[Dovecot] catching authentication failures with LDAP backend

Udo Rader listudo at bestsolution.at
Sat Dec 6 19:59:33 EET 2008


Udo Rader wrote:
> Udo Rader wrote:
>> Hi,
>>
>> we have recently been hit by a couple of brute force password attacks 
>> against dovecot. So what I want to do now is to add dovecot to 
>> fail2ban in order to block further attacks.
>>
>> However, I don't seem to be able to find out password verification 
>> failures for our LDAP based user data.
>>
>> The only thing I see are loads of lines like these in the logfiles:
>>
>> -------CUT-------
>> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: 
>> user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
>> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, 
>> method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
>> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, 
>> method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
>> -------CUT-------
>>
>> Googling the web I found that PAM based authentication obviously gives 
>> a matchable error message, but for some reason the ldap backend does 
>> not - or does it?
>>
>> Any pointers highly appreciated :-)
> 
> Solved it myself: changing to "auth_verbose = yes" in 
> dovecot.conf solved it.
> 
> Any reasons why this isn't enabled by default?

And, on a final note, it would be good if authentication failures 
("password mismatch", "unknown user" etc.) got a higher log priority (i.e. 
warn), so that those failures can be filtered more easily.

--
Udo Rader, CTO
http://www.bestsolution.at
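
Added example, not part of the original post and not Dovecot or fail2ban code: a Python sketch that works only from the "Disconnected" lines quoted above (rejoined where the mail client wrapped them) and flags a remote IP that tries several distinct user names within a short window. The thresholds, the function names, the year (the log lines carry none) and the idea of treating such a burst as suspicious are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines as quoted in the post, rejoined where the mail client wrapped them.
SAMPLE_LOG = """\
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
"""

# Matches the login-process disconnect lines shown in the post.
LINE_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \w+: (?:pop3|imap)-login: "
    r"Disconnected: user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+),"
)

def parse(log_text, year=2008):
    """Yield (timestamp, user, rip) per matching line; year is an assumption."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["rip"]

def suspicious_sources(log_text, min_users=3, window=timedelta(minutes=10)):
    """Return {rip: sorted user names} for each source that tried at least
    min_users distinct names inside one sliding time window."""
    by_rip = defaultdict(list)
    for ts, user, rip in parse(log_text):
        by_rip[rip].append((ts, user))
    flagged = {}
    for rip, events in by_rip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[rip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for rip, users in suspicious_sources(SAMPLE_LOG).items():
        print(f"{rip}: {len(users)} distinct users tried: {', '.join(users)}")
```
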


