A quick test confirms that HAproxy header IP information does properly
delay the authentication failures upon successive failed login attempts
from the same IP.
And furthermore if the webmail client is delayed on the IMAP level, this
could potentially be exploited for DoS and as such may not be a good
idea after all. Even with the auth_failure_delay=2 by default this is
possible, but it's much easier to achieve the DoS if the pre-auth delay
increases to 17 seconds (maximum delay I've observed).
Is there any other brute force / DoS mitigation option for dovecot /
webmail interaction, short of fail2ban type IP blocking in a firewall
(which will not work on a machine several layers deep behind e.g. a
proxy), that isn't exclusively relying on the webmail client for such
mitigation?
Can dovecot itself temp-ban remote IPs (as reported by HAproxy protocol,
or IMAP ID x-originating-ip), perhaps with a notice to try again in X
seconds, instead of delaying them?
/Tobias
On 2016-06-24 13:27, Tobias wrote:
The wiki states that anvil's authentication penalties are skipped when
IP is in login_trusted_networks.
http://wiki.dovecot.org/Authentication/Penalty
Is there a way to enable the authentication penalties for specific
advertised remote IPs, when the connecting IP is in
"login_trusted_networks", and it advertises the originating remote IP
via 'ID ("x-originating-ip", "<remote-ip>")'?
And with regards to HAproxy, is anvil's authentication penalties by
default transparent with regards to the remote IP advertised in the
proxy protocol header?
/Tobias
