[Dovecot] limiting number of login attempts from same ip
Timo Sirainen
tss at iki.fi
Mon Jun 13 16:22:50 EEST 2011
On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
> Hello,
>
> is it possible to limit the number of pop3 (or imap) login attempts
> from one IP with dovecot to stop attackers? We recently had an attack
> from one IP-address lasting 50 minutes that tried 50000 pop3-logins
> with guessed users and passwords. I know about Fail2Ban but really
> would prefer an easy to configure solution inside of dovecot. Dovecot
> has this anvil daemon, can it be used for that purpose?
>
> We use dovcot version 2.0.12 under Solaris 10, the pop3-login part of
> the configuration looking like that:
With v2.0 it was already limiting. It increased each login failure delay
to 15 seconds before the failure was reported. Although maybe something
wasn't working correctly, because 50k hits is more than I think should
have been possible. Assuming you have default_process_limit=100
(default), there should have been a maximum of 20k attempts (100
processes / 15 seconds * 60*50 seconds).
Hmm. Maybe instead of simply increasing the failure delay, the IP could
be disconnected immediately?
More information about the dovecot
mailing list