[Dovecot] Configure unsuccessful login attempts
Hi, using PAM, how can I configure how many attempts a user can make to connect, and if exceeding a certain number, block him for a specified amount of time?
Any idea what the defaults are?
On 06/03/2010 12:55 PM Greg Pearson wrote:
> Hi, using PAM, how can I configure how many attempts a user can make to connect, and if exceeding a certain number, block him for a specified amount of time?
> Any idea what the defaults are?
You could use fail2ban, see also: http://wiki.dovecot.org/HowTo/Fail2Ban
Regards, Pascal
The trapper recommends today: f007ba11.1015412@localdomain.org
> You could use fail2ban, see also: http://wiki.dovecot.org/HowTo/Fail2Ban
So I guess the result would be the login process becoming unresponsive, right? I am not sure this would be what I want. The desired behaviour for me would be to reject the connection even if the password becomes correct after several failures. I realise this would not help under DoS scenarios (which I think fail2ban is targeting). I will give it a try, of course, but I was wondering if another approach is possible. Generally speaking, it would be really nice if Dovecot itself had such options.
On 6/3/2010 7:13 AM, Greg Pearson wrote:
> You could use fail2ban, see also: http://wiki.dovecot.org/HowTo/Fail2Ban
> So I guess the result would be the login process becoming unresponsive, right? I am not sure this would be what I want. The desired behaviour for me would be to reject the connection even if the password becomes correct after several failures. I realise this would not help under DoS scenarios (which I think fail2ban is targeting). I will give it a try, of course, but I was wondering if another approach is possible. Generally speaking, it would be really nice if Dovecot itself had such options.
You don't have to use iptables to block it with fail2ban. You can have fail2ban change the entry in your MySQL table, if you have an "active" field in the table for each user, to not active and, when the ban period you set is up, fail2ban can change the active field back to active.
This should cause the mail client to say "your account is either locked or not active".
E-mail me if you want help with this.
Jerrale
On 06/03/2010 01:55 PM, Greg Pearson wrote:
> using PAM, how can I configure how many attempts a user can make to connect, and if exceeding a certain number, block him for a specified amount of time?
man 8 pam_tally
man 8 pam_tally2
> Any idea what the defaults are?
Default is not to block
-- Eray
On 6/3/2010 6:55 AM, Greg Pearson wrote:
> Hi, using PAM, how can I configure how many attempts a user can make to connect, and if exceeding a certain number, block him for a specified amount of time?
> Any idea what the defaults are?
If PAM makes a log entry, then fail2ban will do whatever you want. Search "fail2ban pam" on Google after installing fail2ban. Fail2ban requires Python 2.4 or greater, which your system should already have.
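The behaviour the thread is after (count a user's failures from the auth log, and once the threshold is hit refuse further logins for a fixed period even if the password is then correct, in the spirit of pam_tally2's deny/unlock_time) as an added illustration that is not part of this thread or of Dovecot/fail2ban. The log lines, user names and addresses are constructed, the year is assumed because syslog lines carry none, and the line format only approximates Dovecot's.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of syslog-style Dovecot auth lines (user names and addresses are
# made up); the fourth line is a correct password arriving while alice is still locked.
SAMPLE_LOG = """\
Jun  3 12:55:01 mail dovecot: auth: pam(alice,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Jun  3 12:55:07 mail dovecot: auth: pam(alice,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Jun  3 12:55:12 mail dovecot: auth: pam(alice,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Jun  3 12:56:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
Jun  3 12:56:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20
Jun  3 13:10:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
"""
TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*"
FAIL_RE = re.compile(TS + r"pam\((?P<user>[^,]+),(?P<ip>[^)]+)\): pam_authenticate\(\) failed")
OK_RE = re.compile(TS + r"-login: Login: user=<(?P<user>[^>]+)>.*rip=(?P<ip>\S+)")

class Lockout:
    """pam_tally2-style policy (approximation): `deny` consecutive failures lock the
    user for `unlock_time` seconds; attempts during the lock are rejected even with
    the right password, and a success outside the lock clears the counter."""
    def __init__(self, deny=3, unlock_time=600):
        self.deny, self.unlock = deny, timedelta(seconds=unlock_time)
        self.fails, self.locked_until = {}, {}
    def decide(self, user, ok, ts):
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "reject-locked"          # lock still active, password irrelevant
        if ok:
            self.fails[user] = 0
            return "allow"
        self.fails[user] = self.fails.get(user, 0) + 1
        if self.fails[user] >= self.deny:   # threshold hit: start the lock period
            self.locked_until[user] = ts + self.unlock
            self.fails[user] = 0
            return "reject-lock-start"
        return "reject-bad-password"

def replay(log_text, deny=3, unlock_time=600, year=2010):
    """Apply the policy to each auth event; returns (user, time, decision) per event."""
    policy, out = Lockout(deny, unlock_time), []
    for line in log_text.splitlines():
        m, ok = FAIL_RE.match(line), False
        if m is None:
            m, ok = OK_RE.match(line), True
        if m is None:
            continue                        # not an auth outcome line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((m["user"], ts.strftime("%H:%M:%S"), policy.decide(m["user"], ok, ts)))
    return out
```

Running `replay(SAMPLE_LOG)` shows alice's third failure starting a 10-minute lock, her correct password at 12:56:00 being rejected, bob unaffected, and alice allowed again at 13:10:00 once the lock has expired.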
Participants (4): Eray Aslan, Greg Pearson, Jerrale Gayle, Pascal Volk