[Dovecot] Delay on failed pw attempts
Gabriel Millerd
gmillerd at gmail.com
Wed Jan 2 11:06:56 EET 2008
On Jan 2, 2008 2:33 AM, Benjamin R. Haskell <dovecot at benizi.com> wrote:
> I fell in the 'use another tool' (fail2ban or similar) camp the last time,
> but this thread made me wonder:
>
> Does fail2ban allow you to tarpit, rather than outright-ban, IPs? I've
> always thought tarpitting the better option of the two. Seems sneakier
> (Fight back without the attacker necessarily knowing you're fighting).
>
fail2ban is just a log processor that is keyed to a netfilter-like
method, but modifying it to
"touch /var/tmp/.dovecotFailedAuth/$REMOTE_IP"
and then wrap the pop3/imap login_executable process with a lookup to
do this sort of tarpitting with
test -f /var/tmp/.dovecotFailedAuth/$REMOTE_IP && sleep 10
The variable names escape me and the wiki wasn't immediately helpful
to my tired eyes; I just couldn't find the wrapper example. If the
need is great I could write a working Perl script to do both ends and
work with memcache or something if you have multiple servers.
--
Gabriel Millerd
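
The marker-file tarpit sketched in the message above, written out as an added example; it is not code from the original post, from Dovecot or from fail2ban. MARK_DIR, TARPIT_SECS, MARK_TTL_MIN, the function names and the REMOTE_IP variable are assumptions, both sides are assumed to run as the same user, and the example goes beyond the post by validating the address before it becomes part of a path and by expiring old markers.

```shell
#!/bin/sh
# Marker-file tarpit. MARK_DIR, TARPIT_SECS, MARK_TTL_MIN and the function
# names are assumptions made for this example, not Dovecot or fail2ban settings.
MARK_DIR="${MARK_DIR:-/var/tmp/.dovecotFailedAuth}"
TARPIT_SECS="${TARPIT_SECS:-10}"
MARK_TTL_MIN="${MARK_TTL_MIN:-15}"

# Accept only dotted-quad IPv4, so a value such as "../../etc/passwd" can
# never end up inside a file path. (IPv6 would need its own check.)
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Log-watcher side (for instance called from a fail2ban action): record a
# failed login. /var/tmp is world-writable, so the directory is kept private.
mark_failed() {
    valid_ip "$1" || return 1
    mkdir -p "$MARK_DIR" && chmod 700 "$MARK_DIR" && touch "$MARK_DIR/$1"
}

# Wrapper side: print the delay in seconds that applies to this client.
# Markers older than MARK_TTL_MIN minutes are removed first, so the penalty
# ends on its own instead of lasting until someone cleans the directory.
tarpit_delay() {
    valid_ip "$1" || { echo 0; return 0; }
    find "$MARK_DIR" -maxdepth 1 -type f -name "$1" \
        -mmin "+$MARK_TTL_MIN" -exec rm -f {} + 2>/dev/null || true
    if [ -f "$MARK_DIR/$1" ]; then echo "$TARPIT_SECS"; else echo 0; fi
}

# In the login wrapper (REMOTE_IP is assumed to be set by whatever starts it):
#   sleep "$(tarpit_delay "$REMOTE_IP")"
#   exec "$@"
```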