[Dovecot] stopping dictionary attacks (pop3)
Noel
noeldude at gmail.com
Tue Sep 3 07:34:33 EEST 2013
On 9/2/2013 8:59 PM, other at ahhyes.net wrote:
> Hi Guys,
>
> I was really hoping a couple of years later this would be
> addressed... I'm running Dovecot 2.2.5 on FreeBSD.
>
> Is there anyway to limit the number of auth attempts allowed in a
> single session? The reason for this is because I have "fail2ban"
> setup to firewall out any IP addresses that repeatedly auth fails.
> The issue occurs when the connection is already in an
> "established" state and the attacker uses the existing session to
> hammer away, fail2ban becomes ineffective as dovecot appears to
> allow the person to attempt authentication ad infinitum.
>
> It would be nice if there was config option that would for example
> cause the software to close the connection after X failed
> attempts. I use "pf" as the firewall on FreeBSD.
The secret is the "pfctl -k IP" command to drop state for the
offending IP. Just add it to your fail2ban action command.
action = /sbin/pfctl {whatever you have now} && /sbin/pfctl -k <ip>
A nice writeup of fail2ban and pf can be found here:
http://www.effu.se/2011/03/Integrating-PF-with-Fail2ban-0.9
-- Noel Jones
More information about the dovecot
mailing list