Authentication Penalty with ID x-originating-ip, HAproxy
Tobias
lists.zxinn at otaking.se
Fri Jun 24 08:11:11 UTC 2016
A quick test confirms that HAproxy header IP information does properly
delay the authentication failures upon successive failed login attempts
from the same IP.
And furthermore if the webmail client is delayed on the IMAP level, this
could potentially be exploited for DoS and as such may not be a good
idea after all. Even with the auth_failure_delay=2 by default this is
possible, but it's much easier to achieve the DoS if the pre-auth delay
increases to 17 seconds (maximum delay I've observed).
Is there any other brute force / DoS mitigation option for dovecot /
webmail interaction, short of fail2ban type IP blocking in a firewall
(which will not work on a machine several layers deep behind e.g. a
proxy), that isn't exclusively relying on the webmail client for such
mitigation?
Can dovecot itself temp-ban remote IPs (as reported by HAproxy protocol,
or IMAP ID x-originating-ip), perhaps with a notice to try again in X
seconds, instead of delaying them?
/Tobias
On 2016-06-24 13:27, Tobias wrote:
> The wiki states that anvil's authentication penalties are skipped when
> IP is in login_trusted_networks.
> http://wiki.dovecot.org/Authentication/Penalty
>
> Is there a way to enable the authentication penalties for specific
> advertised remote IPs, when the connecting IP is in
> "login_trusted_networks", and it advertises the originating remote IP
> via 'ID ("x-originating-ip", "<remote-ip>")'?
>
> And with regards to HAproxy, are anvil's authentication penalties by
> default transparent with regards to the remote IP advertised in the
> proxy protocol header?
>
> /Tobias
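A minimal Dovecot configuration for the HAproxy setup discussed above, added here as an illustration and not taken from the thread or from Dovecot's documentation; the listener name, port and proxy address are assumed, and haproxy_trusted_networks / haproxy = yes require Dovecot 2.2.19 or newer. The point is that the login process receives the real client IP from the PROXY protocol header, so anvil's per-IP penalty (and any log-based banning built on top of it) keys on the client rather than the proxy, while the proxy itself is kept out of login_trusted_networks, where it would switch the penalty off.

```conf
# Assumed address of the HAproxy host that sends the PROXY protocol header.
# Only listeners marked haproxy = yes accept the header, and only from here.
haproxy_trusted_networks = 10.0.0.5

service imap-login {
  # Assumed dedicated listener for proxied IMAP connections.
  inet_listener imap_haproxy {
    port = 1143
    haproxy = yes
  }
}

# Do NOT add the proxy here: anvil skips authentication penalties for
# connections whose (pre-PROXY-header) IP is in login_trusted_networks.
#login_trusted_networks =

# Base delay applied after a failed authentication; anvil's per-IP penalty
# grows on top of this for repeated failures from the same client IP.
auth_failure_delay = 2 secs
```

With this, a webmail client connecting through HAproxy is penalised per originating client IP, which is what the test in the message above observed; the DoS concern about stalling the webmail client's IMAP session remains and is not addressed by configuration alone.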