[Dovecot] How to limit max number of connections for ip address

Wilberth Perez wilberth.perez at uady.mx
Fri Feb 24 17:07:20 EET 2012


Hi Timo:

My question was because we constantly received brute force attacks from
some IP addresses which use the pop3 service to affect dovecot's login
process.

For example:


Error: Temporary failure in creating login processes, slowing down for now
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>,
method=PLAIN, rip=A.B.C.D, Info: Aborted login (auth failed, 1
attempts): user=<useradmin>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<admin123>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<administrator>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<adm>,
method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
auth(default): Info: shadow(best,A.B.C.D): unknown user
dovecot: Error: pipe() failed: Too many open files
dovecot: Error: Temporary failure in creating login processes, slowing
down for now


In the log above from the dovecot.log file, we observed a lot of connections
from IP address A.B.C.D to our email server with IP address X.Y.Z.A
using the pop3 login process.


Is it possible to prevent this type of attack with any dovecot option (maybe
limiting the max number of connections from one IP address, or maybe
upgrading my dovecot version)?

Thanks for your help and time.

Wilberth.

On 23/02/2012 05:21 p.m., Timo Sirainen wrote:
> On 24.2.2012, at 0.33, Wilberth Perez wrote:
> 
>> Does anyone know if it is possible to configure dovecot to limit the max
>> number of connections for an IP address?
>>
>> I would like to prevent future fork-bombing attacks on the pop3 and imap
>> login processes in my email server.
>>
>> Our dovecot version is : 1.2.10
> 
> There is a mail_max_userip_connections setting which limits the IP+username combination. Typically that should be enough to prevent fork bombing, because users normally don't have more than one account.
> 
> Or do you mean when some IP keeps connecting even without actually logging in? http://wiki.dovecot.org/LoginProcess has some settings related to this, which should normally be quite helpful if the limits are right.
> 
> 
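
An added example, not part of the original messages and not Dovecot code: a per-IP tally of the "Aborted login (auth failed ...)" entries quoted above, which is the signal a rate limit or block rule would key on. The sample log is constructed (documentation addresses stand in for A.B.C.D and X.Y.Z.A), and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the message above,
# including the mail client's line wrapping. Addresses are from the
# documentation ranges (RFC 5737).
SAMPLE_LOG = """\
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>,
method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<useradmin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
pop3-login: Info: Aborted login (auth failed, 2 attempts):
user=<administrator>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
imap-login: Info: Aborted login (auth failed, 1 attempts): user=<maria>,
method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
dovecot: Error: pipe() failed: Too many open files
"""

ABORTED = re.compile(
    r"(?P<svc>pop3|imap)-login: Info: Aborted login "
    r"\(auth failed, (?P<n>\d+) attempts\): user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[^,\s]+), rip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def failed_logins_by_ip(log_text):
    """Return {rip: {"attempts": int, "users": set}} for failed logins."""
    flat = " ".join(log_text.split())  # undo wrapping inside entries
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for m in ABORTED.finditer(flat):
        entry = stats[m.group("rip")]
        entry["attempts"] += int(m.group("n"))
        entry["users"].add(m.group("user"))
    return dict(stats)

def suspicious_ips(log_text, max_attempts=3, max_users=2):
    """IPs at or over either threshold (hypothetical defaults)."""
    return sorted(
        ip for ip, s in failed_logins_by_ip(log_text).items()
        if s["attempts"] >= max_attempts or len(s["users"]) >= max_users
    )

if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(ip, failed_logins_by_ip(SAMPLE_LOG)[ip])
```

Counting distinct usernames per address separates the pattern in the quoted log (one source cycling through admin-style names) from a single user mistyping a password.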
