Is there a way, or can a way be added, to add an "auth_failed_delay=10s" style option that would put in an artificial delay after a failed password attempt?
As it stands now, Dovecot seems highly vulnerable to widescale brute-force password dictionary scans.
Even if it's not configurable, can a delay be hardcoded to something like, say, 10 or 15 seconds?
-- Dean Brooks dean@iglou.com
I recently installed an application called Fail2Ban (http://www.fail2ban.org), which scans log files and filters out failed login attempts. If a configurable number of failed attempts from the same IP is found, the IP is blocked out via iptables or hosts.deny for some time (default 10 minutes). Works pretty well for SSH, though I'm still waiting for the first attempt on my IMAP or SMTP ports ;-)
So instead of letting a brute force attack continue at a slower pace, Fail2Ban locks out the attacking system for some time, while a legitimate user can mistype his password at least once or twice without penalty. If he continues to mistype his password, he probably deserves to wait ;-)
If anyone wants to try it, a working fail2ban-regex for dovecot 1.05 and mysql is:

    failregex = Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
                Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
Frank
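As an added example (not part of Frank's post, nor fail2ban's own code), the two failregex lines above applied to constructed dovecot log lines the way fail2ban's filter would, counting failures per source host against a maxretry threshold. The `<HOST>` substitution and the sample log lines are assumptions; fail2ban's findtime window is left out.

```python
import re
from collections import defaultdict

# The two failregex lines from the post (dovecot 1.05 + MySQL auth).
FAILREGEX = [
    r"Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch",
    r"Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
]

# Assumption: fail2ban replaces <HOST> with a capture group for the client
# address; a simplified IPv4/hostname pattern is used here.
HOST_PATTERN = r"(?P<host>[\w\-.]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in FAILREGEX]


def failed_hosts(lines):
    """Return the source host of every log line matching one of the failregex."""
    hosts = []
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(lines, maxretry=3):
    """Hosts that reached `maxretry` failures, i.e. what fail2ban would hand to iptables."""
    counts = defaultdict(int)
    for host in failed_hosts(lines):
        counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample log lines (not real traffic); the last one is a successful
# login and must not count as a failure.
SAMPLE_LOG = [
    "Jan 10 12:00:01 mail dovecot: Info: auth-worker(default): sql(alice,192.0.2.10): Password mismatch",
    "Jan 10 12:00:03 mail dovecot: Info: auth-worker(default): sql(alice,192.0.2.10): Password mismatch",
    "Jan 10 12:00:05 mail dovecot: Info: auth-worker(default): sql(nobody,192.0.2.10): unknown user",
    "Jan 10 12:00:07 mail dovecot: Info: auth-worker(default): sql(bob,198.51.100.7): Password mismatch",
    "Jan 10 12:00:09 mail dovecot: Info: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7",
]

if __name__ == "__main__":
    print("failures:", failed_hosts(SAMPLE_LOG))
    print("ban:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

With maxretry=3 only 192.0.2.10 is banned; bob's single typo from 198.51.100.7 goes unpunished, which is the behaviour Frank describes.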