On 9/2/2013 8:59 PM, other@ahhyes.net wrote:
Hi Guys,
I was really hoping a couple of years later this would be addressed... I'm running Dovecot 2.2.5 on FreeBSD.
Is there any way to limit the number of auth attempts allowed in a single session? The reason for this is that I have "fail2ban" set up to firewall out any IP addresses that repeatedly fail auth. The issue occurs when the connection is already in an "established" state and the attacker uses the existing session to hammer away; fail2ban becomes ineffective, as Dovecot appears to allow the person to attempt authentication ad infinitum.
It would be nice if there was a config option that would, for example, cause the software to close the connection after X failed attempts. I use "pf" as the firewall on FreeBSD.
The secret is the "pfctl -k IP" command to drop state for the offending IP. Just add it to your fail2ban action command:

    action = /sbin/pfctl {whatever you have now} && /sbin/pfctl -k <ip>
A nice writeup of fail2ban and pf can be found here: http://www.effu.se/2011/03/Integrating-PF-with-Fail2ban-0.9
-- Noel Jones
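As an added illustration of the reply above (not part of the thread, and not fail2ban's shipped pf action), here is a complete fail2ban action definition that does both steps: add the address to a pf table and kill its existing state entries. It assumes a table named `fail2ban`, `pfctl` at `/sbin/pfctl`, and that `/etc/pf.conf` already declares `table <fail2ban> persist` plus a rule such as `block in quick from <fail2ban>`.

```ini
# Added example: /usr/local/etc/fail2ban/action.d/pf-killstate.conf (assumed path)
# Assumes /etc/pf.conf contains:
#   table <fail2ban> persist
#   block in quick from <fail2ban>
# Tags: <ip> is supplied by fail2ban; <table> comes from the [Init] section below.

[Definition]
# Nothing to create at start: the table is declared persistently in pf.conf.
# Flushing on stop removes bans the jail added, without touching other tables.
actionstart =
actionstop  = /sbin/pfctl -t <table> -T flush

# If the table is missing, return non-zero so fail2ban logs the problem.
actioncheck = /sbin/pfctl -t <table> -T show >/dev/null 2>&1

# Ban: add the address to the table (blocks new connections via the pf.conf rule),
# then kill every state entry whose source address is <ip>. The second command is
# what tears down the already-established session that keeps retrying auth.
actionban   = /sbin/pfctl -t <table> -T add <ip> && /sbin/pfctl -k <ip>

# Unban: remove the address again once bantime has elapsed.
actionunban = /sbin/pfctl -t <table> -T delete <ip>

[Init]
# Name of the pf table used above; must match the table declared in pf.conf.
table = fail2ban
```

Reference the action from the Dovecot jail (`action = pf-killstate`) and confirm a ban with `pfctl -t fail2ban -T show` and `pfctl -ss | grep <ip>`; after the ban the state listing for that address should be empty.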