On Thu, 20 Dec 2007, Peter Hessler wrote:
On 2007 Dec 20 (Thu) at 15:51:02 -0500 (-0500), Benjamin R. Haskell wrote:
On Thu, 20 Dec 2007, Ben Cadieux wrote:
Hi Everyone,
Before I begin, I'd just like to mention: I love dovecot. Thank you :)
Anyway, today I had 8000 login attempts to my dovecot server in an hour before blocking the IP with my firewall.
After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.
Would it not be best built into dovecot? [...]
I'd vote "no", with the caveat that I don't use any of these tools.
Parsing logfiles might make it more brittle, but it also allows the tool to protect many services in a generic way. I don't want to have to protect against DoS or dictionary attacks for Apache, VSFTP, dovecot, sshd, PostgreSQL, and whatever else in different config files. It'd be best to handle that one layer up. Doing it outside of dovecot even allows correlations to be made (e.g. ban sooner if the same IP is trying to break both SSH and FTP). Don't know if the tools *do* this, but still.
That's my 2¢, Ben Haskell
Except for the part where they stay connected forever, and keep retrying logins. One TCP connection, so nothing for the network level to look for.
I thought you had me, there. But it's not at the "network" level, per se; it's "one level up" conceptually, not necessarily up in the standard 7 layers.
The tools parse logfiles. dovecot and (I think) the others I mentioned log an auth error after each failed attempt.
Best, Ben
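As an added illustration of the two points made in this thread (a log-parsing watcher one layer up that correlates failures across services, and the fact that a client holding one TCP connection open and retrying still produces one auth-failure log line per attempt), here is a small Python log watcher. It is example code written for this page, not code from the thread, from dovecot, or from fail2ban or blocksshd. Everything in it is an assumption: the sample syslog lines are constructed, the message wording is modelled on dovecot 1.x PAM auth failures, OpenSSH and vsftpd but will differ between versions (adapt the regexes to your own logs), the thresholds and 10-minute window are arbitrary, and the year 2007 is supplied only because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Formats are assumptions modelled on
# dovecot 1.x, OpenSSH and vsftpd; real wording varies by version.
# 203.0.113.7  : two dovecot failures plus one sshd failure -> cross-service ban
# 198.51.100.9 : five dovecot failures, all from the same client IP on what may
#                be a single persistent IMAP connection; each failed attempt is
#                still its own log line, so the tally is unaffected
# 192.0.2.44   : two sshd failures, then a vsftpd failure 25 minutes later, which
#                falls outside the 10-minute window -> no ban
SAMPLE_LOG = """\
Dec 20 15:00:01 mail dovecot: auth(default): pam(alice,203.0.113.7): pam_authenticate() failed: Authentication failure
Dec 20 15:00:02 mail dovecot: auth(default): pam(bob,203.0.113.7): pam_authenticate() failed: Authentication failure
Dec 20 15:00:03 mail sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec 20 15:01:00 mail dovecot: auth(default): pam(carol,198.51.100.9): pam_authenticate() failed: Authentication failure
Dec 20 15:01:10 mail dovecot: auth(default): pam(carol,198.51.100.9): pam_authenticate() failed: Authentication failure
Dec 20 15:01:20 mail dovecot: auth(default): pam(carol,198.51.100.9): pam_authenticate() failed: Authentication failure
Dec 20 15:01:30 mail dovecot: auth(default): pam(carol,198.51.100.9): pam_authenticate() failed: Authentication failure
Dec 20 15:01:40 mail dovecot: auth(default): pam(carol,198.51.100.9): pam_authenticate() failed: Authentication failure
Dec 20 15:05:00 mail sshd[4088]: Failed password for root from 192.0.2.44 port 51000 ssh2
Dec 20 15:05:30 mail sshd[4090]: Failed password for root from 192.0.2.44 port 51002 ssh2
Dec 20 15:30:00 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=192.0.2.44
"""

# One regex per service, each capturing the client IP as a named group "ip".
LOG_PATTERNS = {
    "dovecot": re.compile(r"dovecot: auth\(\w+\): \w+\([^,]*,(?P<ip>[0-9.]+)\): .*failed"),
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9.]+)"),
    "vsftpd": re.compile(r"vsftpd: .*authentication failure;.*rhost=(?P<ip>[0-9.]+)"),
}
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2007):
    """Return (timestamp, service, ip) for a recognised auth failure, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for service, pattern in LOG_PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, service, hit.group("ip")
    return None


def find_bans(log_text, window_seconds=600, per_service=5, cross_service=3, year=2007):
    """Replay log lines in order and decide which client IPs to ban.

    Failures are keyed by client IP, not by connection, so a single
    long-lived connection that retries is counted attempt by attempt.
    A ban fires on `per_service` failures against one service, or sooner
    on `cross_service` failures spread over two or more services
    (the correlation described in the thread). Returns {ip: reason}.
    """
    events = defaultdict(deque)  # ip -> deque of (timestamp, service)
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, service, ip = parsed
        if ip in bans:
            continue
        window = events[ip]
        window.append((ts, service))
        cutoff = ts - timedelta(seconds=window_seconds)
        while window and window[0][0] < cutoff:  # drop events older than the window
            window.popleft()
        by_service = defaultdict(int)
        for _, svc in window:
            by_service[svc] += 1
        if len(by_service) >= 2 and len(window) >= cross_service:
            bans[ip] = f"{len(window)} failures across {sorted(by_service)} within {window_seconds}s"
        elif max(by_service.values()) >= per_service:
            worst = max(by_service, key=by_service.get)
            bans[ip] = f"{by_service[worst]} {worst} failures within {window_seconds}s"
    return bans


if __name__ == "__main__":
    for ip, reason in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

The watcher only sees what the services log, so its accuracy is bounded by their logging: if a daemon reports failures only at disconnect, a client that never disconnects would be invisible to it, which is exactly why the per-attempt log line matters. Lines must be fed in chronological order, and a real deployment would tail the file, honour the window by wall clock rather than by log timestamps, and expire bans.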