[Dovecot] limiting number of login attempts from same ip

Duane Hill duane at duanemail.org
Fri Jun 10 13:06:22 EEST 2011


Friday, June 10, 2011, 4:22:26 AM, Jürgen wrote:

> Hello,

> is it possible to limit the number of pop3 (or imap) login attempts  
> from one IP with dovecot to stop attackers? We recently had an attack
> from one IP-address lasting 50 minutes that tried 50000 pop3-logins  
> with guessed users and passwords. I know about Fail2Ban but really  
> would prefer an easy to configure solution inside of dovecot. Dovecot
> has this anvil daemon, can it be used for that purpose?

> We use dovecot version 2.0.12 under Solaris 10; the pop3-login part of
> the configuration looks like this:

> service pop3-login {
>    chroot = login
>    client_limit = 0
>    drop_priv_before_exec = no
>    executable = pop3-login
>    extra_groups =
>    group =
>    idle_kill = 0
>    inet_listener pop3 {
>      address =
>      port = 110
>      ssl = no
>    }
>    inet_listener pop3s {
>      address =
>      port = 995
>      ssl = yes
>    }
>    privileged_group =
>    process_limit = 0
>    process_min_avail = 0
>    protocol = pop3
>    service_count = 1
>    type = login
>    user = $default_login_user
>    vsz_limit = 64 M
> }

You can thwart (to some degree) failed login attempts by increasing
auth_failure_delay. I currently have the parameter set at 5 seconds.
Its default is 2 seconds.

I also have set auth_verbose = yes and auth_verbose_passwords = sha1
and have a cron job set up to search the logs for the day before using:

    bzegrep -i 'password.mismatch' /var/log/maillog.0.bz2

I get an email message showing the failed login attempts from the
previous day.

Someone else suggested using fail2ban, which is good. I have sshguard
set up myself.

-- 
Best regards,
 Duane                            mailto:duane at duanemail.org
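The daily log search described above, as an added example that is not part of Duane's post or of Dovecot itself: instead of mailing every matching line, it parses the `Password mismatch` lines that `auth_verbose = yes` produces, aggregates them per client IP (failure count, distinct users tried, time span) and lists the IPs over a threshold. It assumes the syslog-style line layout of Dovecot 2.x, `<passdb>(<user>,<ip>): Password mismatch`; the passdb name `passwd-file`, the hostname, the IPs and every sample line are constructed, and the threshold of 10 is an arbitrary choice.

```python
"""Summarise Dovecot 'Password mismatch' log lines per client IP.

Added example, not code from the original post or from Dovecot. It assumes
the syslog-style line that auth_verbose = yes logs in Dovecot 2.x, e.g.

    Jun 10 04:22:26 mail dovecot: auth: passwd-file(alice,192.0.2.10): Password mismatch

The passdb name, hostname, addresses and all sample lines are constructed.
"""
import re
from datetime import datetime

# "<passdb>(<user>,<ip>[,<session>]): Password mismatch", preceded by the
# syslog "Mon DD HH:MM:SS" stamp. Lines without that fragment are ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"\w[\w-]*\((?P<user>[^,()]*),(?P<ip>[^,()]+)(?:,[^)]*)?\): Password mismatch"
)

# Constructed sample: one address walking through several guessed users,
# one legitimate user mistyping once, and two unrelated lines.
SAMPLE_LOG = [
    "Jun 10 04:22:26 mail dovecot: auth: passwd-file(alice,192.0.2.10): Password mismatch",
    "Jun 10 04:22:31 mail dovecot: auth: passwd-file(bob,192.0.2.10): Password mismatch (SHA1 of given password: 5baa61e4)",
    "Jun 10 04:22:37 mail dovecot: auth: passwd-file(admin,192.0.2.10): Password mismatch",
    "Jun 10 04:22:42 mail dovecot: auth: passwd-file(test,192.0.2.10): Password mismatch",
    "Jun 10 04:22:48 mail dovecot: auth: passwd-file(alice,192.0.2.10): Password mismatch",
    "Jun 10 09:15:02 mail dovecot: auth: passwd-file(carol,198.51.100.7): Password mismatch",
    "Jun 10 09:15:30 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5",
    "Jun 10 09:16:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<>, rip=203.0.113.9, lip=203.0.113.5",
]


def parse_failures(lines, year=2011):
    """Return (timestamp, user, ip) for every failed-password line.

    syslog omits the year, so the caller supplies it (a constructed default here).
    """
    found = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse "Jun  3" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        found.append((ts, m.group("user"), m.group("ip")))
    return found


def summarise(lines, year=2011):
    """Per-IP failure count, set of users tried, first and last failure time."""
    stats = {}
    for ts, user, ip in parse_failures(lines, year):
        s = stats.setdefault(ip, {"failures": 0, "users": set(), "first": ts, "last": ts})
        s["failures"] += 1
        s["users"].add(user)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def offenders(stats, min_failures=10):
    """IPs whose failure count reaches min_failures, worst first."""
    hits = [ip for ip, s in stats.items() if s["failures"] >= min_failures]
    return sorted(hits, key=lambda ip: -stats[ip]["failures"])


def report(lines, min_failures=10, year=2011):
    """Plain-text summary suitable as the body of a daily cron mail."""
    stats = summarise(lines, year)
    rows = []
    for ip in offenders(stats, min_failures):
        s = stats[ip]
        span = int((s["last"] - s["first"]).total_seconds())
        rows.append(f"{ip:<16} {s['failures']:>6} failures {len(s['users']):>4} users "
                    f"{span:>6}s  first {s['first']:%b %d %H:%M:%S}")
    if not rows:
        return f"no client reached {min_failures} password mismatches"
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    # e.g.  bzcat /var/log/maillog.0.bz2 | python3 this.py -   (file "-" = stdin)
    if len(sys.argv) > 1:
        src = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        print(report(src, min_failures=10))
    else:
        print(report(SAMPLE_LOG, min_failures=3))
```

Two points worth keeping in mind when reading the output: a large number of distinct users from one address is the user-enumeration signature of the attack described in the question, and `auth_failure_delay` only slows the connection that failed, so an attacker opening many connections in parallel is bounded by the login service's process and client limits rather than by the delay; per-IP counts like these are what a ban tool (fail2ban, sshguard) acts on.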
