On Fri, 2009-06-26 at 02:01 -0700, V S Rao wrote:
> > Timo wrote: You can also just decrease login_process_max_count
>
> Wouldn't decreasing the login_process_max_count simply create more problems? Now users will start experiencing timeouts sooner than before, because whatever is causing the login processes to increase (attack, rogue process or whatever) will *always* be trying to log in and genuine users will be denied login. So without knowing the root cause of the issue, simply decreasing or increasing the login_process_max_count will lead to other problems. Correct me if I am wrong.
Depends on the attacker. Dovecot will always drop the oldest connection. So if the attacker is authenticating multiple times in a single session, it's pretty much always the oldest connection that gets killed first. If the attacker logs in once and then disconnects, I think Dovecot still kills those processes sooner than others, because they're waiting a couple of seconds for "authentication failed".
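The drop-the-oldest behaviour discussed in this exchange, as a toy model added here for illustration (not Dovecot code and not part of the original message). The tick lengths, arrival pattern and the name `simulate` are assumptions; the model only shows how the size of the cap relates to how long a genuine login takes.

```python
from collections import OrderedDict

def simulate(max_count, user_hold, ticks=20, attacker_hold=100):
    """Toy model of a capped pool of pre-login connections.

    One long-lived "attacker" connection arrives every tick; one genuine
    "user" connection arrives every fifth tick and needs user_hold ticks
    to finish logging in. Returns how many connections of each kind were
    dropped before they finished. All numbers are constructed.
    """
    pool = OrderedDict()  # conn_id -> (kind, finish_tick), oldest first
    evicted = {"attacker": 0, "user": 0}

    def connect(conn_id, kind, now, hold):
        # Connections that finished logging in leave the pool on their own.
        for cid in [c for c, (_, fin) in pool.items() if fin <= now]:
            del pool[cid]
        # Pool is at the cap: drop the oldest connection to make room.
        if len(pool) >= max_count:
            _, (old_kind, _) = pool.popitem(last=False)
            evicted[old_kind] += 1
        pool[conn_id] = (kind, now + hold)

    for t in range(ticks):
        connect(f"A{t}", "attacker", t, attacker_hold)
        if t % 5 == 2:
            connect(f"U{t}", "user", t, user_hold)
    return evicted

if __name__ == "__main__":
    # Fast genuine logins survive even a small cap.
    print("cap=4,  login takes 1 tick:  ", simulate(4, 1))
    # Slow genuine logins become "the oldest" and get dropped.
    print("cap=4,  login takes 10 ticks:", simulate(4, 10))
    # A cap larger than the arrivals during one login protects them again.
    print("cap=16, login takes 10 ticks:", simulate(16, 10))
```

In this model a genuine login is dropped only when at least `max_count` newer connections arrive before it completes, so the cap has to be judged against login latency rather than in isolation.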