[Dovecot] Logging passwords on auth failure/dealing with botnets

Noel noeldude at gmail.com
Tue Sep 3 00:11:49 EEST 2013


On 9/2/2013 8:35 AM, Charles Marcus wrote:
> 2. A blacklist that when triggered (x failed login attempts in x
> seconds), doesn't try to block the IP, but rather prevents login
> attempts for that user account from even reaching the AUTH stage -
> *unless* the IP in question is in the whitelist.
>
> The question is, where is this best dealt with - firewall (can
> fail2ban do anything like this?), or would it have to be done in
> dovecot?
>

I'm already using fail2ban to block IPs that have too many AUTH
failures.

Fail2ban is pretty flexible -- it watches the log and counts strings
you specify, then runs a command or script you specify.  If the
username is logged, I suppose it's possible to run something to
temporarily disable that user.

It would be a lot easier to deploy if some sort of blocker were
built into dovecot -- after X number of failures during Y seconds,
fail all future attempts for the account for T seconds.  Maybe reset
the timer on each attempt during the blackout period so the timer
never expires on the persistent distributed brute force attacks.  I
suppose there would also need to be a way to whitelist IPs so the
account owner can get in.


  -- Noel Jones


More information about the dovecot mailing list