I'm in the process of rolling out new setups with dovecot on CentOS 5.2 and I notice that dovecot doesn't handle the brute-force attacks too nice. I reduced the limit a bit to some reasonable looking value: login_max_processes_count = 32 to stop them earlier and the number of processes stops at that figure when an attack happens. However, it stays at this count for hours although the attack is already over since long. For instance, my monitoring alerts me at the moment when the process count for pop3-login goes over 20 processes. This happened on three machines at 2 am with a brute-force attack from the same source that didn't last longer than a minute or so. However, the process count dropped only at 7am under 20 on two machines and on the third machine it was still over 20 when I was in the office at 9 am and finally killed them. As these machines are all not in production yet, there weren't any other logins and the single brute-force ended within one minute according to the logs (obviously when pop3-logins hit the limit). Shouldn't these processes go down to login_processes_count (3) within a few minutes? An strace shows that they are mostly doing gettimeofday lookups (=sleeping). This is the default dovecot (1.07) coming with CentOS 5.2. I've been running only one other instance of dovecot in production (0.99.11) on CentOS 4.6 so far and I don't know which behavior that displayed in the past as I just recognize that I accidentally ommitted it from monitoring. :-(
I had this mailing list searched for "brute-force" to see how others handle this and what dovecot provides to stop these attacks. I have found not many threads about this. There is one with a bit more information: "Delay on failed pw attempts" from January 1. Unfortunately, this functionality is only in a later version of dovecot and it's not clear if it was implemented or not or if it would be helpful. Was it implemented?
This thread also mentions fail2ban which may be one way to go, although I don't like this log parsing approach too much. Does anyone use iptables for rate-limiting per IP on the pop/imap ports to prevent brute-force attacks?
Kai
-- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com