[Dovecot] Feature request: usernames and passwords

Pascal Volk user+dovecot at localhost.localdomain.org
Wed Jul 21 16:32:15 EEST 2010


On 07/21/2010 03:06 PM Leonardo Rodrigues wrote:
> 
>      I was thinking of something like ...
> 
> 1) after N tries (let's say 10 for example) of wrong username/password 
> combinations, dovecot could start delaying the answers for wrong 
> authentications coming from that specific IP address or IP/username, 
> thus slowing down the brute-force attacks;
> 1.1) or even, after some M (let's say 20 for example) wrong 
> username/password combinations, dovecot could ban that IP address (or IP 
> address/username combination to avoid problems with big networks with NAT 
> access) for XX seconds/minutes, also slowing down the brute-force attack 
> tries
> 1.2) this could probably be implemented using some in-memory internal 
> backend, so it would be absolutely independent of the passdb schema and 
> would require no modifications to the passdb schema.
> 

Install dovecot 2.0.rc3 and try to 'break in'. You will see how dovecot
slows down your 'attack'. When you test it with your botnet ( ;-) ), use
`doveadm penalty` to see current penalties.


Regards,
Pascal
-- 
The trapper recommends today: deadbeef.1020215 at localdomain.org
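
A minimal sketch of the scheme proposed in the quoted message: delay after N failures, temporary ban after M, state held in memory and keyed by IP or IP/username. This is an added example, not part of the original thread and not Dovecot's implementation; the class name `AuthThrottle`, the doubling delay, its cap and the default values are assumptions.

```python
import time


class AuthThrottle:
    """In-memory failed-login tracker; needs no passdb schema changes."""

    def __init__(self, delay_after=10, ban_after=20, ban_seconds=300,
                 max_delay=16.0, per_user=True, clock=time.monotonic):
        self.delay_after = delay_after    # N in the proposal
        self.ban_after = ban_after        # M in the proposal
        self.ban_seconds = ban_seconds    # XX in the proposal
        self.max_delay = max_delay        # assumed cap on the added delay
        self.per_user = per_user          # key on IP/username (NAT-friendly) or IP only
        self.clock = clock
        self._state = {}                  # key -> [failures, banned_until or None]

    def _key(self, ip, user):
        return (ip, user.lower()) if self.per_user else ip

    def check(self, ip, user):
        """Call before verifying a password. Returns (verdict, seconds)."""
        key = self._key(ip, user)
        entry = self._state.get(key)
        if entry is None:
            return ("ok", 0.0)
        failures, banned_until = entry
        now = self.clock()
        if banned_until is not None:
            if now < banned_until:
                return ("ban", banned_until - now)
            del self._state[key]          # ban served: start counting afresh
            return ("ok", 0.0)
        if failures >= self.delay_after:
            # Assumed policy: delay doubles per extra failure, up to max_delay.
            return ("delay", min(self.max_delay, 2.0 ** (failures - self.delay_after)))
        return ("ok", 0.0)

    def record_failure(self, ip, user):
        entry = self._state.setdefault(self._key(ip, user), [0, None])
        entry[0] += 1
        if entry[0] >= self.ban_after:
            entry[1] = self.clock() + self.ban_seconds

    def record_success(self, ip, user):
        # Clears only this key, so one valid login cannot reset other counters.
        self._state.pop(self._key(ip, user), None)
```

A production version would also bound the table's size and expire idle entries, since the remote side controls how many keys get created.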

