[Dovecot] Brute Force Blocking?

Benjamin R. Haskell dovecot at benizi.com
Fri Dec 21 01:49:25 EET 2007


On Thu, 20 Dec 2007, Peter Hessler wrote:
> On 2007 Dec 20 (Thu) at 15:51:02 -0500 (-0500), Benjamin R. Haskell wrote:
>> On Thu, 20 Dec 2007, Ben Cadieux wrote:
>>
>>> Hi Everyone,
>>>
>>> Before I begin, I'd just like to mention: I love dovecot.  Thank you :)
>>>
>>> Anyway, today I had 8000 login attempts to my dovecot server in an
>>> hour before blocking the IP with my firewall.
>>>
>>> After googling, I didn't see very much discussion on the topic.  There
>>> was some mention of blocksshd which was supposed to support dovecot in
>>> the next release (but doesn't appear to) and also fail2ban.  While a
>>> script that parses logfiles will work, I'm not sure that this is the
>>> best way to go about handling repeated authentication failure.
>>>
>>> Would it not be best built into dovecot? [...]
>>>
>>
>> I'd vote "no", with the caveat that I don't use any of these tools.
>>
>> Parsing logfiles might make it more brittle, but it also allows the tool to
>> protect many services in a generic way. I don't want to have to protect
>> against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd,
>> PostgreSQL, and whatever else in different config files. It'd be best to
>> handle that one layer up. Doing it outside of dovecot even allows
>> correlations to be made (e.g. ban sooner if the same IP is trying to break
>> both SSH and FTP). Don't know if the tools *do* this, but still.
>>
>> That's my 2¢,
>> Ben Haskell
>
>
> Except for the part where they stay connected forever, and keep
> retrying logins.  One tcp connection, so nothing for the network level
> to look for.

I thought you had me, there. But, it's not at the "network" level, per se, 
"one level up" conceptually, not necessarily up in the standard 7 layers.

The tools parse logfiles. dovecot and (I think) the others I mentioned log 
an auth error after each failed attempt.

Best,
Ben
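
The log-parsing approach argued for in this thread, as an added example that is not part of the original messages: failures are counted per source IP from each service's log lines, so repeated attempts over a single TCP connection still register, and an IP failing against more than one service is flagged sooner. The log lines, regex patterns, function name and thresholds are constructed assumptions, not the real output formats of dovecot or of any existing tool.

```python
import re
from collections import defaultdict

# Assumed, simplified patterns: one regex per protected service.
# Real log formats differ by version and configuration.
PATTERNS = {
    "dovecot": re.compile(r"dovecot: auth failed .*rip=(?P<ip>[\d.]+)"),
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<ip>[\d.]+)"),
}

# Constructed sample log (documentation IP ranges, hypothetical users).
SAMPLE_LOG = (
    # Six failures logged for one client, e.g. retries on one connection.
    ["dovecot: auth failed user=alice rip=203.0.113.7"] * 6
    # Same IP failing against two different services.
    + ["dovecot: auth failed user=bob rip=198.51.100.9"] * 2
    + ["sshd[411]: Failed password for bob from 198.51.100.9 port 5022 ssh2"] * 2
    # A user who mistyped a password twice, then logged in.
    + ["dovecot: auth failed user=carol rip=192.0.2.5"] * 2
    + ["dovecot: login ok user=carol rip=192.0.2.5"]
)


def find_offenders(lines, threshold=5, multi_service_threshold=3):
    """Return {ip: {service: failures}} for IPs that should be blocked.

    An IP seen failing against more than one service is held to the
    lower multi_service_threshold (the cross-service correlation idea).
    A production tool would also age failures out over a time window.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                failures[match["ip"]][service] += 1
                break

    offenders = {}
    for ip, per_service in failures.items():
        total = sum(per_service.values())
        limit = multi_service_threshold if len(per_service) > 1 else threshold
        if total >= limit:
            offenders[ip] = dict(per_service)
    return offenders


if __name__ == "__main__":
    for ip, counts in find_offenders(SAMPLE_LOG).items():
        print(ip, counts)
```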

