[Dovecot] Limit login attempts per connection?
Timo Sirainen
tss at iki.fi
Fri Mar 5 12:03:43 EET 2010
On Thu, 2010-03-04 at 23:43 -0500, Tony Nelson wrote:
> > I think it's a brilliant idea. After one login attempt, all others
> > on the same connection should fail.
>
> A fan! Anyway, there should at least be a choice. Not that I've coded
> a choice, just a dumb patch -- see attachment. It's a bit of a
> compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it
> to 2.
I think I'll change v2.0 to simply disconnect 3 minutes after the client
connected. With the tarpitting doubling the auth failure delay for up to
15 seconds, that allows maybe max. 15 auth attempts before being
disconnected. I don't really see why that would be too much, there's not
much brute forcing that can be done with 15 attempts..
(And this assumes that something externally blocks that IP by then. If
you disconnect without blocking the IP, they'll just reconnect and
continue so that won't help much. And banning IP for just 2-4 failed
auth attempts seems a bit too early.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20100305/9836e961/attachment.bin
More information about the dovecot
mailing list