[Dovecot] v2.0.beta1 released
Ed W
lists at wildgooses.com
Wed Dec 16 14:01:31 EET 2009
Hmm, you raise some good points...
> This could be a problem, yes.. I probably have to make this configurable
> in some way. Or perhaps I could add some more code so that if only the
> same user+password combination (or a few of them) are the problem, it
> doesn't penalize. This feels familiar, I think I almost started coding
> that before. Or it's as if I already did, but I don't see the code..
>
Yeah, interesting idea to ignore a "stuck" login - this would help a lot.
There are probably related ideas to look at the number of incorrect
usernames from a given IP as well as the number of wrong passwords, but
things get complicated fast. Also I think the trend is going to quickly
shift to distributed bruteforcing - I have already seen this a little
bit where you hardly see any one IP address login, but the log files as
a whole are seeing a lot of break-in attempts.
>> Should it not only delay *incorrect* logins? ie each time you get it
>> wrong then you get a penalty (which increases). Getting it right would
>> login instantly and slightly decrease the "got it wrong" penalty (or
>> perhaps it just time ages)?
>>
> That would also make the penalty pretty pointless. Attackers would just
> login, wait for half a second, assume it was a failed login, disconnect
> and connect again.
>
Good point...
I guess you could mark IPs which disconnect before receiving a "password
incorrect" message as being especially naughty? In fact this is
probably an excellent thing to log so that those with fail2ban kind of
things could trigger something if they see it? It would seem to be a
high probability sign of someone bruteforcing?
Perhaps this itself is enough to justify an option to allow valid logins
from an IP to proceed immediately? It doesn't help with a distributed
bruteforce, but really those are so slow (per IP) that it really makes
no odds if you tarpit them or not... Is this a reasonable compromise?
(allow correct logins immediately, optionally unless we see really
naughty behaviour of not waiting for the "incorrect" response from that
IP on failed logins?)
Nice new feature anyway! Cheers
Ed W
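The policy being argued about above, acted out as a small added example (this is not Dovecot's code and not anything posted in the thread): a failed login earns an increasing delay, repeats of the same user+password pair from a "stuck" client are not counted again, a correct login goes through at once, and an IP that hangs up before it has received the "password incorrect" reply is treated as a brute-force signal, after which even its correct logins are tarpitted. Every class, method, threshold and address below is hypothetical, and the event list is constructed rather than taken from real logs.

```python
"""Toy per-IP authentication penalty tracker.

Added example, not Dovecot code: every class, threshold and event below is
hypothetical, chosen to act out the policy discussed in the thread:
  * a failed login earns an increasing delay, but repeats of the same
    user+password pair (a "stuck" client) are not counted again;
  * a correct login proceeds immediately, unless the IP has already been
    seen disconnecting before it received the "password incorrect" reply,
    which is treated as a brute-force signal worth logging/alerting on.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class IpState:
    combos: set = field(default_factory=set)  # distinct failed (user, pw-digest) pairs
    early_disconnects: int = 0                # hung up before the failure reply was sent
    last_seen: float = 0.0


class PenaltyTracker:
    def __init__(self, base_delay=0.5, max_delay=8.0, decay_seconds=300.0,
                 stuck_combos=2, early_disconnect_limit=2):
        self.base_delay = base_delay                  # seconds for the first penalised failure
        self.max_delay = max_delay                    # cap on the exponential backoff
        self.decay_seconds = decay_seconds            # idle time after which an IP is forgiven
        self.stuck_combos = stuck_combos              # this many distinct combos are free
        self.early_disconnect_limit = early_disconnect_limit
        self._ips = {}

    def _state(self, ip, now):
        st = self._ips.get(ip)
        if st is None or now - st.last_seen > self.decay_seconds:
            st = self._ips[ip] = IpState()            # new or expired: start clean
        st.last_seen = now
        return st

    def _delay(self, st):
        excess = len(st.combos) - self.stuck_combos
        if excess <= 0:
            return 0.0                                # a few repeated mistakes cost nothing
        return min(self.max_delay, self.base_delay * 2 ** (excess - 1))

    def failed_login(self, ip, user, password, now):
        """Record a wrong password; return the delay to impose before replying."""
        st = self._state(ip, now)
        # Keep only a truncated digest so the candidate secret is not held in memory as-is.
        digest = hashlib.sha256(password.encode()).hexdigest()[:16]
        st.combos.add((user, digest))                 # set: retrying the same pair adds nothing
        return self._delay(st)

    def early_disconnect(self, ip, now):
        """Client dropped the connection before the failure reply was sent."""
        self._state(ip, now).early_disconnects += 1

    def is_suspicious(self, ip):
        st = self._ips.get(ip)
        return st is not None and st.early_disconnects >= self.early_disconnect_limit

    def successful_login(self, ip, now):
        """Return 0 for an immediate login, or the penalty if the IP misbehaved."""
        st = self._state(ip, now)
        if st.early_disconnects >= self.early_disconnect_limit:
            return self._delay(st)                    # tarpit even correct logins
        return 0.0


def replay(tracker, events):
    """Feed (time, ip, kind, user, password) events in order; return each delay."""
    delays = []
    for t, ip, kind, user, password in events:
        if kind == "fail":
            delays.append(tracker.failed_login(ip, user, password, t))
        elif kind == "early_disconnect":
            tracker.early_disconnect(ip, t)
            delays.append(None)
        elif kind == "ok":
            delays.append(tracker.successful_login(ip, t))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return delays


# Constructed sample, not real log data.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", "fail", "alice", "letmein"),
    (1.0, "198.51.100.7", "fail", "alice", "letmein"),    # stuck client: same pair again
    (2.0, "198.51.100.7", "fail", "alice", "Letmein1"),
    (3.0, "198.51.100.7", "fail", "bob", "password"),     # third distinct pair: 0.5 s
    (4.0, "198.51.100.7", "fail", "bob", "123456"),       # fourth: 1.0 s
    (5.0, "198.51.100.7", "early_disconnect", None, None),
    (6.0, "198.51.100.7", "early_disconnect", None, None),
    (7.0, "198.51.100.7", "ok", "bob", None),             # correct, but IP is now suspicious
    (8.0, "203.0.113.9", "ok", "carol", None),            # clean IP logs in at once
]

if __name__ == "__main__":
    tracker = PenaltyTracker()
    for event, delay in zip(SAMPLE_EVENTS, replay(tracker, SAMPLE_EVENTS)):
        print(event[1], event[2], "->", delay)
    print("198.51.100.7 suspicious:", tracker.is_suspicious("198.51.100.7"))
```

Two design points a practitioner would want to check before using anything like this for real: the per-IP set of distinct combos must be bounded (an attacker who is already being tarpitted can otherwise grow it without limit), and the early-disconnect counter is exactly the event that should be written to the log, since that single line is what a fail2ban-style rule can key on even when the attempts are spread across many source addresses.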