Bryan Bradsby wrote:
> Anyway, today I had 8000 login attempts to my dovecot server in an hour before blocking the IP with my firewall.
> After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and also fail2ban. While a script that parses logfiles will work, I'm not sure that this is the best way to go about handling repeated authentication failure.
I wrote blocksshd and had intended to extend it to do Dovecot but decided it was the wrong approach. I think the log parsing approach works quite well for SSH/FTP and similar simple applications. But for other applications with more complex logic and potentially a wider variety of threats then this function is probably better performed by the application itself.
Hence I'd suggest that a 'limits' plug-in or some form of configurable authentication governor in dovecot would be a better approach to counter these sorts of attacks.
Regards
James Turnbull
P.S. Even for SSH/FTP sometimes a simple iptables tweak can also solve a lot of your problems - depends on how granular you want your approach to be.
James Turnbull (james@lovedthanlost.net)
Author of:
- Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
- Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
- Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
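
An added sketch (not part of the original message, and not Dovecot code) of the kind of in-application authentication governor suggested above. The class name, thresholds and event tuples are assumptions; the point it shows is that the application sees the username as well as the source address, so it can limit failures per account as well as per IP.

```python
from collections import defaultdict, deque

class AuthGovernor:
    """Sliding-window failure limiter keyed by client IP and by username."""
    def __init__(self, max_failures=3, window=60.0, lockout=300.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> recent failure times
        self.blocked_until = {}             # key -> time the block ends

    def allowed(self, ip, user, now):
        """Call before checking the password; False means refuse."""
        return all(now >= self.blocked_until.get(k, 0.0)
                   for k in (("ip", ip), ("user", user)))

    def record_failure(self, ip, user, now):
        for key in (("ip", ip), ("user", user)):
            q = self.failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:  # drop failures outside window
                q.popleft()
            if len(q) >= self.max_failures:
                self.blocked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, user):
        # Clear only the account counter; clearing the IP counter would let
        # a client holding one valid login reset its own limit.
        self.failures.pop(("user", user), None)

def replay(events, governor):
    """Feed (time, ip, user, password_ok) tuples; return a decision for each."""
    decisions = []
    for now, ip, user, ok in events:
        if not governor.allowed(ip, user, now):
            decisions.append("refused")
        elif ok:
            governor.record_success(user)
            decisions.append("accepted")
        else:
            governor.record_failure(ip, user, now)
            decisions.append("failed")
    return decisions

# Constructed sample: one source guessing many accounts, then many sources
# guessing one account (documentation-range addresses).
SAMPLE = [(0, "192.0.2.10", "alice", False), (1, "192.0.2.10", "bob", False),
          (2, "192.0.2.10", "carol", False), (3, "192.0.2.10", "alice", True),
          (400, "203.0.113.1", "dave", False), (401, "203.0.113.2", "dave", False),
          (402, "203.0.113.3", "dave", False), (403, "203.0.113.4", "dave", True)]
```

On the constructed sample, `replay(SAMPLE, AuthGovernor())` refuses the fourth attempt because its source IP tripped the limit, and the last because the account did, although each failed attempt against that account came from a different address. Blocking on the username also refuses the account's owner for the lockout period.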