On Tue, Jan 01, 2008 at 11:22:31PM +0200, Timo Sirainen wrote:
> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> > Is there a way, or can a way be added, to add an "auth_failed_delay=10s" style option that would put in an artificial delay after a failed password attempt?
> > As it stands now, Dovecot seems highly vulnerable to widescale brute-force password dictionary scans.
> > Even if it's not configurable, can a delay be hardcoded to something like, say, 10 or 15 seconds?
>
> Failed auth requests are put to a queue that's flushed every 2 seconds. So there is already a delay. I don't think it's a good idea to increase it up from 2 seconds, it just gets annoying when you type the wrong password accidentally.
I think the majority of Dovecot users would propose that 2 seconds is much too short, and that the annoyance of an occasional rare wrong password is of little concern given the high number of dictionary attacks occurring nowadays.
This *really* needs to be configurable. For our site, I would probably set the delay to 15 seconds. Others might want it at the very low 2 seconds like you suggest.
I suppose I could spend the development time to do this and then post my patch on the Wiki for everyone who needs it, but it seems like this would be better done in the official sources instead of requiring everyone to download a one-off patch.
--
Dean Brooks
dean@iglou.com
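To make the trade-off in this thread concrete, here is an added model (not Dovecot's code, and not part of the email above) of the mechanism Timo describes: failed-auth replies are parked and released only at the next flush tick, and the tick interval stands in for the proposed `auth_failed_delay` knob. It assumes ticks at multiples of the interval and that a failure landing exactly on a tick waits for the following one; both are modelling choices, not Dovecot behaviour.

```python
import math


class FailedAuthQueue:
    """Failed logins are not answered immediately: the reply is parked and
    released at the next flush tick, every `flush_interval` seconds."""

    def __init__(self, flush_interval=2.0):
        if flush_interval <= 0:
            raise ValueError("flush interval must be positive")
        self.flush_interval = flush_interval

    def release_time(self, failed_at):
        # Assumption: ticks at 0, iv, 2*iv, ...; a failure is released at the
        # first tick strictly after it, so the wait lies in (0, iv].
        iv = self.flush_interval
        return (math.floor(failed_at / iv) + 1) * iv

    def wait(self, failed_at):
        """Seconds a client waits for its 'authentication failed' reply."""
        return self.release_time(failed_at) - failed_at


def sequential_guesses(flush_interval, window, reconnect=0.0):
    """Guesses one connection can make in `window` seconds when every
    guess is wrong and the next one is sent as soon as the reply arrives.
    `reconnect` adds a fixed per-attempt cost (0 = attacker reuses the
    session instantly, the worst case for the defender)."""
    q = FailedAuthQueue(flush_interval)
    now, attempts = 0.0, 0
    while now < window:
        attempts += 1
        now = q.release_time(now) + reconnect
    return attempts


def compare_delays(intervals, window=3600):
    """Guesses per `window` for each candidate delay, e.g. the 2 s default
    versus the 15 s Dean proposes for his site."""
    return {iv: sequential_guesses(iv, window) for iv in intervals}


if __name__ == "__main__":
    # Interactive user mistyping at t=0.3: waits 1.7 s with the default.
    print("user wait:", FailedAuthQueue(2.0).wait(0.3))
    for iv, n in compare_delays([2.0, 10.0, 15.0]).items():
        print(f"delay {iv:>4}s -> {n:>5} wrong guesses per hour per connection")
```

The per-connection figures show why the thread treats the interval as a policy decision: the same number is the cost of one typo for a legitimate user and the ceiling on sequential guessing for an attacker.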