On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
> Hello,
> is it possible to limit the number of pop3 (or imap) login attempts
> from one IP with dovecot to stop attackers? We recently had an attack
> from one IP-address lasting 50 minutes that tried 50000 pop3-logins
> with guessed users and passwords. I know about Fail2Ban but really
> would prefer an easy-to-configure solution inside of dovecot. Dovecot
> has this anvil daemon, can it be used for that purpose?
>
> We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of
> the configuration looks like this:

With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).
Hmm. Maybe instead of simply increasing the failure delay, the IP could be disconnected immediately?