On 21/07/2010 09:18, Timo Sirainen wrote:
> I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
I completely agree that Dovecot is not the place for enforcing password policies, nor for checking them.
But, still on the subject, maybe Dovecot could have some features to help sysadmins avoid/mitigate brute-force attacks. As mentioned, some bots try username=password, but those fuckers (the bots) also try lots of common passwords: 123, 1234, the username followed by some numbers, and lots of others.
Of course, if the provided password is not correct, Dovecot denies access, as it should... but in those situations the logs can get pretty filled with login-failed messages, especially on servers with lots of accounts. And, in some cases, after lots of tries, the bot can find the correct username/password combination.
I was thinking of something like...

1) After N tries (let's say 10, for example) of wrong username/password combinations, Dovecot could start delaying the answers for wrong authentications coming from that specific IP address or IP/username, thus slowing down the brute-force attack;
1.1) Or even, after some M (let's say 20, for example) wrong username/password combinations, Dovecot could ban that IP address (or IP address/username combination, to avoid problems with big networks behind NAT) for XX seconds/minutes, also slowing down the brute-force attempts;
1.2) This could probably be implemented using some in-memory internal backend, so it would be absolutely independent of the passdb schema and would require no modifications to the passdb schema.
The original message talks about bot brute-force attacks, but we could be facing REAL brute-force attacks against a specific account... and I think that some features to help mitigate those could indeed be interesting. And if those features existed, they could surely help against the brute-force attacks coming from dumb bots as well.
It won't solve the username=password specific case, but it could help with real or bot brute-force attacks.
What do you think about that, Timo?
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send it email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
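The throttle-then-ban scheme sketched in the message above, as an added example that is neither Dovecot code nor the poster's own: an in-memory tracker keyed by client IP, or by IP plus username for the NAT case, that starts delaying failed answers once failures exceed N, bans once they reach M, and forgets stale counters. N=10 and M=20 are the message's placeholders; the doubling back-off capped at 30 s, the one-hour window, the 600-second ban, the fake clock and the sample addresses and usernames are assumptions of this example.

```python
"""In-memory throttle/ban of failed logins keyed by client IP or IP+username.

Added example for the scheme proposed in the message; not Dovecot code.
N=10 and M=20 follow the message; back-off, window, ban length and the
fake clock are assumptions of this example.
"""
import time
from dataclasses import dataclass


@dataclass
class _Record:
    failures: int = 0          # failures counted inside the current window
    last_failure: float = 0.0  # clock reading of the most recent failure
    banned_until: float = 0.0  # clock reading when the ban ends (0.0 = no ban)


class BruteForceGuard:
    def __init__(self, delay_after=10, ban_after=20, ban_seconds=600.0,
                 base_delay=1.0, max_delay=30.0, window=3600.0,
                 per_user=False, clock=time.monotonic):
        self.delay_after = delay_after  # N: delay answers once failures exceed this
        self.ban_after = ban_after      # M: ban once failures reach this
        self.ban_seconds = ban_seconds  # XX: ban duration
        self.base_delay = base_delay    # first delay, doubled on each further failure
        self.max_delay = max_delay      # cap so one client cannot pin a worker
        self.window = window            # counters older than this are forgotten
        self.per_user = per_user        # key on (ip, user) to spare other NAT users
        self.clock = clock              # injectable for deterministic tests
        self._records = {}

    def _key(self, ip, username):
        return (ip, username) if self.per_user else (ip, None)

    def ban_remaining(self, ip, username):
        """Seconds left on an active ban for this client, 0.0 if none."""
        rec = self._records.get(self._key(ip, username))
        if rec is None:
            return 0.0
        return max(0.0, rec.banned_until - self.clock())

    def record_failure(self, ip, username):
        """Count a failed login; return (action, seconds) to apply to the reply."""
        now = self.clock()
        rec = self._records.setdefault(self._key(ip, username), _Record())
        if rec.banned_until <= now and now - rec.last_failure > self.window:
            rec.failures = 0  # stale counter: start over
        rec.failures += 1
        rec.last_failure = now
        if rec.failures >= self.ban_after:
            rec.banned_until = now + self.ban_seconds
            return ("ban", self.ban_seconds)
        if rec.failures > self.delay_after:
            exponent = rec.failures - self.delay_after - 1  # 11th failure -> base_delay
            return ("delay", min(self.base_delay * 2.0 ** exponent, self.max_delay))
        return ("none", 0.0)

    def record_success(self, ip, username):
        """A correct login clears the counter for that key."""
        self._records.pop(self._key(ip, username), None)


class FakeClock:
    """Constructed clock so the demonstration is deterministic (assumption)."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(attempts, per_user=False):
    """Feed (ip, username, password_ok) attempts, one second apart, to a guard.

    Returns one (action, seconds) per attempt: banned clients are refused
    before passdb is consulted; otherwise the result is cleared or counted.
    """
    clock = FakeClock()
    guard = BruteForceGuard(per_user=per_user, clock=clock)
    outcomes = []
    for ip, username, password_ok in attempts:
        remaining = guard.ban_remaining(ip, username)
        if remaining > 0.0:
            outcomes.append(("banned", remaining))
        elif password_ok:
            guard.record_success(ip, username)
            outcomes.append(("ok", 0.0))
        else:
            outcomes.append(guard.record_failure(ip, username))
        clock.advance(1.0)
    return outcomes


# Constructed sample: a bot behind 203.0.113.7 makes 20 wrong guesses for the
# account "joao"; then another user behind the same NAT address logs in correctly.
SAMPLE_ATTEMPTS = [("203.0.113.7", "joao", False)] * 20 + [("203.0.113.7", "maria", True)]


def demo(per_user):
    return simulate(SAMPLE_ATTEMPTS, per_user=per_user)


if __name__ == "__main__":
    for per_user in (False, True):
        print("per_user=%s:" % per_user)
        for attempt, outcome in zip(SAMPLE_ATTEMPTS, demo(per_user)):
            print("  %-12s %-6s -> %s %.1f" % (attempt[0], attempt[1], *outcome))
```

Running `demo(False)` shows the trade-off the message raises: with a per-IP key the 21st attempt, a correct login by "maria" behind the same NAT, is refused for the rest of the ban, while `demo(True)` lets her in. The per-IP/username key has its own hole: a bot that rotates usernames from one address never exceeds N for any single key, so a deployment would track both keys. Two further caveats for anyone building this: clearing on success (`record_success`) in per-IP mode lets an attacker who holds one valid account reset the counter, so clearing only the per-user key is safer; and stale records are only evicted when their key is touched, so a real service needs a periodic sweep, and the delay must be applied asynchronously on the failure path rather than by sleeping in a login worker, or the mitigation itself becomes a denial-of-service lever.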