[Dovecot] limiting number of incorrect logins per connection
a.chapellon at horoa.net
Fri Aug 26 16:14:27 EEST 2011
fail2ban will work as soon as dovecot has closed a non-authenticated
If tarpit delay for auth failures in a connection is set to 15s (which
seems to be the default unless I misunderstood).... this lets an
attacker only 12 tries (at most) before the IP gets blacklisted by
fail2ban... Far enough to circumvent bruteforce and even dictionary
based attacks... unless the attacker has a botnet and uses a non
aggressive retry policy. But in the latter case, even if you blacklist the IP
at the first failed try, you're still vuln to such attacks.
On 26/08/2011 14:22, Felipe Scarel wrote:
> Yeah, I had read about half of that thread, and after I sent my mail kept
> reading and stumbled upon this: "(...) using the recent module needs
> dovecot to close the connection upon authentication failure, as iptables only
> (normally) comes in to play for new connections (...)".
> So, yeah, my suggestion probably won't work.
> On Fri, Aug 26, 2011 at 09:15, Felipe Scarel <fbscarel at gmail.com> wrote:
>> Alex, I've not personally done it (so just speculating here, bear with me)
>> but you can customize Fail2Ban's actions if needed. So, if you can match the
>> attempts through some regex (and since you're seeing them in the logs, that
>> should be quite possible), then you can edit one of the 'actions' to drop
>> the connection for <ip>.
>> I'm just not entirely sure that iptables (or pf, or whatever firewall
>> you've got) can do it to active connections, 'cause that problem hasn't
>> arisen for me so far.
>> On Fri, Aug 26, 2011 at 06:14, Alex <alex at ahhyes.net> wrote:
>>> I am happy to recompile if there is no config option. I gather it's in the
>>> src/auth dir somewhere in one of the C source files. Just need to be pointed
>>> in the right dir.
>>> On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
>>>> 3 minutes! I think that's too long, how can I drop that down to about
>>>> 45 seconds?
>>>> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>>>>> On 26.8.2011, at 10.25, Alex wrote:
>>>>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth
>>>>>> attacked. What I have noticed is that once connected to a pop3/imap login
>>>>>> session, you can send endless incorrect usernames+passwords attempts. This
>>>>>> is a problem for me... I use fail2ban to try and stop these script kiddies.
>>>>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>>>>> however, since it's an "established" session, the attacker can keep authing
>>>>>> away... It's only on a subsequent (new) connection that the firewalling will
>>>>>> take effect.
>>>>> Umm. If client hasn't managed to log in in 3 minutes, it's
>>>>> disconnected (no matter what it does with the connection).
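The two mechanisms discussed in this thread (the login process eventually disconnecting a client after a run of failures, and fail2ban counting those failures per source IP) can be replayed over log lines. The following is an added example, not code from the thread or from the Dovecot or fail2ban projects: it parses constructed Dovecot-style "Disconnected (auth failed, N attempts in S secs)" lines, sums the per-connection attempt counts per IP inside a findtime window the way a fail2ban-like jail would, and computes the "12 tries per connection" bound from a login timeout and a tarpit delay. The log line layout, the field names, the thresholds and the IP addresses are assumptions made for illustration.

```python
"""Added example (not from the thread, not Dovecot's or fail2ban's code).

Assumptions: the sample lines below imitate Dovecot 2's login-process
disconnect message; maxretry/findtime and the IPs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the layout is an assumption modelled on the
# "imap-login: Disconnected (auth failed, N attempts in S secs)" message.
SAMPLE_LOG = """\
Aug 26 10:01:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Aug 26 10:01:20 mail dovecot: imap-login: Disconnected (auth failed, 12 attempts in 180 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.2
Aug 26 10:02:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 30 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.2
Aug 26 10:02:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
"""

# Only the disconnect-after-failure lines carry an attempt count; a plain
# "Login:" line does not match and is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r".*rip=(?P<ip>[0-9a-fA-F.:]+)"
)


def max_attempts_per_connection(login_timeout_s, tarpit_delay_s):
    """Upper bound on failed attempts one connection can carry: each failure
    costs tarpit_delay_s and the login process drops the connection after
    login_timeout_s. With the thread's numbers, 180 // 15 == 12."""
    if tarpit_delay_s <= 0:
        raise ValueError("tarpit delay must be positive")
    return login_timeout_s // tarpit_delay_s


def parse_failures(log_text, year=2011):
    """Return [(timestamp, source_ip, attempts)] for every matching line.
    Syslog timestamps carry no year, so one is supplied (assumed 2011)."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"], int(m["n"])))
    return out


def ban_decisions(log_text, maxretry=5, findtime_s=600):
    """Replay the log in order and return {ip: time_of_ban}.

    Unlike a one-failure-per-line counter, this adds the attempt count the
    login process reports at disconnect, so the whole run of attempts made
    inside one established connection is counted at once (the thread's point:
    the ban can only bite on the next connection, after that run is over)."""
    recent = defaultdict(list)  # ip -> [(ts, attempts)] inside findtime
    banned = {}
    for ts, ip, n in parse_failures(log_text):
        if ip in banned:
            continue
        window = recent[ip]
        window.append((ts, n))
        window[:] = [(t, c) for t, c in window
                     if (ts - t).total_seconds() <= findtime_s]
        if sum(c for _, c in window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print("max failed attempts per connection:",
          max_attempts_per_connection(180, 15))
    for ip, when in ban_decisions(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the constructed sample, 192.0.2.10 is banned at the first disconnect line because that single connection already carried 12 failures, while 198.51.100.7 stays unbanned with one failure; changing the tarpit delay or timeout passed to max_attempts_per_connection shows how the per-connection budget that the reply above estimates at 12 moves.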