[Dovecot] Delay on failed pw attempts

Stephen Usher Stephen.Usher at earth.ox.ac.uk
Wed Jan 2 01:21:50 EET 2008


On 1 Jan 2008, at 21:22, Timo Sirainen wrote:

> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
>> Hi,
>>
>> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
>> style option that would put in an artificial delay after a failed
>> password attempt?
>>
>> As it stands now, Dovecot seems highly vulnerable to widescale
>> brute-force password dictionary scans.
>>
>> Even if it's not configurable, can a delay be hardcoded to something
>> like, say, 10 or 15 seconds?
>
> Failed auth requests are put to a queue that's flushed every 2 seconds.
> So there is already a delay. I don't think it's a good idea to increase
> it up from 2 seconds, it just gets annoying when you type the wrong
> password accidentally.
>
> Although I suppose I could change the code so that it always waits 2
> seconds instead of flushing all of them.
>


Actually, a better method which would not inconvenience real users is
to have an accumulative delay, i.e. the first error has a 1 second
delay, the second 2 seconds, the third 4 seconds and so on. This
should tar-pit any brute force attack, at least until the script
kiddies just blast the server with a huge number of new connections to
do the job.

Steve
---------------------------------------------------------------------------
Computer Systems Administrator,                E-Mail:- steve at earth.ox.ac.uk
Department of Earth Sciences,                     Tel:-  +44 (0)1865 282110
University of Oxford, Parks Road, Oxford, UK.     Fax:-  +44 (0)1865 272072
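An added illustration of the accumulative delay Steve proposes (this is example code, not part of the thread and not Dovecot's implementation). It keys the failure count on the client's address rather than the connection, so that opening a fresh connection per guess does not reset the delay; the 64-second cap and the 10-minute idle reset are assumptions not stated in the thread.

```python
import time
from collections import defaultdict

BASE_DELAY = 1.0      # seconds imposed on the first failure (as proposed in the thread)
MAX_DELAY = 64.0      # cap is an assumption; the thread describes unbounded doubling
RESET_AFTER = 600.0   # forget a client's failures after 10 idle minutes (assumption)


class FailureBackoff:
    """Per-client doubling delay for failed authentication attempts.

    Key by remote address (or address + username), not by connection: a
    per-connection counter is sidestepped by reconnecting for each guess.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)   # key -> consecutive failures
        self._last_seen = {}                # key -> time of last failure

    def _expire(self, key):
        last = self._last_seen.get(key)
        if last is not None and self._clock() - last > RESET_AFTER:
            self._failures.pop(key, None)
            self._last_seen.pop(key, None)

    def delay_for(self, key):
        """Delay (seconds) that the most recent failure from key incurred."""
        self._expire(key)
        n = self._failures[key]
        return 0.0 if n == 0 else min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)

    def record_failure(self, key):
        """Count a failed attempt and return the delay to impose before replying."""
        self._expire(key)
        self._failures[key] += 1
        self._last_seen[key] = self._clock()
        return self.delay_for(key)

    def record_success(self, key):
        """A correct password clears the client's failure history."""
        self._failures.pop(key, None)
        self._last_seen.pop(key, None)


def simulate(events, clock=time.monotonic):
    """Replay constructed (client, succeeded) events; return the delay after each."""
    tracker = FailureBackoff(clock)
    delays = []
    for key, ok in events:
        delays.append(0.0 if ok else tracker.record_failure(key))
        if ok:
            tracker.record_success(key)
    return delays
```

Each failed attempt is answered only after the returned delay has been slept, so a legitimate user who mistypes once waits a single second while a sustained guessing run from one address quickly reaches the cap.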