[Dovecot] Feature request: usernames and passwords
Martijn de Munnik
martijn+dovecot at youngguns.nl
Wed Jul 21 16:08:46 EEST 2010
On 21 Jul 2010, at 15:06, Leonardo Rodrigues wrote:
> On 21/07/2010 09:18, Timo Sirainen wrote:
>>
>> I think this is one of the tons of different possible password policies
>> and isn't really Dovecot's job. It really should be enforced while
>> setting the password, not while checking it.
>>
>>
>
> I completely agree that Dovecot is not the place for enforcing password policies nor checking them.
>
> But, still on the subject, maybe Dovecot could have some features for helping sysadmins to avoid/mitigate brute-force attacks. As told, some bots try username=password, but those fuckers (the bots) also try lots of common passwords, 123, 1234, the username followed by some numbers, and lots of others.
>
> Of course, if the provided password is not correct, Dovecot denies access as it should .... but in those situations, logs can get pretty filled with login failed messages, especially on servers with lots of accounts. And, in some cases, after lots of tries, the bot can find the correct username/password combination.
>
> I was thinking of something like ...
>
> 1) after N tries (let's say 10 for example) of wrong username/password combinations, Dovecot could start delaying the answers for wrong authentications coming from that specific IP address or IP/username, thus slowing down the brute-force attacks;
> 1.1) or even, after some M (let's say 20 for example) wrong username/password combinations, Dovecot could ban that IP address (or IP address/username combination to avoid problems with big networks with NAT access) for XX seconds/minutes, also slowing down the brute-force attack tries
> 1.2) this could probably be implemented using some in-memory internal backend, so it would be absolutely independent of the passdb schema and would require no modifications to the passdb schema.
>
> The original message talks about bot brute-force attacks, but we can be facing REAL brute-force attacks against a specific account .... and I think that some features to help mitigate those could indeed be interesting. And if those features exist, they could surely help with those brute-force attacks coming from dumb bots as well.
>
> It won't solve the username=password specific case, but could help with real or bot brute-force attacks.
>
> What do you think about that, Timo?
Have a look at fail2ban; this is exactly what you need.
>
>
> --
>
>
> Atenciosamente / Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> My SPAM trap, do NOT send email
> gertrudes at solutti.com.br
> My SPAMTRAP, do not email it
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568
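The delay-then-ban scheme sketched in the quoted message (slow down answers after N failures, ban after M, keyed on IP/username, state kept in memory rather than in passdb), as an added Python illustration that is neither Dovecot nor fail2ban code. Thresholds, window and ban length are assumed values, and the clock is injectable so the behaviour can be driven deterministically.

```python
import time
from collections import defaultdict


class AuthThrottle:
    """Per-(IP, username) failure tracking: after delay_after failures the
    answer is slowed down, after ban_after failures the key is banned for
    ban_seconds. State lives in memory only; assumed values throughout."""

    def __init__(self, delay_after=10, ban_after=20, ban_seconds=600,
                 window=600, delay_step=1.0, clock=time.monotonic):
        self.delay_after = delay_after
        self.ban_after = ban_after
        self.ban_seconds = ban_seconds
        self.window = window          # failures older than this are forgotten
        self.delay_step = delay_step  # extra seconds per failure past delay_after
        self.clock = clock            # injectable for deterministic tests
        self._failures = defaultdict(list)  # key -> failure timestamps
        self._banned_until = {}             # key -> expiry on the clock

    def _prune(self, key, now):
        cutoff = now - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def check(self, ip, username):  # call before passdb -> (allowed, delay)
        now = self.clock()
        key = (ip, username)  # keyed on IP/username so NAT'd sites keep working
        until = self._banned_until.get(key)
        if until is not None:
            if now < until:
                return False, 0.0
            del self._banned_until[key]   # ban expired: start from a clean slate
            self._failures.pop(key, None)
        self._prune(key, now)
        n = len(self._failures[key])
        if n >= self.delay_after:
            return True, self.delay_step * (n - self.delay_after + 1)
        return True, 0.0

    def record(self, ip, username, success):  # call after the passdb lookup
        now = self.clock()
        key = (ip, username)
        if success:
            self._failures.pop(key, None)  # a good login resets the counter
            return
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.ban_after:
            self._banned_until[key] = now + self.ban_seconds
```

Wire `check()` in front of the passdb lookup and `record()` after it; the returned delay is what the server sleeps before answering a failed login.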