[Dovecot] Delay on failed pw attempts
Asheesh Laroia
asheesh at asheesh.org
Wed Jan 2 01:51:21 EET 2008
On Tue, 1 Jan 2008, Frank Kintrup wrote:
>> Is there a way, or can a way be added, to add an
>> "auth_failed_delay=10s" style option that would put in an artificial
>> delay after a failed password attempt?
>
>> As it stands now, Dovecot seems highly vulnerable to widescale
>> brute-force password dictionary scans.
>
>> Even if it's not configurable, can a delay be hardcoded to something
>> like, say, 10 or 15 seconds?
>
>> -- Dean Brooks dean at iglou.com
>
> I recently installed an application called Fail2Ban
> (http://www.fail2ban.org), which scans log files and filters out failed
> login attempts. If a configurable number of failed attempts from the
> same IP is found, the IP is blocked out via iptables or hosts.deny for
> some time (default 10 minutes). Works pretty well for SSH, though I'm
> still waiting for the first attempt on my IMAP or SMTP ports ;-)
Oops, you beat me to it! (-:
Cheers....
Maybe you should write this up on the Dovecot wiki!
-- Asheesh.
--
Most people have a mind that's open by appointment only.
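The per-IP counting Frank describes above, as an added example that is not code from the original post or from Fail2Ban itself. It parses constructed Dovecot-style failed-login lines, applies thresholds named after Fail2Ban's maxretry/findtime/bantime settings (values assumed), and emits the iptables rule that would block the offender. The exact log wording and the year used to complete the syslog timestamp are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style Dovecot 1.x writes for IMAP logins
# (assumption: exact wording varies by version and configuration).
# 203.0.113.5 is a dictionary scan across several users; 198.51.100.7 is a
# user who fumbles a password twice, 15 minutes apart.
SAMPLE_LOG = """\
Jan  1 23:50:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan  1 23:50:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan  1 23:50:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan  1 23:50:09 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jan  1 23:50:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jan  1 23:50:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan  1 23:50:18 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan  2 00:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
"""

# Syslog prefix: month, day, time, host, then the Dovecot service and message.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ dovecot: (?P<svc>[\w-]+): (?P<msg>.*)$"
)
# Only lines that record a failed authentication count; rip= is the remote IP.
FAIL_RE = re.compile(r"auth failed.*\brip=(?P<ip>[0-9.]+)")


def parse_failures(lines, year=2008):
    """Yield (timestamp, ip) for every line that records a failed login.

    Syslog timestamps carry no year, so one is supplied (assumed 2008 here).
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m["msg"])
        if not f:
            continue  # successful logins and unrelated messages are ignored
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        yield ts, f["ip"]


def detect_bans(lines, maxretry=5, findtime=600, bantime=600, year=2008):
    """Return [(ip, ban_time)] for IPs with >= maxretry failures in findtime seconds.

    A sliding window per IP is kept; while an IP is banned its further
    failures are ignored (in practice the firewall drops them anyway).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> time the ban expires
    bans = []
    for ts, ip in parse_failures(lines, year):
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue
            del banned_until[ip]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


def ban_commands(bans):
    """Firewall rules for each ban: the plain form of what Fail2Ban's iptables
    action inserts (the real action uses its own chain)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in bans]


if __name__ == "__main__":
    for cmd in ban_commands(detect_bans(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Two caveats a practitioner would want: the counter keys on rip=, so a scanner that stays below maxretry per findtime, or spreads its attempts across many source addresses, never trips it; and the thresholds trade off against locking out a legitimate user who is behind the same NAT as an attacker.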