[Dovecot] Limit login attempts per connection?

Eric Rostetter rostetter at mail.utexas.edu
Fri Mar 5 22:20:50 EET 2010


Quoting Stan Hoeppner <stan at hardwarefreak.com>:

> It's good policy these days to use ipdeny.com cidr tables and ban all
> countries from your servers that will never need legitimate access to them.

It can be good policy...  But not always...

And it is certainly not a cure-all. If the people in those countries use
a proxy, or fake/spoof the IP, or use a mobile device where the IP of their
mobile device (smart phone, etc) isn't listed as being from their country,
they will bypass such checks.

You can try instead to block all spaces, and then allow only from certain IP
spaces (say, all US spaces, or all UK space, etc) but this leaves out many
legit spaces in that country which ipdeny.com missed, and has the same types
of problems as above as far as proxies, spoofing, etc.  This sounds good at
first, but when you think about it more it may actually be a worse approach
(block too much instead of block too little, resource savings aside).

>  If you're in the US, do you need to allow Chinese or Russian IP space to
> connect to your IMAP ports?

If you are in Higher Ed, the answer is almost always yes (unless you are
a very small school).  The use of VPN for students isn't very common, and
many faculty/staff hate VPN even though it is available to them.  And VPN
may not run on their smart-phone, netbook, etc.  Or they may want to use
it from an internet-cafe, a friend's house, a foreign university they
are visiting, airport wireless, etc.  (Security questions arising from
that aside...)

We _must_ allow access to our e-mail, web, and computation or general
purpose machines from all over the world.  Even if we provide VPN, HiEd
is not like a normal business in that we often can NOT force the users
to use the VPN access...

However, even in HiEd, we can still use ipdeny.com rules for our
internal-only machines...  For example, I use it on my network monitoring
machines since an insecure monitoring machine can quickly lead to all the
machines you monitor being insecure...

> If not, it's pretty simple to add iptables
> rules on all your servers to ban all the countries where a large amount of
> unauthorized connection attempts originate.

That can be a lot of rules...  As you noted in your post, that can be
a performance issue...  Plus there is the cost of keeping the rules
updated, etc.

I'm sure there are scripts around on the net to convert the ipdeny.com
files into iptables rules automatically, but there is still a cost there...

I believe there is also a "geoip" patch for iptables that will do a similar
job as the ipdeny.com lists...  I've not tried it though...

> Once you've got it set up and tuned it can work very well.

It can, in some cases, indeed.  But not in all cases...

I think you did a great service by pointing this out on the list, and
that many will find this a useful tip.  However, I'm not sure I agree
with your opening statement that "It's good policy" since that statement
is very broad, whereas policies are so site/application specific...

> --
> Stan

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
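An added example, not from this thread or from any Dovecot or ipdeny.com code, showing how the conversion Eric mentions can sidestep the "lot of rules" performance problem: load the CIDR list into a single `ipset` hash:net set and reference it from one iptables rule, so the kernel does a hash lookup instead of walking a rule per network. The set name, chain, port list and the sample zone file contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list thread): turn an ipdeny.com-style zone
# file (one IPv4 CIDR per line) into an `ipset restore` script plus ONE
# iptables rule. Set name, chain and ports are assumptions.
set -eu

# Constructed sample zone file; real ones come from ipdeny.com.
SAMPLE_ZONE='# comment lines and blank lines are ignored
198.51.100.0/24
203.0.113.0/24

192.0.2.0/25
'

CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'

# gen_ipset_restore NAME FILE -> prints an `ipset restore` script for FILE.
# Apply with: gen_ipset_restore blocked_cc zone.txt | ipset -exist restore
gen_ipset_restore() {
    name=$1; file=$2
    printf 'create %s hash:net family inet\n' "$name"
    printf 'flush %s\n' "$name"
    # keep only well-formed CIDR lines; drop comments, blanks and junk
    grep -E "$CIDR_RE" "$file" | while IFS= read -r cidr; do
        printf 'add %s %s\n' "$name" "$cidr"
    done
}

# gen_iptables_rule NAME PORTS -> the single DROP rule that consults the set
# for the mail ports (port list is an assumption, IMAP/IMAPS/POP3/POP3S).
gen_iptables_rule() {
    name=$1; ports=$2
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -m set --match-set %s src -j DROP\n' \
        "$ports" "$name"
}

# count_entries FILE -> number of usable CIDR entries (sanity check before
# loading; a zone file that parses to 0 entries is a sign of a broken download).
count_entries() {
    grep -cE "$CIDR_RE" "$1" || true
}

# Demo when run with --demo: print what would be loaded, apply nothing.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf '%s' "$SAMPLE_ZONE" > "$tmp"
    gen_ipset_restore blocked_cc "$tmp"
    gen_iptables_rule blocked_cc 143,993,110,995
    rm -f "$tmp"
fi
```

Refreshing the list is then a matter of regenerating the restore script and re-running it; the iptables rule itself never changes, which also addresses the update-cost point.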
