[Dovecot] limiting number of login attempts from same ip
Duane Hill
duane at duanemail.org
Fri Jun 10 13:06:22 EEST 2011
Friday, June 10, 2011, 4:22:26 AM, Jürgen wrote:
> Hello,
> is it possible to limit the number of pop3 (or imap) login attempts
> from one IP with dovecot to stop attackers? We recently had an attack
> from one IP-address lasting 50 minutes that tried 50000 pop3-logins
> with guessed users and passwords. I know about Fail2Ban but really
> would prefer an easy to configure solution inside of dovecot. Dovecot
> has this anvil daemon, can it be used for that purpose?
> We use dovecot version 2.0.12 under Solaris 10; the pop3-login part of
> the configuration looks like this:
> service pop3-login {
>   chroot = login
>   client_limit = 0
>   drop_priv_before_exec = no
>   executable = pop3-login
>   extra_groups =
>   group =
>   idle_kill = 0
>   inet_listener pop3 {
>     address =
>     port = 110
>     ssl = no
>   }
>   inet_listener pop3s {
>     address =
>     port = 995
>     ssl = yes
>   }
>   privileged_group =
>   process_limit = 0
>   process_min_avail = 0
>   protocol = pop3
>   service_count = 1
>   type = login
>   user = $default_login_user
>   vsz_limit = 64 M
> }
You can thwart (to some degree) failed login attempts by increasing
auth_failure_delay. I currently have the parameter set at 5 seconds.
Its default is 2 seconds.
I have also set auth_verbose = yes and auth_verbose_passwords = sha1
and have a cron job set up to search the previous day's logs using:
bzegrep -i 'password.mismatch' /var/log/maillog.0.bz2
I get an email message showing the failed login attempts from the
previous day.
Someone else suggested using fail2ban which is good. I have sshguard
set up myself.
--
Best regards,
Duane mailto:duane at duanemail.org
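Added example, not from the thread: a POSIX shell script that does the per-IP aggregation the daily grep report above leaves to the reader, so a 50000-attempt burst from one address stands out at the top. The log lines are constructed samples in the shape auth_verbose = yes produces (the exact format is assumed, not quoted from the post); for the rotated log, pipe `bzcat /var/log/maillog.0.bz2` into the functions instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the thread): count Dovecot auth failures per source
# IP for a daily report. The lines below are constructed samples in the shape
# auth_verbose=yes produces (format assumed, not taken from the post).
# Real use: bzcat /var/log/maillog.0.bz2 | offenders 20
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jun 10 04:01:11 mail dovecot: auth: Info: passwd-file(alice,192.0.2.10,<Ab12>): Password mismatch (SHA1 of given password: 5baa61e4)
Jun 10 04:01:12 mail dovecot: auth: Info: passwd-file(admin,192.0.2.10,<Ab13>): unknown user
Jun 10 04:01:13 mail dovecot: auth: Info: passwd-file(bob,192.0.2.10,<Ab14>): Password mismatch (SHA1 of given password: 7c4a8d09)
Jun 10 04:01:14 mail dovecot: auth: Info: passwd-file(carol,192.0.2.10,<Ab15>): Password mismatch (SHA1 of given password: 5baa61e4)
Jun 10 04:30:00 mail dovecot: auth: Info: passwd-file(alice,198.51.100.7,<Cd90>): Password mismatch (SHA1 of given password: e38ad214)
Jun 10 04:31:00 mail dovecot: pop3-login: Info: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=203.0.113.1
EOF

# Read log lines on stdin; print "<count> <ip>" per source IP, busiest first.
# Both wrong-password and unknown-user failures count. The IP is the second
# field inside the "(user,ip,...)" part of an auth: line; the character class
# also admits IPv6 addresses. The successful-login line has no such part and
# is dropped by the grep.
failed_logins_per_ip() {
  grep -iE 'password mismatch|unknown user' \
  | sed -nE 's/.*\(([^,()]*),([0-9A-Fa-f.:]+)[,)].*/\2/p' \
  | sort | uniq -c | sort -rn
}

# Read log lines on stdin; print only IPs with at least $1 failures.
offenders() {
  failed_logins_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

offenders 3 <"$SAMPLE_LOG"   # prints 192.0.2.10
```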