[Dovecot] Brute Force Blocking?

James Turnbull james at lovedthanlost.net
Mon Dec 24 07:39:39 EET 2007


Bryan Bradsby wrote:
>> Anyway, today I had 8000 login attempts to my dovecot server in an
>> hour before blocking the IP with my firewall.
>>
>> After googling, I didn't see very much discussion on the topic.  There
>> was some mention of blocksshd which was supposed to support dovecot in
>> the next release (but doesn't appear to) and also fail2ban.  While a
>> script that parses logfiles will work, I'm not sure that this is the
>> best way to go about handling repeated authentication failure.
> 

I wrote blocksshd and had intended to extend it to do Dovecot but
decided it was the wrong approach.  I think the log parsing approach
works quite well for SSH/FTP and similar simple applications.  But
for other applications with more complex logic and potentially a wider
variety of threats, this function is probably better performed by
the application itself.

Hence I'd suggest that a 'limits' plug-in or some form of configurable
authentication governor in dovecot would be a better approach to counter
these sorts of attacks.

Regards

James Turnbull

P.S.  Even for SSH/FTP sometimes a simple iptables tweak can also solve
a lot of your problems - depends on how granular you want your approach
to be.

--
James Turnbull (james at lovedthanlost.net)
--
Author of:
- Pulling Strings with Puppet
(http://www.amazon.com/gp/product/1590599780/)
- Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
- Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
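
An added illustration of the in-application "authentication governor" idea suggested above; it is not part of the original message and is not Dovecot code or configuration. The class name, thresholds and addresses are assumptions, and the events are constructed to match the quoted 8000 attempts in an hour.

```python
from collections import defaultdict, deque

class AuthGovernor:
    """Per-IP failure limiter (hypothetical; not a Dovecot API or setting)."""

    def __init__(self, max_failures=5, window_ms=60_000, penalty_ms=300_000):
        self.max_failures = max_failures
        self.window_ms = window_ms
        self.penalty_ms = penalty_ms
        self._failures = defaultdict(deque)  # ip -> times of recent failures
        self._blocked_until = {}             # ip -> time the refusal ends

    def allow(self, ip, now_ms):
        """Ask before checking credentials; False means refuse outright."""
        return now_ms >= self._blocked_until.get(ip, 0)

    def record_failure(self, ip, now_ms):
        """Report a failed credential check for this client."""
        recent = self._failures[ip]
        recent.append(now_ms)
        while now_ms - recent[0] > self.window_ms:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now_ms + self.penalty_ms

def sample_events():
    """Constructed input: (time_ms, remote_ip, password_ok)."""
    # 8000 failed attempts in one hour from one address, as in the quoted report
    events = [(i * 450, "203.0.113.7", False) for i in range(8000)]
    # an ordinary user who mistypes once, then logs in
    events += [(10_000, "198.51.100.20", False), (15_000, "198.51.100.20", True)]
    return sorted(events)

def replay(events, governor):
    """Run events through the governor; count checked vs refused per IP."""
    stats = defaultdict(lambda: {"checked": 0, "refused": 0})
    for now_ms, ip, ok in events:
        if not governor.allow(ip, now_ms):
            stats[ip]["refused"] += 1
            continue
        stats[ip]["checked"] += 1
        if not ok:
            governor.record_failure(ip, now_ms)
    return dict(stats)

if __name__ == "__main__":
    for ip, counts in replay(sample_events(), AuthGovernor()).items():
        print(ip, counts)
```

With these assumed limits the flooding address gets 60 password checks in the hour instead of 8000, and the user who mistyped once is never refused.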