Thanks for that. I will change it and recompile. Sorry for the grumpiness
yesterday in my posts. Was having a bad day. Is there any chance of there being
an option on future versions that allows a number of failed auth attempts to be
specified before dropping the connection? In the other thread you mentioned, I see
someone devised a small patch in C to add this functionality. It didn't look
like a lot of code to do it. What are your thoughts?
- Reply message -
From: "Timo Sirainen"
Date: Sat, Aug 27, 2011 02:30
Subject: [Dovecot] limiting number of incorrect logins per connection
To: "Alex"
Cc:
login-common/client-common.h :
#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)
So set it to (45*60*1000)
But I don't think there's much of a practical difference between these.
On 26.8.2011, at 12.07, Alex wrote:
> 3 minutes! I think that's too long, how can I drop that down to about 45
> seconds?
>
>
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>> On 26.8.2011, at 10.25, Alex wrote:
>>
>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth
>>> attacked. What I have noticed is that once connected to a pop3/imap login
>>> session, you can send endless incorrect usernames+passwords attempts. This
>>> is a problem for me... I use fail2ban to try and stop these script kiddies.
>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>> however, since it's an "established" session, the attacker can keep authing
>>> away... It's only on a subsequent (new) connection that the firewalling
>>> will take effect.
>>
>> Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).
>
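Added example, not Dovecot's code or the patch mentioned in the thread: a per-connection login state tracker that models the two limits discussed above, the existing unauthenticated-connection timeout (3 minutes by default, per Timo's reply) and the proposed cap on failed authentication attempts. The struct, function names and MAX_AUTH_FAILURES value are assumptions; the point is that once a cap is in place, the attacker is forced to reconnect, so a firewall rule added by fail2ban takes effect after a bounded number of attempts instead of never.

```c
#include <stdbool.h>
#include <time.h>

#define LOGIN_TIMEOUT_SECS  (3 * 60)  /* default quoted in the thread */
#define MAX_AUTH_FAILURES   3         /* hypothetical per-connection cap */

/* Hypothetical per-connection state (not a Dovecot structure). */
struct login_conn {
    time_t   connected_at;   /* when the session was accepted */
    unsigned auth_failures;  /* failed attempts on this connection */
    bool     authenticated;
};

void login_conn_init(struct login_conn *c, time_t now) {
    c->connected_at = now;
    c->auth_failures = 0;
    c->authenticated = false;
}

/* Returns true if the connection must be dropped now. Meant to be called
 * after every authentication result and from a periodic timeout check. */
bool login_conn_should_drop(const struct login_conn *c, time_t now) {
    if (c->authenticated)
        return false;
    /* Existing behaviour: unauthenticated connections time out. */
    if (now - c->connected_at >= LOGIN_TIMEOUT_SECS)
        return true;
    /* Proposed behaviour: cap failed attempts per connection, so a
     * banned source address cannot keep trying on an established session. */
    return c->auth_failures >= MAX_AUTH_FAILURES;
}

/* Records one authentication result; returns true if the connection
 * should be dropped as a consequence. */
bool login_conn_record_auth(struct login_conn *c, bool ok, time_t now) {
    if (ok)
        c->authenticated = true;
    else
        c->auth_failures++;
    return login_conn_should_drop(c, now);
}
```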