[Dovecot] Delay on failed pw attempts

Ian Kumlien pomac at vapor.com
Wed Jan 2 02:30:12 EET 2008 

On tis, 2008-01-01 at 19:15 -0500, Dean Brooks wrote:
> On Tue, Jan 01, 2008 at 03:46:23PM -0800, Asheesh Laroia wrote:
> > On Tue, 1 Jan 2008, Dean Brooks wrote:
> > >Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> > >style option that would put in an artificial delay after a failed
> > >password attempt?
> > >
> > >As it stands now, Dovecot seems highly vulnerable to widescale
> > >brute-force password dictionary scans.
> > 
> > But not if you secure access to Dovecot using e.g. fail2ban.  Why is 
> > adding complexity to Dovecot better than using a dedicated tool?
> 
> Not everyone runs Linux (i.e. iptables) and Dovecot doesn't
> appear to have imbedded tcpwrappers support (i.e. forces you to
> run it under inetd which is not always desirable).  One or the other
> is a prerequisite for fail2ban.
> 
> Plus, I don't consider adding these features "added complexity".  On
> the contrary, I feel like ANY software that accepts incoming public
> TCP connections has an obligation to implement some basic controls to
> limit the resources it consumes.  The lack of these kinds of controls are
> what result in most application-level DDOS attacks.
> 
> In the case of IMAP or POP, a minimum of controls would be max
> connections, max connections per IP and max auth failures.
> 
> Using a program to effectively "tail -f" a logfile in realtime is a
> hack.  Logfile formats change, logfile locations change, not everyone
> uses syslog, etc.  It also assumes that logfiles are stored in a
> centralized location which is often not the case in a large
> distributed network.  Throw in network load-balancers in a server farm
> and something like fail2ban becomes a real headache.

uhm, i'd rather say that it assumed you don't save log files in a
centralized location. It assumes you run the log file tail on the same
machine as the application itself, but you might have a environment
where all log files end up on one centralized machine instead.

> Hey, it's just my opinion, but keep in mind some people are running
> Dovecot in very large environments, and Linux isn't even anywhere
> in our equation.
> 
> --
> Dean Brooks
> dean at iglou.com
-- 
Ian Kumlien <pomac () vapor ! com> -- http://pomac.netswarm.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20080102/7b92998d/attachment.bin

More information about the dovecot mailing list