[Dovecot] v2.0.beta1 released

Ed W lists at wildgooses.com
Wed Dec 16 14:01:31 EET 2009


Hmm, you raise some good points...

> This could be a problem, yes.. I probably have to make this configurable
> in some way. Or perhaps I could add some more code so that if only the
> same user+password combination (or a few of them) are the problem, it
> doesn't penalize. This feels familiar, I think I almost started coding
> that before. Or it's as if I already did, but I don't see the code..
>    

Yeah, interesting idea to ignore a "stuck" login - this would help a lot

There are probably related ideas to look at the number of incorrect 
usernames from a given IP as well as the number of wrong passwords, but 
things get complicated fast.  Also I think the trend is going to quickly 
shift to distributed bruteforcing - I have already seen this a little 
bit, where you hardly see any one IP address login, but the log files as 
a whole are seeing a lot of break-in attempts.


>> Should it not only delay *incorrect* logins? ie each time you get it
>> wrong then you get a penalty (which increases).  Getting it right would
>> login instantly and slightly decrease the "got it wrong" penalty (or
>> perhaps it just time ages)?
>>      
> That would also make the penalty pretty pointless. Attackers would just
> login, wait for half a second, assume it was a failed login, disconnect
> and connect again.
>    

Good point...

I guess you could mark IPs which disconnect before receiving a "password 
incorrect" message as being especially naughty?  In fact this is 
probably an excellent thing to log so that those with fail2ban kind of 
things could trigger something if they see it?  It would seem to be a 
high probability sign of someone bruteforcing?

Perhaps this itself is enough to justify an option to allow valid logins 
from an IP to proceed immediately? It doesn't help with a distributed 
bruteforce, but really those are so slow (per IP) that it really makes 
no odds if you tarpit them or not...  Is this a reasonable compromise? 
(allow correct logins immediately, optionally unless we see really 
naughty behaviour of not waiting for the "incorrect" response from that 
IP on failed logins?)

Nice new feature anyway!  Cheers

Ed W

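The policy discussed in this thread, worked through as an added example (not Dovecot's code, and not anything Ed or Timo posted): a per-IP penalty that doubles on each failed login and ages out when the IP goes quiet, a "stuck" client resending the same user+password that is not penalised further, correct logins that proceed immediately unless the IP has already hung up before a "password incorrect" reply, and those early hangups written to the log so a fail2ban-style scanner can act on them. The scanner also does the cross-IP check Ed mentions for distributed bruteforcing. The log format, thresholds and IP addresses are assumptions constructed for this example.

```python
"""Per-IP login penalty as discussed above; example code, not Dovecot's own.
Failed logins double the IP's delay, a "stuck" client resending one bad
credential is not penalised further, correct logins proceed immediately
unless the IP has hung up before a "password incorrect" reply, and those
hangups are logged for a fail2ban-style scanner. Log format and thresholds
are assumptions made for this example."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class IPState:
    penalty: float = 0.0       # seconds to wait before a failure reply
    last_fail_at: float = 0.0  # when the penalty was last raised
    early_hangups: int = 0     # disconnects before the failure reply
    last_bad_cred: str = ""    # fingerprint of the last failed credential
    bad_users: set = field(default_factory=set)


class PenaltyTracker:
    def __init__(self, base=0.5, cap=16.0, decay=300.0, hangup_limit=2):
        self.base, self.cap, self.decay = base, cap, decay
        self.hangup_limit, self.ips, self.log = hangup_limit, {}, []

    def _state(self, ip, now):
        st = self.ips.setdefault(ip, IPState())
        if now - st.last_fail_at > self.decay:
            st.penalty = 0.0   # the penalty ages out on an idle IP
        return st

    def delay_for(self, ip, now, success):
        """Seconds to wait before answering this attempt."""
        st = self._state(ip, now)
        if success and st.early_hangups < self.hangup_limit:
            return 0.0         # correct logins proceed immediately ...
        return st.penalty      # ... unless the IP has hung up early before

    def record_failure(self, ip, user, password, now, got_reply=True):
        """Register a failed login and return the IP's new penalty."""
        st = self._state(ip, now)
        st.bad_users.add(user)
        if not got_reply:
            st.early_hangups += 1
            self.log.append(f"auth: hangup before reply rip={ip} "
                            f"user=<{user}> count={st.early_hangups}")
        # Only a hash of the attempt is kept, never the password itself.
        fp = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()[:16]
        if fp == st.last_bad_cred:
            # Same user+password failing again: a stuck client, not a guess.
            self.log.append(f"auth: stuck credential rip={ip} user=<{user}>")
            return st.penalty
        st.last_bad_cred, st.last_fail_at = fp, now
        st.penalty = min(self.cap, max(self.base, st.penalty * 2))
        self.log.append(f"auth: failed rip={ip} user=<{user}> "
                        f"penalty={st.penalty:.1f}s users={len(st.bad_users)}")
        return st.penalty


def scan_log(lines, hangup_limit=2, user_limit=3, campaign_min=20):
    """fail2ban-style pass: flag IPs that hung up early or tried many users,
    and report a distributed campaign when failures are many but spread
    thinly (the busiest IP accounts for under a quarter of them)."""
    hangups, failures, users = {}, {}, {}
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if line.startswith("auth: hangup"):
            hangups[f["rip"]] = int(f["count"])
        elif line.startswith("auth: failed"):
            failures[f["rip"]] = failures.get(f["rip"], 0) + 1
            users[f["rip"]] = int(f["users"])
    flagged = ({ip for ip, n in hangups.items() if n >= hangup_limit}
               | {ip for ip, n in users.items() if n >= user_limit})
    total, top = sum(failures.values()), max(failures.values(), default=0)
    return flagged, total >= campaign_min and top * 4 < total


def demo():
    """Constructed scenario: a stuck client, a guesser that never waits for
    the reply, a username enumerator and 20 low-rate IPs guessing together."""
    t = PenaltyTracker()
    for n in range(3):
        t.record_failure("10.0.0.5", "alice", "oldpw", now=n)
    for n, pw in enumerate("abcd"):
        t.record_failure("198.51.100.7", "root", pw, now=n, got_reply=False)
    for n, user in enumerate(["bob", "carol", "dave"]):
        t.record_failure("192.0.2.9", user, f"pw{n}", now=n)
    for i in range(20):
        for pw in ("x", "y"):
            t.record_failure(f"203.0.113.{i}", "admin", pw, now=10)
    flagged, distributed = scan_log(t.log)
    return {
        "stuck_penalty": t.ips["10.0.0.5"].penalty,
        "guesser_penalty": t.ips["198.51.100.7"].penalty,
        "stuck_success_delay": t.delay_for("10.0.0.5", 11, success=True),
        "guesser_success_delay": t.delay_for("198.51.100.7", 11, success=True),
        "flagged": sorted(flagged),
        "distributed": distributed,
    }
```

Running `demo()` shows the trade-offs from the thread in one place: the stuck client at 10.0.0.5 keeps a 0.5 s penalty after three identical failures and logs in with no delay, the guesser at 198.51.100.7 is at 4 s and, because it hung up before the reply, does not get the immediate-success shortcut, and the 20-address campaign is invisible per IP (two failures each) but obvious in the log as a whole.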