Friday, June 10, 2011, 4:22:26 AM, Jürgen wrote:
Hello,
is it possible to limit the number of pop3 (or imap) login attempts
from one IP with dovecot to stop attackers? We recently had an attack
from one IP-address lasting 50 minutes that tried 50000 pop3-logins
with guessed users and passwords. I know about Fail2Ban but really
would prefer an easy to configure solution inside of dovecot. Dovecot
has this anvil daemon, can it be used for that purpose?
We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of
the configuration looking like that:
service pop3-login {
  chroot = login
  client_limit = 0
  drop_priv_before_exec = no
  executable = pop3-login
  extra_groups =
  group =
  idle_kill = 0
  inet_listener pop3 {
    address =
    port = 110
    ssl = no
  }
  inet_listener pop3s {
    address =
    port = 995
    ssl = yes
  }
  privileged_group =
  process_limit = 0
  process_min_avail = 0
  protocol = pop3
  service_count = 1
  type = login
  user = $default_login_user
  vsz_limit = 64 M
}

You can thwart (to some degree) failed login attempts by increasing auth_failure_delay. I currently have the parameter set at 5 seconds. Its default is 2 seconds.
I also have set auth_verbose = yes and auth_verbose_passwords = sha1 and have a cron job set up to search the logs for the day before using:
bzegrep -i 'password.mismatch' /var/log/maillog.0.bz2
I get an email message showing the failed login attempts from the previous day.
Someone else suggested using fail2ban which is good. I have sshguard set up myself.
--
Best regards,
Duane
mailto:duane@duanemail.org
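
Added example, not part of the message above: a per-IP summary of the same "password mismatch" lines the daily cron job greps for, so an address making thousands of guesses stands out from ordinary typos. The log line shape (passdb(user,ip): Password mismatch), the function names, the threshold of 20 and the sample lines are assumptions made for this example.

```python
import bz2
import re
import sys
from collections import Counter

# Assumed auth_verbose line shape: "<passdb>(<user>,<ip>[,<session>]): Password mismatch ..."
# Uses the same case-insensitive 'password.mismatch' pattern as the bzegrep command.
MISMATCH = re.compile(
    r"\((?P<user>[^,()]*),(?P<ip>[0-9a-f.:]+)(?:,[^)]*)?\):.*password.mismatch",
    re.IGNORECASE,
)

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    "Jun  9 03:10:01 mail dovecot: auth: pam(alice,203.0.113.7): Password mismatch (SHA1 of given password: 0a1b2c)",
    "Jun  9 03:10:03 mail dovecot: auth: pam(bob,203.0.113.7): Password mismatch (SHA1 of given password: 3d4e5f)",
    "Jun  9 03:10:05 mail dovecot: auth: pam(carol,203.0.113.7): password mismatch",
    "Jun  9 08:15:42 mail dovecot: auth: pam(dave,198.51.100.20): Password mismatch (SHA1 of given password: 6a7b8c)",
    "Jun  9 08:16:00 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1",
]


def open_log(path):
    """Open a plain or bzip2-rotated log file as text."""
    if path.endswith(".bz2"):
        return bz2.open(path, "rt", errors="replace")
    return open(path, "r", errors="replace")


def summarize(lines, threshold=20):
    """Return [(ip, failures, distinct_users)] for IPs at or above threshold, busiest first."""
    failures = Counter()
    users = {}
    for line in lines:
        m = MISMATCH.search(line)
        if m is None:
            continue  # successful logins and unrelated lines are ignored
        failures[m["ip"]] += 1
        users.setdefault(m["ip"], set()).add(m["user"].lower())
    return [(ip, n, len(users[ip])) for ip, n in failures.most_common() if n >= threshold]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /var/log/maillog.0.bz2
        with open_log(sys.argv[1]) as fh:
            rows = summarize(fh)
    else:
        rows = summarize(SAMPLE, threshold=3)
    for ip, n, nusers in rows:
        print(f"{ip}\t{n} failed logins\t{nusers} distinct users")
```

Many failures spread over many distinct users from one address points to guessing; a handful against a single user is more likely a mistyped or stale password.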