[Dovecot] Logging passwords on auth failure/dealing with botnets

Charles Marcus CMarcus at Media-Brokers.com
Mon Sep 2 16:35:11 EEST 2013


On 2013-09-02 4:12 AM, Stan Hoeppner <stan at hardwarefreak.com> wrote:
> As others have suggested this seems a log clutter issue, nothing more.

Well, it would be nice to have some way to stop brute force attacks 
(rather than just letting one run rampant until the attacker gives up) - 
i.e., attempted FAILED logins to the same user account.

Maybe a two-pronged approach...

1. A whitelist that whitelists IP+username for *successful* logins 
(maybe with a configurable age-out option) to prevent the real user from 
being locked out if accessing from an IP on the whitelist, and

2. A blacklist that when triggered (x failed login attempts in x 
seconds), doesn't try to block the IP, but rather prevents login 
attempts for that user account from even reaching the AUTH stage - 
*unless* the IP in question is in the whitelist.

The question is, where is this best dealt with - firewall (can fail2ban 
do anything like this?), or would it have to be done in Dovecot?

-- 

Best regards,

*/Charles/*
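
The two-pronged scheme proposed in the message above, sketched as an added example (not part of the original post, and not Dovecot or fail2ban code). The class and function names, the thresholds, and the `lockout` duration are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque

class LoginGate:
    """Per-account gate with an IP+username whitelist (hypothetical names)."""
    def __init__(self, max_failures=3, window=60, lockout=300, whitelist_ttl=86400):
        self.max_failures, self.window = max_failures, window  # x failures in x seconds
        self.lockout = lockout              # assumption: seconds the account stays gated
        self.whitelist_ttl = whitelist_ttl  # age-out for whitelist entries
        self.whitelist = {}                 # (ip, user) -> time of last successful login
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the gate reopens

    def whitelisted(self, ip, user, now):
        seen = self.whitelist.get((ip, user))
        return seen is not None and now - seen <= self.whitelist_ttl

    def allow(self, ip, user, now):
        """Called before AUTH: may this attempt reach the password check?"""
        if self.locked_until.get(user, 0) <= now:
            return True
        return self.whitelisted(ip, user, now)

    def record(self, ip, user, success, now):
        """Called after AUTH with the result of an attempt that was let through."""
        if success:
            self.whitelist[(ip, user)] = now
            return
        recent = self.failures[user]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()

def replay(events, gate):
    """Run (time, ip, user, password_ok) tuples through the gate; return decisions."""
    decisions = []
    for now, ip, user, ok in events:
        decisions.append(gate.allow(ip, user, now))
        if decisions[-1]:
            gate.record(ip, user, ok, now)
    return decisions

# Constructed sample: real user at 192.0.2.10, then a bot at 203.0.113.7 guessing.
EVENTS = [(0, "192.0.2.10", "alice", True), (10, "203.0.113.7", "alice", False),
          (11, "203.0.113.7", "alice", False), (12, "203.0.113.7", "alice", False),
          (13, "203.0.113.7", "alice", True), (14, "192.0.2.10", "alice", True)]
```

In the sample, the attempt at t=13 is refused before AUTH even though the password is correct, while the whitelisted address at t=14 still gets through. The `failures` table is keyed by attacker-supplied usernames, so a real deployment would need to bound or expire it.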

