[Dovecot] Brute Force Blocking?
Benjamin R. Haskell
dovecot at benizi.com
Fri Dec 21 01:49:25 EET 2007
On Thu, 20 Dec 2007, Peter Hessler wrote:
> On 2007 Dec 20 (Thu) at 15:51:02 -0500 (-0500), Benjamin R. Haskell wrote:
>> On Thu, 20 Dec 2007, Ben Cadieux wrote:
>>> Hi Everyone,
>>> Before I begin, I'd just like to mention: I love dovecot. Thank you :)
>>> Anyway, today I had 8000 login attempts to my dovecot server in an
>>> hour before blocking the IP with my firewall.
>>> After googling, I didn't see very much discussion on the topic. There
>>> was some mention of blocksshd which was supposed to support dovecot in
>>> the next release (but doesn't appear to) and also fail2ban. While a
>>> script that parses logfiles will work, I'm not sure that this is the
>>> best way to go about handling repeated authentication failure.
>>> Would it not be best built into dovecot? [...]
>> I'd vote "no", with the caveat that I don't use any of these tools.
>> Parsing logfiles might make it more brittle, but it also allows the tool to
>> protect many services in a generic way. I don't want to have to protect
>> against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd,
>> PostgreSQL, and whatever else in different config files. It'd be best to
>> handle that one layer up. Doing it outside of dovecot even allows
>> correlations to be made (e.g. ban sooner if the same IP is trying to break
>> both SSH and FTP). Don't know if the tools *do* this, but still.
>> That's my 2¢,
>> Ben Haskell
> Except for the part where they stay connected forever, and keep
> retrying logins. One tcp connection, so nothing for the network level
> to look for.
I thought you had me, there. But, it's not at the "network" level, per se,
"one level up" conceptually, not necessarily up in the standard 7 layers.
The tools parse logfiles. dovecot and (I think) the others I mentioned log
an auth error after each failed attempt.
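
Added example, not part of the original message and not code from fail2ban, blocksshd or dovecot: a sketch of the log-parsing approach discussed in this thread. It counts failures per source IP from log lines, so repeated attempts over one TCP connection are still counted, and applies a lower limit when the same IP fails against more than one service. The log line shapes, regexes, limits and sample lines are constructed assumptions; adapt the patterns to what your services actually log.

```python
import re
from collections import defaultdict

# Assumed log shapes; real formats vary with version and configuration.
PATTERNS = {
    "dovecot": re.compile(
        r"dovecot: auth[^ ]*: [\w-]+\([^,()]*,(?P<ip>[0-9a-fA-F.:]+)\).*fail"),
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9a-fA-F.:]+) port"),
}
SINGLE_SERVICE_LIMIT = 5  # failures tolerated when only one service is hit
MULTI_SERVICE_LIMIT = 3   # lower limit when the same IP fails on 2+ services

def count_failures(lines):
    """Return {ip: {service: failures}}, one count per logged failure."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[match.group("ip")][service] += 1
                break
    return counts

def ips_to_ban(lines):
    """Return the sorted list of IPs whose failures reach the applicable limit."""
    banned = []
    for ip, per_service in count_failures(lines).items():
        limit = MULTI_SERVICE_LIMIT if len(per_service) > 1 else SINGLE_SERVICE_LIMIT
        if sum(per_service.values()) >= limit:
            banned.append(ip)
    return sorted(banned)

# Constructed sample log (documentation-range addresses, hypothetical host "mail").
DOVECOT = "Dec 20 15:40:%02d mail dovecot: auth: pam(bob,%s): pam_authenticate() failed"
SSHD = "Dec 20 15:41:%02d mail sshd[2211]: Failed password for invalid user admin from %s port 51122 ssh2"
SAMPLE_LOG = (
    [DOVECOT % (i, "198.51.100.7") for i in range(5)]    # 5 failures, one service
    + [DOVECOT % (i, "203.0.113.9") for i in range(2)]   # 2 dovecot failures ...
    + [SSHD % (0, "203.0.113.9")]                        # ... plus 1 sshd failure
    + [SSHD % (i, "192.0.2.44") for i in range(3)]       # 3 failures, one service
    + ["Dec 20 15:42:00 mail dovecot: imap-login: Login: user=<alice>, rip=192.0.2.80"]
)

if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG):
        print("ban", ip)
```
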