[Dovecot] Delay on failed pw attempts

Benjamin R. Haskell dovecot at benizi.com
Wed Jan 2 10:33:03 EET 2008


On Tue, 1 Jan 2008, Asheesh Laroia wrote:

> On Tue, 1 Jan 2008, Dean Brooks wrote:
>
>> Hi,
>> 
>> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
>> style option that would put in an artificial delay after a failed
>> password attempt?
>> 
>> As it stands now, Dovecot seems highly vulnerable to widescale
>> brute-force password dictionary scans.
>
> But not if you secure access to Dovecot using e.g. fail2ban.  Why is adding 
> complexity to Dovecot better than using a dedicated tool?
>

I fell in the 'use another tool' (fail2ban or similar) camp the last time, 
but this thread made me wonder:

Does fail2ban allow you to tarpit, rather than outright ban, IPs? I've 
always thought tarpitting the better option of the two. Seems sneakier 
(fight back without the attacker necessarily knowing you're fighting).

Best,
Ben
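As an added example that is not part of this thread, of Dovecot or of fail2ban, the toy below shows how one per-IP failure counter built from constructed Dovecot-style log lines can drive both responses discussed above: a growing auth_failed_delay-style tarpit after each failed attempt, and a fail2ban-style ban once a threshold is crossed. The log field layout, the delay curve and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines loosely modelled on Dovecot auth failures; the
# field layout is an assumption, not Dovecot's exact format.
SAMPLE_LOG = """\
imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.9
imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.9
imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, rip=203.0.113.9
imap-login: Login: user=<dave>, rip=198.51.100.7
imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, rip=198.51.100.7
"""

FAILED_RE = re.compile(r"auth failed.*?rip=(?P<ip>[\d.]+)")

BASE_DELAY = 2.0   # seconds added after the first failure (assumed value)
MAX_DELAY = 30.0   # cap so one client cannot tie up a login process forever
BAN_THRESHOLD = 3  # fail2ban-style maxretry (assumed value)

def count_failures(log_text):
    """Return {ip: number of failed logins} for the given log text."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return dict(failures)

def tarpit_delay(failures):
    """Delay before answering the next attempt: doubles per failure, capped.
    The client still gets a normal answer, just slowly."""
    if failures == 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

def decide(log_text):
    """Per IP: ('ban', failures) past the threshold, else ('tarpit', seconds)."""
    decisions = {}
    for ip, n in count_failures(log_text).items():
        if n >= BAN_THRESHOLD:
            decisions[ip] = ("ban", n)
        else:
            decisions[ip] = ("tarpit", tarpit_delay(n))
    return decisions

if __name__ == "__main__":
    for ip, action in sorted(decide(SAMPLE_LOG).items()):
        print(ip, action)
```

The same counter can feed either policy; a real deployment would also have to expire old failures and watch for distributed attempts that stay under the per-IP threshold.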

