[Dovecot] Brute Force Blocking?

Peter Hessler phessler at theapt.org
Fri Dec 21 01:21:37 EET 2007


On 2007 Dec 20 (Thu) at 15:51:02 -0500 (-0500), Benjamin R. Haskell wrote:
> On Thu, 20 Dec 2007, Ben Cadieux wrote:
>
>> Hi Everyone,
>>
>> Before I begin, I'd just like to mention: I love dovecot.  Thank you :)
>>
>> Anyway, today I had 8000 login attempts to my dovecot server in an
>> hour before blocking the IP with my firewall.
>>
>> After googling, I didn't see very much discussion on the topic.  There
>> was some mention of blocksshd which was supposed to support dovecot in
>> the next release (but doesn't appear to) and also fail2ban.  While a
>> script that parses logfiles will work, I'm not sure that this is the
>> best way to go about handling repeated authentication failure.
>>
>> Would it not be best built into dovecot? [...]
>>
>
> I'd vote "no", with the caveat that I don't use any of these tools.
>
> Parsing logfiles might make it more brittle, but it also allows the tool to 
> protect many services in a generic way. I don't want to have to protect 
> against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd, 
> PostgreSQL, and whatever else in different config files. It'd be best to 
> handle that one layer up. Doing it outside of dovecot even allows 
> correlations to be made (e.g. ban sooner if the same IP is trying to break 
> both SSH and FTP). Don't know if the tools *do* this, but still.
>
> That's my 2¢,
> Ben Haskell


Except for the part where they stay connected forever, and keep 
retrying logins.  One tcp connection, so nothing for the network level 
to look for.


-- 
The United States is like the guy at the party who gives cocaine to
everybody and still nobody likes him.
		-- Jim Samuels
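
The trade-off discussed in this thread, as an added example that is not part of the original messages: counting authentication failures from logs catches retries sent over one long-lived TCP connection and can correlate across services, where a connection-rate limit sees almost nothing. The event format, addresses and thresholds are constructed for illustration and are not real Dovecot or sshd log output.

```python
import re
from collections import defaultdict, deque

# Constructed events in a simplified, hypothetical format (not real
# Dovecot or sshd output): "<epoch> <service> <event> ip=<addr> conn=<id>"
SAMPLE_LOG = """\
1000 imap connect ip=203.0.113.9 conn=1
1001 imap auth_fail ip=203.0.113.9 conn=1
1003 imap auth_fail ip=203.0.113.9 conn=1
1004 ssh connect ip=203.0.113.9 conn=2
1005 ssh auth_fail ip=203.0.113.9 conn=2
1006 imap auth_fail ip=203.0.113.9 conn=1
1007 imap connect ip=198.51.100.7 conn=3
1008 imap auth_fail ip=198.51.100.7 conn=3
1009 ssh auth_fail ip=203.0.113.9 conn=2
1010 imap auth_fail ip=203.0.113.9 conn=1
1011 imap auth_ok ip=198.51.100.7 conn=3
"""

LINE = re.compile(r"^(\d+) (\w+) (\w+) ip=(\S+) conn=(\d+)$")

def parse(log):
    """Return (time, service, event, ip) tuples; non-matching lines are skipped."""
    matches = (LINE.match(line.strip()) for line in log.splitlines())
    return [(int(m[1]), m[2], m[3], m[4]) for m in matches if m]

def connections_per_ip(events):
    """What a connection-rate limit at the network level gets to count."""
    counts = defaultdict(int)
    for _, _, event, ip in events:
        if event == "connect":
            counts[ip] += 1
    return dict(counts)

def ban_times(events, limit=5, window=60, per_service=False):
    """Sliding-window count of auth failures; returns {ip: time limit was hit}."""
    recent, banned = defaultdict(deque), {}
    for t, service, event, ip in events:
        if event != "auth_fail" or ip in banned:
            continue
        q = recent[(ip, service) if per_service else ip]
        q.append(t)
        while q[0] <= t - window:   # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            banned[ip] = t
    return banned
```

With the constructed data, 203.0.113.9 opens only two connections yet reaches the failure limit once IMAP and SSH failures are counted together; counted per service, neither stream reaches it.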

