[Dovecot] Feature request: usernames and passwords
Pascal Volk
user+dovecot at localhost.localdomain.org
Wed Jul 21 16:32:15 EEST 2010
On 07/21/2010 03:06 PM Leonardo Rodrigues wrote:
>
> I was thinking of something like ...
>
> 1) after N tries (let's say 10 for example) of wrong username/password
> combinations, dovecot could start delaying the answers for wrong
> authentications coming from that specific IP address or IP/username,
> thus slowing down the brute-force attacks;
> 1.1) or even, after some M (let's say 20 for example) wrong
> username/password combinations, dovecot could ban that IP address (or IP
> address/username combination to avoid problems with big networks with NAT
> access) for XX seconds/minutes, also slowing down the brute-force attack
> tries
> 1.2) this could probably be implemented using some in-memory internal
> backend, so it would be absolutely independent of passdb schema and
> would require no modifications to passdb schema.
>
Install dovecot 2.0.rc3 and try to 'break in'. You will see how dovecot
slows down your 'attack'. When you test it with your botnet ( ;-) ), use
`doveadm penalty` to see current penalties.
Regards,
Pascal
--
The trapper recommends today: deadbeef.1020215 at localdomain.org
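
The scheme proposed in the quoted message (delay after N failures, temporary ban after M, in-memory state keyed by IP/username), written out as an added example. It is not part of the original post and not Dovecot's implementation; the class name, thresholds, back-off curve and idle expiry are assumptions.

```python
import time

class AuthThrottle:
    """In-memory failed-login penalties keyed by (ip, username). Hypothetical class."""

    def __init__(self, delay_after=10, ban_after=20, ban_seconds=300,
                 max_delay=15.0, idle_expiry=3600, clock=time.monotonic):
        self.delay_after, self.ban_after = delay_after, ban_after
        self.ban_seconds, self.max_delay = ban_seconds, max_delay
        self.idle_expiry, self.clock = idle_expiry, clock
        self._table = {}  # (ip, user) -> [failures, banned_until, last_seen]

    def check(self, ip, user):
        """Call before verifying a password: ("ban", secs_left), ("delay", secs) or ("ok", 0.0)."""
        now = self.clock()
        entry = self._table.get((ip, user))
        if entry is None:
            return ("ok", 0.0)
        failures, banned_until, last_seen = entry
        if now < banned_until:
            return ("ban", banned_until - now)
        if now - last_seen > self.idle_expiry:
            del self._table[(ip, user)]  # penalty has aged out
            return ("ok", 0.0)
        if failures >= self.delay_after:
            # Exponential back-off; exponent and result are both capped.
            exp = min(failures - self.delay_after, 16)
            return ("delay", min(self.max_delay, 2.0 ** exp))
        return ("ok", 0.0)

    def record_failure(self, ip, user):
        now = self.clock()
        entry = self._table.setdefault((ip, user), [0, 0.0, now])
        entry[0] += 1
        entry[2] = now
        if entry[0] >= self.ban_after:
            entry[1] = now + self.ban_seconds

    def record_success(self, ip, user):
        self._table.pop((ip, user), None)  # a valid login clears the penalty

    def purge(self):
        """Drop aged-out entries so attacker-chosen usernames cannot grow the table forever."""
        now = self.clock()
        stale = [k for k, (_, until, seen) in self._table.items()
                 if now >= until and now - seen > self.idle_expiry]
        for k in stale:
            del self._table[k]
        return len(stale)
```

Keying on the IP/username pair keeps one noisy client behind a NAT from locking out its neighbours, at the cost of a table whose size the remote side influences, which is why `purge()` needs to run periodically.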