[Dovecot] Limit login attempts per connection?

Timo Sirainen tss at iki.fi
Fri Mar 5 12:03:43 EET 2010

On Thu, 2010-03-04 at 23:43 -0500, Tony Nelson wrote:
> > I think it's a brilliant idea.  After one login attempt, all others
> > on the same connection should fail.
> A fan!  Anyway, there should at least be a choice.  Not that I've coded
> a choice, just a dumb patch -- see attachment.  It's a bit of a
> compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower it
> to 2.

I think I'll change v2.0 to simply disconnect 3 minutes after the client
connected. With the tarpitting doubling the auth failure delay for up to
15 seconds, that allows maybe max. 15 auth attempts before being
disconnected. I don't really see why that would be too much, there's not
much brute forcing that can be done with 15 attempts..

(And this assumes that something externally blocks that IP by then. If
you disconnect without blocking the IP, they'll just reconnect and
continue so that won't help much. And banning IP for just 2-4 failed
auth attempts seems a bit too early.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20100305/9836e961/attachment.bin 

More information about the dovecot mailing list