[Dovecot] Limit login attempts per connection?

Stan Hoeppner stan at hardwarefreak.com
Fri Mar 5 14:41:26 EET 2010


Ed W put forth on 3/5/2010 3:44 AM:

> ...but ...  At least my public facing servers seem to be receiving
> trickle scans where there is definite evidence of a slow distributed
> bruteforcer which uses multiple IPs to try multiple usernames and I
> probably only see each IP a few times a day...  This is quite hard to
> defend against without some kind of distributed system (and I believe
> there are such things?)

It's good policy these days to use ipdeny.com cidr tables and ban all
countries from your servers that will never need legitimate access to them.
If you're in the US, do you need to allow Chinese or Russian IP space to
connect to your IMAP ports?  If not, it's pretty simple to add iptables
rules on all your servers to ban all the countries where a large number of
unauthorized connection attempts originate.

This usually can't be done with off the shelf firewalls from the likes of
Cisco et al as they don't have enough memory.  For a large server farm, it
would be better to have a Linux or NetBSD box running firewall duty for the
farm so you only have to load these rules once and eat cycles on only one
machine.

Also keep in mind that iptables load time for huge country files can be
pretty substantial.  I experimented with this on an old dual 550 MHz machine
and it took something like 30 seconds to load just the China cidrs into
iptables.  If you plan to load up multiple countries, initial iptables
loading might take a while.

Once you've got it set up and tuned it can work very well.

-- 
Stan
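
An added example, not from Stan's post or from the Dovecot project: a POSIX shell script that turns an ipdeny.com-style zone file (one CIDR per line, which is the format ipdeny publishes) into an ipset restore script plus a single iptables rule that references the set. Stan describes loading one iptables rule per CIDR; putting the CIDRs into a hash:net ipset and matching it with one rule is a different technique that avoids the long load time he mentions. The zone contents below are constructed, and the set name geoblock_cn and the IMAP ports 143,993 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build an ipset "restore" script
# from an ipdeny.com-style zone file and emit the iptables rule that uses it.
# Matching one hash:net set is far cheaper than loading one rule per CIDR.

# Constructed sample zone text in ipdeny's format (one CIDR per line).
# Comment lines, blank lines and malformed entries are included on purpose.
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
# comment lines and blank lines are skipped

1.0.8.0/21
not-a-cidr
'

# gen_ipset_restore NAME ZONE_TEXT
# Prints ipset-restore(8) input: create the set, then one "add" per valid CIDR.
# "-exist" makes the script idempotent when the set is reloaded.
gen_ipset_restore() {
    name=$1
    zone=$2
    printf 'create %s hash:net family inet -exist\n' "$name"
    printf '%s\n' "$zone" | while IFS= read -r cidr; do
        case $cidr in
            ''|'#'*) continue ;;
        esac
        # Syntactic check only (dotted quad + prefix); ipset rejects bad prefixes itself.
        if printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            printf 'add %s %s -exist\n' "$name" "$cidr"
        fi
    done
}

# gen_iptables_rules NAME PORTS
# Prints the one iptables rule that drops TCP to PORTS from any source in the set.
gen_iptables_rules() {
    name=$1
    ports=$2
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -m set --match-set %s src -j DROP\n' \
        "$ports" "$name"
}

# count_entries NAME ZONE_TEXT
# Returns (prints) how many "add" lines the zone produced; useful as a sanity check
# against "wc -l" of the downloaded zone file before applying it.
count_entries() {
    gen_ipset_restore "$1" "$2" | grep -c '^add ' || true
}

# apply_geoblock NAME ZONE_FILE PORTS
# Real deployment path (needs root and the ipset/iptables binaries); not run by default.
apply_geoblock() {
    gen_ipset_restore "$1" "$(cat "$2")" | ipset restore
    sh -c "$(gen_iptables_rules "$1" "$3")"
}

# Dry run on the constructed sample: show what would be loaded.
gen_ipset_restore geoblock_cn "$SAMPLE_ZONE"
gen_iptables_rules geoblock_cn 143,993
printf '# %s entries would be loaded\n' "$(count_entries geoblock_cn "$SAMPLE_ZONE")"

# Example of the real thing (assumed path to a downloaded ipdeny zone file):
#   apply_geoblock geoblock_cn /etc/geoblock/cn.zone 143,993
```

Because the rule is inserted with `-I INPUT`, it is evaluated before any accept rules for the mail ports; if you load several country sets, one rule per set is still only a handful of rules regardless of how many thousands of CIDRs each set holds.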