[Dovecot] Brute Force Blocking?
James Turnbull
james at lovedthanlost.net
Mon Dec 24 07:39:39 EET 2007
Bryan Bradsby wrote:
>> Anyway, today I had 8000 login attempts to my dovecot server in an
>> hour before blocking the IP with my firewall.
>>
>> After googling, I didn't see very much discussion on the topic. There
>> was some mention of blocksshd which was supposed to support dovecot in
>> the next release (but doesn't appear to) and also fail2ban. While a
>> script that parses logfiles will work, I'm not sure that this is the
>> best way to go about handling repeated authentication failure.
>
I wrote blocksshd and had intended to extend it to do Dovecot but
decided it was the wrong approach. I think the log parsing approach
works quite well for SSH/FTP and similar simple applications. But
for other applications with more complex logic and potentially a wider
variety of threats then this function is probably better performed by
the application itself.
Hence I'd suggest that a 'limits' plug-in or some form of configurable
authentication governor in dovecot would be a better approach to counter
these sorts of attacks.
Regards
James Turnbull
P.S. Even for SSH/FTP sometimes a simple iptables tweak can also solve
a lot of your problems - depends on how granular you want your approach
to be.
--
James Turnbull (james at lovedthanlost.net)
--
Author of:
- Pulling Strings with Puppet
(http://www.amazon.com/gp/product/1590599780/)
- Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
- Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
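The "authentication governor" idea from the message above, sketched as an added example (not part of the original post and not Dovecot code): failed logins are counted per remote address inside the server, and a source that exceeds the limit is refused before any password check. The class name, thresholds and addresses are assumptions, and the simulated traffic is constructed from the 8000-attempts-per-hour figure in the quoted message.

```python
from collections import defaultdict, deque

# Hypothetical names and thresholds for illustration; not Dovecot's API.

class AuthGovernor:
    """Per-source limit on failed logins, enforced inside the server."""

    def __init__(self, max_failures=5, window=60.0, lockout=600.0):
        self.max_failures = max_failures  # failures tolerated per window
        self.window = window              # seconds over which failures count
        self.lockout = lockout            # seconds a source is refused afterwards
        self._failures = defaultdict(deque)  # remote IP -> failure timestamps
        self._locked_until = {}              # remote IP -> time the lockout ends

    def allowed(self, ip, now):
        """Call before checking the password; False means refuse outright."""
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[ip]  # lockout has expired
        return True

    def record(self, ip, now, success):
        """Call after the password check with its outcome."""
        if success:
            self._failures.pop(ip, None)  # a good login clears the history
            return
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()  # forget failures older than the window
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()


def simulate(attempts, seconds, ip="203.0.113.7"):
    """Constructed traffic: evenly spaced failed logins from one address.
    Returns how many attempts actually reached the password check."""
    gov = AuthGovernor()
    checked = 0
    for i in range(attempts):
        now = i * seconds / attempts
        if gov.allowed(ip, now):
            checked += 1
            gov.record(ip, now, success=False)
    return checked
```

With these thresholds, `simulate(8000, 3600)` lets 30 of the 8000 attempts reach the password check.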