Hi.
Earlier today I was hit with 612 login attempts in 7 minutes. They
ramped up slowly, too. :-)
They quickly hit the file descriptor limit. And then a login server
spawned and died so quickly that dovecot just died.
My question is, is there a way to throttle the number of login
connections? I'm doing it in my firewall now, but it would be nice
to be able to say something like "max-login-attempts: X" before we
blacklist the IP (for some configurable time).
yeah, I know V4.2 :-)
By the way, I *really* appreciate all the effort that's gone into
Dovecot. Great work, everyone.
Sean
On Mon, 2007-03-19 at 19:46 -0700, Sean Kamath wrote:
Earlier today I was hit with 612 login attempts in 7 minutes. They
ramped up slowly, too. :-)
They quickly hit the file descriptor limit. And then a login server
spawned and died so quickly that dovecot just died.
My question is, is there a way to throttle the number of login
connections? I'm doing it in my firewall now, but it would be nice
to be able to say something like "max-login-attempts: X" before we
blacklist the IP (for some configurable time).
I think it's just simpler to configure your system to handle such load. :) Give Dovecot enough file descriptors, or reduce the number of allowed login processes / connections. See http://wiki.dovecot.org/LoginProcess
Or are you using PAM? That could also be the problem since it forks new processes, and authentication cache doesn't work very well with it either.
http://dovecot.org/tools/imaptest.c is a nice tool to try stress testing logins. Use it something like: imaptest user=dummy password=something clients=100 - select=0
Some people want to limit number of connections coming to one user, so this kind of blacklisting feature could be implemented at the same time. Maybe for v2.0 or something..
On Mar 21, 2007, at 11:22 AM, Timo Sirainen wrote:
http://dovecot.org/tools/imaptest.c is a nice tool to try stress
testing logins. Use it something like: imaptest user=dummy password=something clients=100 - select=0
The issue is not to be able to let someone run even more attempts at
logging in faster... :-)
Some people want to limit number of connections coming to one user, so this kind of blacklisting feature could be implemented at the same
time. Maybe for v2.0 or something..
Yeah, I know, and that's fine. What I'm hoping for is something like
"if host X connects 600 times, start telling it to go away for a few
hours". :-)
Sean
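The per-host throttle Sean describes ("if host X connects 600 times, tell it to go away for a few hours"), as an added illustration that is not Dovecot code and does not correspond to any Dovecot setting named in this thread. It is a sliding-window counter in front of the login acceptor; the thresholds and the sample connection records (one host making 612 connections in 7 minutes beside a legitimate client) are constructed for the example.

```python
"""Sliding-window login throttle with temporary per-IP blacklisting.
Added example; not part of Dovecot. Thresholds are assumptions."""
from collections import defaultdict, deque

MAX_ATTEMPTS = 600            # connections allowed per source within WINDOW
WINDOW = 7 * 60               # seconds; the 7-minute burst from the thread
BLACKLIST_SECONDS = 3 * 3600  # "go away for a few hours"


class LoginThrottle:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW,
                 blacklist_seconds=BLACKLIST_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.blacklist_seconds = blacklist_seconds
        self._attempts = defaultdict(deque)  # ip -> timestamps inside window
        self._blacklist = {}                 # ip -> blacklist expiry time

    def allow(self, ip, now):
        """True if a login connection from `ip` at time `now` may proceed."""
        expiry = self._blacklist.get(ip)
        if expiry is not None:
            if now < expiry:
                return False          # blacklisted: reject before any auth work
            del self._blacklist[ip]   # blacklist expired; start with a clean count
            self._attempts[ip].clear()
        q = self._attempts[ip]
        while q and now - q[0] > self.window:
            q.popleft()               # forget attempts older than the window
        q.append(now)
        if len(q) > self.max_attempts:
            self._blacklist[ip] = now + self.blacklist_seconds
            q.clear()                 # no need to keep timestamps once blacklisted
            return False
        return True


def simulate(records, throttle=None):
    """Feed (timestamp, ip) connection records through a throttle.
    Returns (accepted, rejected) counts."""
    throttle = throttle or LoginThrottle()
    accepted = rejected = 0
    for ts, ip in records:
        if throttle.allow(ip, ts):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


# Constructed sample: 612 connections from one host spread over 7 minutes,
# plus a legitimate client (RFC 5737 test address) connecting once a minute.
SAMPLE = sorted([(i * 420 / 612, "192.0.2.10") for i in range(612)]
                + [(m * 60.0, "198.51.100.7") for m in range(8)])
```

With the defaults the attacking host gets its first 600 connections through, is blacklisted on the 601st, and the remaining 11 are refused without touching the login process, while the legitimate client is never affected.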