[Dovecot] Logging passwords on auth failure/dealing with botnets

Charles Marcus CMarcus at Media-Brokers.com
Tue Sep 3 13:12:45 EEST 2013

On 2013-09-02 5:11 PM, Noel <noeldude at gmail.com> wrote:
> It would be a lot easier to deploy if some sort of blocker were
> built into dovecot -- after X number of failures during Y seconds,
> fail all future attempts for the account for T seconds.

But again, totally blocking all AUTH attempts like that even blocks 
valid attempts by the real user.

Having a whitelist that tracks valid user+IP logins would prevent that.

> Maybe reset the timer on each attempt during the blackout period so the timer
> never expires on the persistent distributed brute force attacks.  I
> suppose there would also need to be a way to whitelist IPs so the
> account owner can get in.

Ummm... maybe you didn't read what I wrote? That is what I meant by 
'whitelist' in item 1... ;)

On 2013-09-02 9:59 PM, other at ahhyes.net <other at ahhyes.net> wrote:
> Is there anyway to limit the number of auth attempts allowed in a 
> single session? The reason for this is because I have "fail2ban" setup 
> to firewall out any IP addresses that repeatedly auth fails.

Is there a way to tell fail2ban to block connection attempts NOT based 
on IP, but based on other values or value combinations (like user+IP)?

More information about the dovecot mailing list