've got) can do it to active connections, 'cause that problem hasn't
>> arisen for me so far.
>>
>>
>> On Fri, Aug 26, 2011 at 06:14, Alex <alex at ahhyes.net> wrote:
>>
>>> I am happy to recompile if there is no config option. I gather it's in the
>>> src/auth dir somewhere in one of the C source files. Just need to be pointed
>>> in the right dir.
>>>
>>>
>>> On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
>>>
>>>> 3 minutes! I think that's too long, how can I drop that down to about
>>>> 45 seconds?
>>>>
>>>>
>>>> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>>>>
>>>>> On 26.8.2011, at 10.25, Alex wrote:
>>>>>
>>>>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth
>>>>>> attacked. What I have noticed is that once connected to a pop3/imap login
>>>>>> session, you can send endless incorrect usernames+passwords attempts. This
>>>>>> is a problem for me... I use fail2ban to try and stop these script kiddies.
>>>>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>>>>> however, since it's an "established" session, the attacker can keep authing
>>>>>> away... It's only on a subsequent (new) connection that the firewalling will
>>>>>> take effect.
>>>>>>
>>>>> Umm. If the client hasn't managed to log in in 3 minutes, it's
>>>>> disconnected (no matter what it does with the connection).
>>>>>
--
<http://www.horoa.net>