On Tue, 1 Jan 2008, Frank Kintrup wrote:
> > Is there a way, or can a way be added, to add an "auth_failed_delay=10s" style option that would put in an artificial delay after a failed password attempt?
> > As it stands now, Dovecot seems highly vulnerable to widescale brute-force password dictionary scans.
> > Even if it's not configurable, can a delay be hardcoded to something like, say, 10 or 15 seconds?
> > -- Dean Brooks dean@iglou.com
> I recently installed an application called Fail2Ban (http://www.fail2ban.org), which scans log files and filters out failed login attempts. If a configurable number of failed attempts from the same IP is found, the IP is blocked out via iptables or hosts.deny for some time (default 10 minutes). Works pretty well for SSH, though I'm still waiting for the first attempt on my IMAP or SMTP ports ;-)
Oops, you beat me to it! (-:
Cheers....
Maybe you should write this up on the Dovecot wiki!
-- Asheesh.
-- Most people have a mind that's open by appointment only.
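The counting rule Frank describes (a configurable number of failed logins from one IP within a time window, then a temporary block) as a stand-alone illustration; this is added example code, not Fail2Ban's own code and not from anyone in the thread. The log lines, hostnames and IP addresses are constructed in a Dovecot-like syslog format, and the parameter names mirror Fail2Ban's maxretry/findtime/bantime options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a Dovecot-like syslog format (not real log data).
SAMPLE_LOG = """\
Jan  1 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Jan  1 10:00:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Jan  1 10:00:04 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Jan  1 10:00:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Jan  1 10:00:06 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Jan  1 10:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Jan  1 10:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
"""

# Matches only failed-auth lines; captures the syslog timestamp and the remote IP (rip=).
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*auth failed.*rip=([\d.]+)")


def parse_ts(stamp, year=2008):
    # Syslog timestamps carry no year, so one is supplied (assumed 2008 for the sample).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=600, bantime=600, year=2008):
    """Return [(ip, ban_start)] for every IP that reached maxretry failures
    within findtime seconds; failures arriving while an IP is banned are
    ignored, as they would be once the firewall drops that address."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> datetime when the block expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1), year), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, started in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {started} for 10 minutes")
```

With the defaults, 203.0.113.5 is banned at its third failure (10:00:05) and its later attempt is ignored, while 198.51.100.7's two failures 10 minutes apart never reach the threshold.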