[Dovecot] Feature request: usernames and passwords
Leonardo Rodrigues
leolistas at solutti.com.br
Wed Jul 21 16:06:17 EEST 2010
On 21/07/2010 09:18, Timo Sirainen wrote:
>
> I think this is one of the tons of different possible password policies
> and isn't really Dovecot's job. It really should be enforced while
> setting the password, not while checking it.
>
I completely agree that Dovecot is not the place for enforcing
password policies nor checking them.
But, still on the subject, maybe Dovecot could have some features
for helping sysadmins to avoid/mitigate brute-force attacks. As told,
some bots try username=password, but those fuckers (the bots) also
try lots of common passwords, 123, 1234, the username followed by some
numbers, and lots of others.
Of course, if the provided password is not correct, Dovecot denies
access as it should .... but in those situations, logs can get pretty
filled with "login failed" messages, especially on servers with lots of
accounts. And, in some cases, after lots of tries, the bot can find the
correct username/password combination.
I was thinking of something like ...
1) after N tries (let's say 10 for example) of wrong username/password
combinations, Dovecot could start delaying the answers for wrong
authentications coming from that specific IP address or IP/username,
thus slowing down the brute-force attacks;
1.1) or even, after some M (let's say 20 for example) wrong
username/password combinations, Dovecot could ban that IP address (or IP
address/username combination, to avoid problems with big networks behind NAT
access) for XX seconds/minutes, also slowing down the brute-force attack
tries;
1.2) this could probably be implemented using some in-memory internal
backend, so it would be absolutely independent of the passdb schema and
would require no modifications to the passdb schema.
The original message talks about bot brute-force attacks, but we can
be facing REAL brute-force attacks against a specific account .... and I
think that some features to help mitigate those could indeed be
interesting. And if those features existed, they could surely help with
those brute-force attacks coming from dumb bots as well.
It won't solve the username=password specific case, but could help
with real or bot brute-force attacks.
What do you think of that, Timo?
--
Best regards / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it
gertrudes at solutti.com.br
My SPAMTRAP, do not email it
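The throttle/ban policy sketched in points 1) to 1.2) above, as an added, self-contained example that is not part of the original post and not Dovecot code: an in-memory tracker keyed by IP or IP+username (the names `AuthThrottle`, `check`, `record` and the sample addresses are constructed for illustration) that adds a growing delay after N failures within a window and bans the key after M failures for a fixed time, while a successful login clears the counter.

```python
"""Constructed example of the proposed policy: delay after N failures,
ban after M failures, per IP or per IP+username, all kept in memory."""
import time
from dataclasses import dataclass, field


@dataclass
class AuthThrottle:
    delay_after: int = 10          # N: start delaying replies after this many failures
    ban_after: int = 20            # M: ban the key after this many failures
    ban_seconds: float = 600.0     # XX: how long a ban lasts
    window_seconds: float = 600.0  # failures older than this are forgotten
    per_user: bool = True          # key on IP+username (NAT-friendly) instead of IP only
    _failures: dict = field(default_factory=dict)  # key -> list of failure timestamps
    _bans: dict = field(default_factory=dict)      # key -> ban expiry timestamp

    def _key(self, ip, user):
        return (ip, user) if self.per_user else (ip,)

    def _recent(self, key, now):
        """Drop failures outside the window and return the ones that remain."""
        ts = [t for t in self._failures.get(key, []) if now - t <= self.window_seconds]
        self._failures[key] = ts
        return ts

    def check(self, ip, user, now=None):
        """Call before verifying a password. Returns (allowed, delay_seconds)."""
        now = time.time() if now is None else now
        key = self._key(ip, user)
        expiry = self._bans.get(key)
        if expiry is not None:
            if now < expiry:
                return False, 0.0          # still banned: reject without checking passdb
            del self._bans[key]            # ban expired
        n = len(self._recent(key, now))
        if n >= self.delay_after:
            # exponential backoff, capped so a legitimate user is only slowed, not locked out
            return True, min(2.0 ** (n - self.delay_after), 30.0)
        return True, 0.0

    def record(self, ip, user, success, now=None):
        """Call after verifying a password. Returns True if this failure started a ban."""
        now = time.time() if now is None else now
        key = self._key(ip, user)
        if success:
            self._failures.pop(key, None)  # a good login clears the counter
            return False
        ts = self._recent(key, now)
        ts.append(now)
        if len(ts) >= self.ban_after:
            self._bans[key] = now + self.ban_seconds
            return True
        return False
```

In a real deployment the delay would be applied to the failed-auth reply and the ban checked before the passdb lookup, so a banned client never triggers a backend query or a "login failed" log line per attempt.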