[Dovecot] SQL/LDAP Lockouts?
Wouter Van Hemel
wouter-dovecot at fort-knox.rave.org
Fri Dec 10 20:23:48 EET 2004
On Fri, 10 Dec 2004, Ben Beuchler wrote:
> On Fri, Dec 10, 2004 at 11:29:42AM -0600, Ben Beuchler wrote:
>
>>> 1) If you get a good auth, you're in
>>> 2) If you get a bad auth, or the response takes more than n
>>> milliseconds/seconds, try the next password
>>
>> Is there any reason to make tarpitting logic non-persistent? It seems a
>> robust implementation would keep track of IPs that have failed logins.
>> Removing the record, of course, at the first successful login.
>
> This would, of course, be potentially vulnerable to a distributed
> attack...
>
>
That depends on how smart the tarpit routine is. And I think you already
need many thousands of machines before you can fill up a simple buffer
with ips, in case of a very dumb tarpit algorithm. IPs don't take up so
much space. IMHO, it's still better to try and slow them down (and perhaps
protect the other services on the machine with the delays, so you can e.g.
still receive email). Perhaps persistent caching would make things too
complicated, the point is to slow them down, even if they have to do only
2/3 of their attempts with tarpit delay, you already succeeded.
It does look quite difficult to brute force over the internet, without any
capable admin noticing millions of failed logins. Over an intranet it
would probably be faster though, and they might be in before it's noticed.
My experience tells me at least SMTP tarpitting does help protect the
servers when "#&%@! spammers visit your MTA instead of your baseball bat.
More information about the dovecot
mailing list