On 21 Jul 2010, at 15:06, Leonardo Rodrigues wrote:

> On 21/07/2010 09:18, Timo Sirainen wrote:
>> 
>> I think this is one of the tons of different possible password policies
>> and isn't really Dovecot's job. It really should be enforced while
>> setting the password, not while checking it.
>> 
>>   
> 
>    I completely agree that dovecot is not the place for enforcing password 
> policies, nor for checking them.
> 
>    But, still on the subject, maybe dovecot could have some features for 
> helping sysadmins to avoid/mitigate brute-force attacks. As told, some bots 
> try username=password, but those fuckers (the bots) also try lots of 
> common passwords, 123, 1234, the username followed by some numbers, and lots 
> of others.
> 
>    Of course, if the provided password is not correct, dovecot denies access 
> as it should .... but in those situations, logs can get pretty filled with 
> login failed messages, especially on servers with lots of accounts. And, in 
> some cases, after lots of tries, the bot can find the correct 
> username/password combination.
> 
>    I was thinking of something like ...
> 
> 1) after N tries (let's say 10 for example) of wrong username/password 
> combinations, dovecot could start delaying the answers for wrong 
> authentications coming from that specific IP address or IP/username, thus 
> slowing down the brute-force attacks;
> 1.1) or even, after some M (let's say 20 for example) wrong username/password 
> combinations, dovecot could ban that IP address (or IP address/username 
> combination, to avoid problems with big networks behind NAT) for XX 
> seconds/minutes, also slowing down the brute-force attack tries;
> 1.2) this could probably be implemented using some in-memory internal 
> backend, so it would be absolutely independent of the passdb schema and would 
> require no modifications to the passdb schema.
> 
>    The original message talks about bot brute-force attacks, but we can be 
> facing REAL brute-force attacks against a specific account .... and I think 
> that some features to help mitigate those could indeed be interesting. And if 
> those features existed, they could surely help with those brute-force attacks 
> coming from dumb bots as well.
> 
>    It won't solve the username=password specific case, but could help with real 
> or bot brute-force attacks.
> 
>    What do you think about that, Timo?

Have a look at fail2ban; this is exactly what you need.
> 
> 
> -- 
> 
> 
>       Sincerely,
>       Leonardo Rodrigues
>       Solutti Tecnologia
>       http://www.solutti.com.br
> 
>       My SPAM trap, do NOT send email
>       gertru...@solutti.com.br
>       My SPAMTRAP, do not email it
> 

YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568
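The throttling scheme Leonardo sketches above (delay replies after N failures, ban for XX seconds after M, keyed by IP or by IP/username so a NAT'd network is not banned wholesale, all held in memory), worked through as an added example. This is constructed illustration code, not part of the thread, of Dovecot or of fail2ban; the class and parameter names are invented, and the clock is passed in so the sequence can be replayed offline.

```python
class AuthThrottle:
    """Constructed example, not Dovecot code: in-memory failed-login tracker.
    After `delay_after` failures the reply is delayed; after `ban_after` the key
    is banned for `ban_seconds`. Keyed by IP, or (IP, user) so a NAT'd network
    is not banned wholesale. Time is passed in so it can be replayed offline."""

    def __init__(self, delay_after=10, ban_after=20, ban_seconds=600,
                 step_seconds=2.0, per_user=False):
        self.delay_after, self.ban_after = delay_after, ban_after
        self.ban_seconds, self.step_seconds = ban_seconds, step_seconds
        self.per_user = per_user
        self.failures = {}      # key -> consecutive failed attempts
        self.banned_until = {}  # key -> time at which the ban expires

    def _key(self, ip, user):
        return (ip, user) if self.per_user else ip

    def check(self, ip, user, now):
        """Call before verifying the password; returns (allowed, delay_seconds)."""
        key = self._key(ip, user)
        until = self.banned_until.get(key)
        if until is not None:
            if now < until:
                return False, 0.0
            del self.banned_until[key]   # ban expired: start counting afresh
            self.failures.pop(key, None)
        n = self.failures.get(key, 0)
        over = n - self.delay_after + 1  # how far past the delay threshold
        return True, self.step_seconds * over if over > 0 else 0.0

    def record(self, ip, user, success, now):
        """Call after verifying the password; a success clears the counter."""
        key = self._key(ip, user)
        if success:
            self.failures.pop(key, None)
            return
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.ban_after:
            self.banned_until[key] = now + self.ban_seconds


def simulate(attempts, **kw):
    """Replay constructed (ip, user, password_ok, time) tuples; return verdicts."""
    t = AuthThrottle(**kw)
    out = []
    for ip, user, ok, now in attempts:
        allowed, delay = t.check(ip, user, now)
        if allowed:
            t.record(ip, user, ok, now)
        out.append((allowed, delay))
    return out
```

Replaying five wrong passwords from one address with thresholds of 3 and 5 shows the reply delay growing after the third failure, the sixth attempt refused outright, and an attempt after the ban window accepted again; with `per_user=True` the same failures against one account leave other accounts from that address untouched.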
