[Dovecot] limiting number of login attempts from same ip

Maarten Bezemer mcbdovecot at robuust.nl
Mon Jun 13 16:45:06 EEST 2011


On Mon, 13 Jun 2011, Timo Sirainen wrote:

> With v2.0 it was already limiting. It increased each login failure delay
> to 15 seconds before the failure was reported. Although maybe something
> wasn't working correctly, because 50k hits is more than I think should
> have been possible. Assuming you have default_process_limit=100
> (default), there should have been a maximum of 20k attempts (100
> processes / 15 seconds * 60*50 seconds).

I've also seen the reported type of dictionary attacks. Login failure 
delay doesn't really help much for those... they just open numerous new 
connections and only try 1 username/password on each connection. On one 
server, that got me loads of messages like these in my logs:

Feb 13 00:40:46 poseidon kernel: TCP: drop open request from 64.73.242.138/1536

and

Feb 13 00:44:07 poseidon kernel: NET: 220 messages suppressed.

After being firewalled, it kept hammering on the pop3 port for 90 more 
seconds, after which it probably found another door to hammer.

I wouldn't really mind if dovecot could be set up to handle this 
"gracefully", but I'd say this is a more generic problem that is better 
solved at network level than within dovecot. (So it can be used for other 
services as well.)

-- 
Maarten
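Detection for the pattern described in this message (many short connections, one failed guess on each, so a per-connection failure delay never accumulates), as an added example that is not from the thread or from Dovecot itself. The log lines are constructed in the style of dovecot 2.0's `pop3-login: Disconnected (auth failed, N attempts)` messages, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post). 198.51.100.7 opens
# twenty connections in one minute and fails once on each; 192.0.2.9 is a
# single connection where a user mistyped the password three times.
SAMPLE_LOG = "\n".join(
    [f"Feb 13 00:40:{s:02d} poseidon dovecot: pop3-login: Disconnected "
     f"(auth failed, 1 attempts): user=<u{s}>, method=PLAIN, "
     f"rip=198.51.100.7, lip=203.0.113.5" for s in range(0, 60, 3)]
    + ["Feb 13 00:40:10 poseidon dovecot: pop3-login: Disconnected "
       "(auth failed, 3 attempts): user=<bob>, method=PLAIN, "
       "rip=192.0.2.9, lip=203.0.113.5"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts\):.*?rip=(?P<rip>[\d.]+)"
)

def parse_failures(log_text):
    """Return {remote_ip: [(timestamp, attempts_on_that_connection), ...]}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults it, which is
        # fine for computing differences inside one log.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        by_ip[m.group("rip")].append((ts, int(m.group("attempts"))))
    return by_ip

def flag_connection_floods(log_text, window_seconds=60, threshold=10):
    """Return {ip: peak_count} for sources with >= threshold failed
    connections inside any sliding window of window_seconds.

    It counts connections, not attempts per connection, because that is
    exactly what a per-connection failure delay cannot see.
    """
    flagged = {}
    for rip, events in parse_failures(log_text).items():
        times = sorted(ts for ts, _ in events)
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[rip] = peak
    return flagged
```

The flagged addresses are what you would feed to a network-level block or rate limit, which is where the message above argues the problem belongs.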

