[Dovecot] Delay on failed pw attempts

Frank Kintrup frank.kintrup at fkware.com
Wed Jan 2 00:25:44 EET 2008



> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?

> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.

> Even if it's not configurable, can a delay be hardcoded to something
> like, say, 10 or 15 seconds?

> --
> Dean Brooks
> dean at iglou.com

I recently installed an application called Fail2Ban (http://www.fail2ban.org),
which scans log files and filters out failed login attempts. If a configurable
number of failed attempts from the same IP is found, the IP is blocked out via
iptables or hosts.deny for some time (default 10 minutes). Works pretty well
for SSH, though I'm still waiting for the first attempt on my IMAP or SMTP
ports ;-)

So instead of letting a brute force attack continue at a slower pace, Fail2Ban
locks out the attacking system for some time, while a legitimate user can
mistype his password at least once or twice without penalty. If he continues
to mistype his password, he probably deserves to wait ;-)

If anyone wants to try it, a working fail2ban failregex for dovecot 1.05 and
mysql is:

failregex = Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
            Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user

Frank
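To show what Fail2Ban actually does with the two failregex lines above, here is an added example (not from the message, not Fail2Ban's own code) that applies them to constructed Dovecot 1.0 log lines, counts failures per source host inside a sliding window, and reports the hosts that would be banned. The `<HOST>` substitution, the `maxretry=5` threshold and the 10-minute `findtime` are assumptions standing in for Fail2Ban's own settings.

```python
import re
from datetime import datetime, timedelta
from collections import defaultdict

# The two failregex lines from the message, with Fail2Ban's <HOST> tag replaced by a
# named group. Fail2Ban's real substitution is more elaborate; this simpler group
# (an assumption) is enough for the IPv4/IPv6 literals in the constructed log below.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"
FAILREGEX = [
    re.compile(r"Info: auth-worker\(default\): sql\(.*," + HOST + r"\): Password mismatch"),
    re.compile(r"Info: auth-worker\(default\): sql\(.*," + HOST + r"\): unknown user"),
]

# Constructed Dovecot 1.0 log lines (not captured from a real server); the
# "dovecot: Mon DD HH:MM:SS Info:" prefix is Dovecot's own log-file format.
SAMPLE_LOG = """\
dovecot: Jan 02 00:10:01 Info: auth-worker(default): sql(dean,192.0.2.10): Password mismatch
dovecot: Jan 02 00:10:03 Info: auth-worker(default): sql(dean,192.0.2.10): Password mismatch
dovecot: Jan 02 00:10:05 Info: auth-worker(default): sql(admin,192.0.2.10): unknown user
dovecot: Jan 02 00:10:06 Info: auth-worker(default): sql(root,192.0.2.10): unknown user
dovecot: Jan 02 00:10:09 Info: auth-worker(default): sql(root,192.0.2.10): unknown user
dovecot: Jan 02 00:11:00 Info: auth-worker(default): sql(frank,198.51.100.7): Password mismatch
dovecot: Jan 02 00:11:30 Info: auth-worker(default): sql(frank,198.51.100.7): Password mismatch
dovecot: Jan 02 00:12:00 Info: imap-login: Login: user=<frank>, method=PLAIN, rip=198.51.100.7
"""
TS = re.compile(r"^dovecot: (\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")

def parse_failures(log, year=2008):
    """Yield (timestamp, host) for every line matching one of the failregex patterns."""
    for line in log.splitlines():
        m = TS.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for rx in FAILREGEX:
            hit = rx.search(line)
            if hit:
                yield when, hit.group("host")
                break

def hosts_to_ban(log, maxretry=5, findtime=timedelta(minutes=10)):
    """Return hosts with at least maxretry failures inside one findtime window."""
    seen = defaultdict(list)
    banned = set()
    for when, host in parse_failures(log):
        seen[host].append(when)
        # keep only failures within findtime of the newest one (sliding window)
        seen[host] = [t for t in seen[host] if when - t <= findtime]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return banned
```

With these settings only 192.0.2.10 (five failures in a few seconds) is banned, while the user who mistyped a password twice from 198.51.100.7 is not.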