[Dovecot] limiting number of login attempts from same ip
Maarten Bezemer
mcbdovecot at robuust.nl
Mon Jun 13 16:45:06 EEST 2011
On Mon, 13 Jun 2011, Timo Sirainen wrote:
> With v2.0 it was already limiting. It increased each login failure delay
> to 15 seconds before the failure was reported. Although maybe something
> wasn't working correctly, because 50k hits is more than I think should
> have been possible. Assuming you have default_process_limit=100
> (default), there should have been a maximum of 20k attempts (100
> processes / 15 seconds * 60*50 seconds).
I've also seen the reported type of dictionary attacks. Login failure
delay doesn't really help much for those... they just open numerous new
connections and only try 1 username/password on each connection. On one
server, that got me loads of messages like these in my logs:
Feb 13 00:40:46 poseidon kernel: TCP: drop open request from 64.73.242.138/1536
and
Feb 13 00:44:07 poseidon kernel: NET: 220 messages suppressed.
After being firewalled, it kept hammering on the pop3 port for 90 more
seconds, after which it probably found another door to hammer.
Although I wouldn't really mind if dovecot could be set up to handle this
"gracefully", I'd say this is a more generic problem that is better
solved at network level than within dovecot. (So it can be used for other
services as well.)
--
Maarten
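The attack pattern described above (many connections, one failed attempt each, so a per-connection delay never engages) is caught by counting failures per source IP across connections. The following is an added example, not code from the post or from Dovecot: it parses a constructed sample of Dovecot 2.x login-process log lines (the `Disconnected (auth failed, N attempts ...): ... rip=` format is assumed) and returns the IPs that cross a sliding-window threshold, which is the decision a firewall-side tool would act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). The 64.73.242.138 host
# opens a new connection per guess, so every line shows "1 attempts".
SAMPLE_LOG = """\
Feb 13 00:40:40 poseidon dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=64.73.242.138, lip=10.0.0.5
Feb 13 00:40:41 poseidon dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=64.73.242.138, lip=10.0.0.5
Feb 13 00:40:43 poseidon dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5
Feb 13 00:40:45 poseidon dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol2>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5
Feb 13 00:40:46 poseidon dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charlie>, method=PLAIN, rip=64.73.242.138, lip=10.0.0.5
Feb 13 00:42:30 poseidon dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=64.73.242.138, lip=10.0.0.5
"""

# Assumed Dovecot 2.x login-process format: only auth-failed disconnects match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts.*?rip=(?P<ip>[\d.]+)"
)


def failed_logins(log_text):
    """Yield (timestamp, ip, attempts) for each auth-failed disconnect line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Syslog stamps carry no year; relative ordering is all we need.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], int(m["n"])


def ips_to_block(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first reached} for IPs whose failed
    attempts, summed across separate connections, reach `threshold` within
    any `window`. This is the per-IP view the per-connection delay lacks."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, attempts)
    flagged = {}
    for ts, ip, n in sorted(failed_logins(log_text)):
        q = recent[ip]
        q.append((ts, n))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        if ip not in flagged and sum(a for _, a in q) >= threshold:
            flagged[ip] = ts
    return flagged
```

With the sample, only 64.73.242.138 is flagged (three failures inside 60 seconds); the single typo from 192.0.2.10 stays below the threshold.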