On 10-03-04 23:43:25, Tony Nelson wrote:
> On 10-03-04 20:22:15, Frank Cusack wrote:
> > On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
> > > Looking at the source, I see that there are no options.  It
> > > tarpits a bit, but currently has no limit on the number of 
> > > attempts.  I'll see what I can do.
> > 
> > I think it's a brilliant idea.  After one login attempt, all others
> > on the same connection should fail.
> 
> A fan!  Anyway, there should at least be a choice.  Not that I've
> coded a choice, just a dumb patch -- see attachment.  It's a bit of a
> compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower
> it to 2.

New patch with conf file setting "max_auth_attempts".  The default is 0 
and means no limit; non-zero disconnects after that many login 
failures.  I put it in the main area of the conf file, but IIUC it 
should also work in the pop3 or imap sections and only affect that 
server.  It doesn't affect the tarpitting.

When using it with an IPTables "recent" module rule, set it to 1.
 
-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynel...@georgeanelson.com>
      '                              <http://www.georgeanelson.com/>

diff -ur dovecot-1.2.10.orig/dovecot-example.conf dovecot-1.2.10/dovecot-example.conf
--- dovecot-1.2.10.orig/dovecot-example.conf	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/dovecot-example.conf	2010-03-08 00:51:30.000000000 -0500
@@ -47,6 +47,11 @@
 # connection is considered secure and plaintext authentication is allowed.
 #disable_plaintext_auth = no
 
+# Limit the number of failed authentication attempts per connection.  0
+# means no limit.  Tarpitting by 5 seconds more each failure is not
+# affected.
+#max_auth_attempts = 0
+
 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to "no" means that Dovecot can be upgraded without
 # forcing existing client connections to close (although that could also be
diff -ur dovecot-1.2.10.orig/dovecot-example.conf.default-settings dovecot-1.2.10/dovecot-example.conf.default-settings
--- dovecot-1.2.10.orig/dovecot-example.conf.default-settings	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/dovecot-example.conf.default-settings	2010-03-08 01:03:53.000000000 -0500
@@ -51,6 +51,11 @@
 # connection is considered secure and plaintext authentication is allowed.
 #disable_plaintext_auth = yes
 
+# Limit the number of failed authentication attempts per connection.  0
+# means no limit.  Tarpitting by 5 seconds more each failure is not
+# affected.
+#max_auth_attempts = 0
+
 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to "no" means that Dovecot can be upgraded without
 # forcing existing client connections to close (although that could also be
diff -ur dovecot-1.2.10.orig/src/imap-login/client-authenticate.c dovecot-1.2.10/src/imap-login/client-authenticate.c
--- dovecot-1.2.10.orig/src/imap-login/client-authenticate.c	2010-01-24 18:14:17.000000000 -0500
+++ dovecot-1.2.10/src/imap-login/client-authenticate.c	2010-03-08 00:41:46.000000000 -0500
@@ -266,6 +266,7 @@
 	const char *msg;
 	size_t data_len;
 	bool nodelay;
+	extern unsigned int max_auth_attempts;
 
 	i_assert(!client->destroyed ||
 		 reply == SASL_SERVER_REPLY_AUTH_ABORTED ||
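Review bot: The added `extern unsigned int max_auth_attempts;` is a block-scope extern inside the callback body, and the pop3-login hunk at -227,6 repeats it; neither copy is type-checked against the definition in login-common/main.c unless a shared header declares it, and a reader of the function has no hint that this is a process-wide setting. Declare it once in the login-common header that presumably already declares `closing_down` and `capability_string_overridden` (both are defined next to it in main.c), e.g. `extern unsigned int max_auth_attempts;` with a comment `/* 0 = unlimited; failed auth attempts per connection before disconnect */`, and drop the two local externs. The enclosing function starts outside this hunk.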
@@ -286,8 +287,12 @@
 		if (client->to_auth_waiting != NULL)
 			timeout_remove(&client->to_auth_waiting);
 		if (args != NULL) {
-			if (client_handle_args(client, args, FALSE, &nodelay))
+			if (client_handle_args(client, args, FALSE, &nodelay)) {
+				/*GAN 04Mar10  restrict auth attempts */
+				if (max_auth_attempts && client->common.auth_attempts >= max_auth_attempts)
+					client_destroy(client, "Too many auth attempts.");
 				break;
+			}
 		}
 
 		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
@@ -298,8 +303,12 @@
 			msg = t_strconcat("NO [ALERT] ", data, NULL);
 		client_send_tagline(client, msg);
 
-		if (!client->destroyed)
+		if (!client->destroyed) {
+			/*GAN 04Mar10  restrict auth attempts */
+			if (max_auth_attempts && client->common.auth_attempts >= max_auth_attempts)
+				client_destroy(client, "Too many auth attempts.");
 			client_auth_failed(client, nodelay);
+		}
 		break;
 	case SASL_SERVER_REPLY_MASTER_FAILED:
 		if (data == NULL)
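Review bot: In the `!client->destroyed` branch the new `client_destroy(client, "Too many auth attempts.");` is followed unconditionally by the existing `client_auth_failed(client, nodelay);` on the same client, so the failure path still runs its delay/retry handling on a client that has just been torn down; unless client_destroy (outside this hunk) merely flags the client and leaves every field usable, that is a use-after-destroy. Make the two exclusive: `if (max_auth_attempts != 0 && client->common.auth_attempts >= max_auth_attempts)` / `client_destroy(client, "Too many auth attempts.");` / `else client_auth_failed(client, nodelay);`. The same sequence is in the pop3-login hunk at -256,8 after `client_send_line`. Note also that the comparison happens before this failure is counted; if `auth_attempts` is incremented inside client_auth_failed, a setting of N disconnects on the N+1th failure rather than "after that many login failures" as the conf comment says, which is worth confirming (the same ordering applies in the client_handle_args branch of the previous hunk). The enclosing function starts and ends outside this hunk.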
diff -ur dovecot-1.2.10.orig/src/login-common/main.c dovecot-1.2.10/src/login-common/main.c
--- dovecot-1.2.10.orig/src/login-common/main.c	2010-01-24 18:14:17.000000000 -0500
+++ dovecot-1.2.10/src/login-common/main.c	2010-03-08 00:41:46.000000000 -0500
@@ -29,6 +29,7 @@
 unsigned int login_process_uid;
 struct auth_client *auth_client;
 bool closing_down, capability_string_overridden;
+unsigned int max_auth_attempts;
 
 static const char *process_name;
 static struct ioloop *ioloop;
@@ -360,6 +361,10 @@
 			capability_string_overridden = TRUE;
 	}
 
+	/*GAN 06Mar10  restrict auth attempts */
+	value = getenv("MAX_AUTH_ATTEMPTS");
+	max_auth_attempts = value == NULL ? 0 : strtoul(value, NULL, 10);
+
         closing_down = FALSE;
 	main_refcount = 0;
 
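Review bot: `max_auth_attempts = value == NULL ? 0 : strtoul(value, NULL, 10);` fails open: a non-numeric or trailing-garbage MAX_AUTH_ATTEMPTS silently becomes 0, which this patch defines as "no limit", and the unsigned long result is narrowed to unsigned int with no range check. The value is written by the master (login-process.c hunk), so corruption is unlikely, but a parse check that refuses to start is cheap and keeps a mangled environment from quietly disabling the limit. The enclosing function starts and ends outside the hunk and `value` is declared outside it; `UINT_MAX` is from `<limits.h>`.
```c
	/* restrict auth attempts: 0 = no limit, handed down by the master via the environment */
	value = getenv("MAX_AUTH_ATTEMPTS");
	max_auth_attempts = 0;
	if (value != NULL) {
		char *end;
		unsigned long v = strtoul(value, &end, 10);
		if (*value == '\0' || *end != '\0' || v > UINT_MAX)
			i_fatal("Invalid MAX_AUTH_ATTEMPTS value: %s", value);
		max_auth_attempts = (unsigned int)v;
	}
```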
diff -ur dovecot-1.2.10.orig/src/master/login-process.c dovecot-1.2.10/src/master/login-process.c
--- dovecot-1.2.10.orig/src/master/login-process.c	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/src/master/login-process.c	2010-03-08 00:41:46.000000000 -0500
@@ -649,6 +649,9 @@
 				    set->login_trusted_networks, NULL));
 	}
 	env_put(t_strconcat("LOGIN_DIR=", set->login_dir, NULL));
+
+	env_put(t_strdup_printf("MAX_AUTH_ATTEMPTS=%u",
+		set->max_auth_attempts));		/*GAN 06Mar10  restrict auth attempts */
 }
 
 static pid_t create_login_process(struct login_group *group)
diff -ur dovecot-1.2.10.orig/src/master/master-settings.c dovecot-1.2.10/src/master/master-settings.c
--- dovecot-1.2.10.orig/src/master/master-settings.c	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/src/master/master-settings.c	2010-03-08 00:41:46.000000000 -0500
@@ -197,6 +197,8 @@
 	MEMBER(nfs_check) TRUE,
 	MEMBER(version_ignore) FALSE,
 
+	MEMBER(max_auth_attempts) 0,		/*GAN 06Mar10  restrict auth attempts */
+
 	/* login */
 	MEMBER(login_dir) "login",
 	MEMBER(login_executable) NULL,
diff -ur dovecot-1.2.10.orig/src/master/master-settings.c.default-settings dovecot-1.2.10/src/master/master-settings.c.default-settings
--- dovecot-1.2.10.orig/src/master/master-settings.c.default-settings	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/src/master/master-settings.c.default-settings	2010-03-08 00:41:46.000000000 -0500
@@ -197,6 +197,8 @@
 	MEMBER(nfs_check) TRUE,
 	MEMBER(version_ignore) FALSE,
 
+	MEMBER(max_auth_attempts) 0,		/*GAN 06Mar10  restrict auth attempts */
+
 	/* login */
 	MEMBER(login_dir) "login",
 	MEMBER(login_executable) NULL,
diff -ur dovecot-1.2.10.orig/src/master/master-settings-defs.c dovecot-1.2.10/src/master/master-settings-defs.c
--- dovecot-1.2.10.orig/src/master/master-settings-defs.c	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/src/master/master-settings-defs.c	2010-03-08 00:41:46.000000000 -0500
@@ -35,6 +35,8 @@
 	DEF_BOOL(nfs_check),
 	DEF_BOOL(version_ignore),
 
+	DEF_INT(max_auth_attempts),		/*GAN 06Mar10  restrict auth attempts */
+
 	/* login */
 	DEF_STR(login_dir),
 	DEF_STR(login_executable),
diff -ur dovecot-1.2.10.orig/src/master/master-settings.h dovecot-1.2.10/src/master/master-settings.h
--- dovecot-1.2.10.orig/src/master/master-settings.h	2010-03-07 02:05:08.000000000 -0500
+++ dovecot-1.2.10/src/master/master-settings.h	2010-03-08 00:41:46.000000000 -0500
@@ -50,6 +50,8 @@
 	bool nfs_check;
 	bool version_ignore;
 
+	unsigned int max_auth_attempts;		/*GAN 06Mar10  restrict auth attempts */
+
 	/* login */
 	const char *login_dir;
 	const char *login_executable;
diff -ur dovecot-1.2.10.orig/src/pop3-login/client-authenticate.c dovecot-1.2.10/src/pop3-login/client-authenticate.c
--- dovecot-1.2.10.orig/src/pop3-login/client-authenticate.c	2010-01-24 18:14:17.000000000 -0500
+++ dovecot-1.2.10/src/pop3-login/client-authenticate.c	2010-03-08 00:41:46.000000000 -0500
@@ -227,6 +227,7 @@
 	const char *msg;
 	size_t data_len;
 	bool nodelay;
+	extern unsigned int max_auth_attempts;
 
 	i_assert(!client->destroyed ||
 		 reply == SASL_SERVER_REPLY_AUTH_ABORTED ||
@@ -244,8 +245,12 @@
 	case SASL_SERVER_REPLY_AUTH_FAILED:
 	case SASL_SERVER_REPLY_AUTH_ABORTED:
 		if (args != NULL) {
-			if (client_handle_args(client, args, FALSE, &nodelay))
+			if (client_handle_args(client, args, FALSE, &nodelay)) {
+				/*GAN 04Mar10  restrict auth attempts */
+				if (max_auth_attempts && client->common.auth_attempts >= max_auth_attempts)
+					client_destroy(client, "Too many auth attempts.");
 				break;
+			}
 		}
 
 		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
@@ -256,8 +261,12 @@
 			msg = t_strconcat("-ERR ", data, NULL);
 		client_send_line(client, msg);
 
-		if (!client->destroyed)
+		if (!client->destroyed) {
+			/*GAN 04Mar10  restrict auth attempts */
+			if (max_auth_attempts && client->common.auth_attempts >= max_auth_attempts)
+				client_destroy(client, "Too many auth attempts.");
 			client_auth_failed(client, nodelay);
+		}
 		break;
 	case SASL_SERVER_REPLY_MASTER_FAILED:
 		if (data == NULL)
