[Dovecot] limiting number of incorrect logins per connection

Alexandre Chapellon a.chapellon at horoa.net
Fri Aug 26 16:14:27 EEST 2011


fail2ban will work as soon as Dovecot has closed a non-authenticated 
connection: 3mins->180sec
If tarpit delay for auth failures in a connection is set to 15s (which 
seems to be the default unless I misunderstood).... this lets an 
attacker only 12 tries (at most) before the IP gets blacklisted by 
fail2ban... Far enough to circumvent bruteforce and even dictionary 
based attacks... unless the attacker has a botnet and uses a non 
aggressive retry policy. But in the last case, even if you blacklist the IP 
at the first failed try, you're still vulnerable to such attacks.

regards.

On 26/08/2011 14:22, Felipe Scarel wrote:
> Yeah, I had read about half of that thread, and after I sent my mail kept
> reading and stumbled upon this: "(...) using the recent module needs
> dovecot to close the connection upon authentication failure, as iptables only
> (normally) comes in to play for new connections (...)".
>
> So, yeah, my suggestion probably won't work.
>
> On Fri, Aug 26, 2011 at 09:15, Felipe Scarel <fbscarel at gmail.com> wrote:
>
>> Alex, I've not personally done it (so just speculating here, bear with me)
>> but you can customize Fail2Ban's actions if needed. So, if you can match the
>> attempts through some regex (and since you're seeing them in the logs, that
>> should be quite possible), then you can edit one of the 'actions' to drop
>> the connection for <ip>.
>>
>> I'm just not entirely sure that iptables (or pf, or whatever firewall
>> you've got) can do it to active connections, 'cause that problem hasn't
>> arisen for me so far.
>>
>>
>> On Fri, Aug 26, 2011 at 06:14, Alex <alex at ahhyes.net> wrote:
>>
>>> I am happy to recompile if there is no config option. I gather it's in the
>>> src/auth dir somewhere in one of the C source files. Just need to be pointed
>>> in the right dir.
>>>
>>>
>>> On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
>>>
>>>> 3 minutes! I think that's too long, how can I drop that down to about
>>>> 45 seconds?
>>>>
>>>>
>>>> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>>>>
>>>>> On 26.8.2011, at 10.25, Alex wrote:
>>>>>
>>>>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth
>>>>>> attacked. What I have noticed is that once connected to a pop3/imap login
>>>>>> session, you can send endless incorrect usernames+passwords attempts. This
>>>>>> is a problem for me... I use fail2ban to try and stop these script kiddies.
>>>>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>>>>> however, since it's an "established" session, the attacker can keep authing
>>>>>> away... It's only on a subsequent (new) connection that the firewalling will
>>>>>> take effect.
>>>>>>
>>>>> Umm. If client hasn't managed to log in in 3 minutes, it's
>>>>> disconnected (no matter what it does with the connection).
>>>>>

-- 
<http://www.horoa.net>
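The two mechanisms the thread combines are fail2ban's log-driven ban decision (a sliding window of failed logins per source IP) and Alexandre's back-of-the-envelope bound on guesses per connection (connection timeout divided by tarpit delay). The script below is an added example, not code from the thread or from Dovecot or fail2ban; the log lines are constructed in the style of Dovecot 2 `*-login` output, and the `maxretry`/`findtime` names are borrowed from fail2ban's jail options only as illustration. The `rip=` field is taken as the remote IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of Dovecot 2 *-login output (not real log data).
# 203.0.113.5 fails three times in under a minute; 198.51.100.9 fails once; 198.51.100.7 logs in.
SAMPLE_LOG = """\
Aug 26 10:25:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Aug 26 10:25:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Aug 26 10:25:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Aug 26 10:26:02 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Aug 26 10:31:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<eve>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1
"""

# Matches only failed-login disconnects; captures the syslog timestamp and the remote IP (rip=).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed.*?rip=(?P<ip>[0-9.]+)"
)


def parse_failures(log_text):
    """Yield (timestamp, ip) for every auth-failure line, in log order."""
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            # Syslog timestamps carry no year; relative ordering is all we need here.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def banned_ips(log_text, maxretry=3, findtime=600):
    """Return the set of IPs with at least maxretry failures inside any findtime-second window.

    This is the sliding-window rule a fail2ban jail applies; the names mirror
    fail2ban's jail options but the logic here is a standalone illustration.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = set()
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def attempts_before_timeout(tarpit_delay_s, connection_timeout_s):
    """Upper bound on guesses one already-established connection allows.

    Models the thread's reasoning: each failure costs tarpit_delay_s, and the
    login process drops an unauthenticated client after connection_timeout_s.
    """
    if tarpit_delay_s <= 0:
        raise ValueError("tarpit delay must be positive")
    return connection_timeout_s // tarpit_delay_s


if __name__ == "__main__":
    print("ban:", sorted(banned_ips(SAMPLE_LOG)))
    print("guesses per connection at 15s delay / 180s timeout:",
          attempts_before_timeout(15, 180))
```

With the constructed log, only 203.0.113.5 crosses `maxretry=3` inside the window; the single pop3 failure and the successful login are ignored. The second function reproduces the 12-tries bound from the message and makes the point of the thread visible: the ban only bites on the next connection, so the per-connection ceiling is set by Dovecot's delay and timeout, not by fail2ban.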