Slightly advanced, but note that you CAN block in-progress connections
using iptables.
What is happening is that the usual top (ish) rule in your iptables
script says something like "continue if connection established"; this
can be seen as a performance optimisation to avoid running your full
Hi Guys,
Running Dovecot 2 on my server. It is regularly getting dictionary auth
attacked. What I have noticed is that once connected to a pop3/imap
login session, you can send endless incorrect usernames+passwords
attempts. This is a problem for me... I use fail2ban to try and stop
these
On 26.08.2011 09:25, Alex wrote:
Hi Guys,
Running Dovecot 2 on my server. It is regularly getting dictionary auth
attacked. What I have noticed is that once connected to a pop3/imap
login session, you can send endless incorrect usernames+passwords
attempts. This is a problem for me... I
- Reply message -
From: Robert Schetterer rob...@schetterer.org
Date: Fri, Aug 26, 2011 17:59
Subject: [Dovecot] limiting number of incorrect logins per connection
To: dovecot@dovecot.org
On 26.08.2011 09:25, Alex wrote:
Hi Guys,
Running Dovecot 2 on my server. It is regularly getting dictionary auth
On 26.8.2011, at 10.25, Alex wrote:
Running Dovecot 2 on my server. It is regularly getting dictionary auth
attacked. What I have noticed is that once connected to a pop3/imap login
session, you can send endless incorrect usernames+passwords attempts. This is
a problem for me... I use
3 minutes! I think that's too long, how can I drop that down to about
45 seconds?
On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
On 26.8.2011, at 10.25, Alex wrote:
Running Dovecot 2 on my server. It is regularly getting dictionary
auth attacked. What I have noticed is that once
I am happy to recompile if there is no config option. I gather it's in
the src/auth dir somewhere in one of the C source files. Just need to be
pointed in the right dir.
On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:
3 minutes! I think that's too long, how can I drop that down to about
45
Alex, I've not personally done it (so just speculating here, bear with me)
but you can customize Fail2Ban's actions if needed. So, if you can match the
attempts through some regex (and since you're seeing them in the logs, that
should be quite possible), then you can edit one of the 'actions' to
Yeah, I had read about half of that thread, and after I sent my mail kept
reading and stumbled upon this: (...) using the recent module needs
dovecot to close the connection upon authentication failure, as iptables only
(normally) comes into play for new connections (...).
So, yeah, my suggestion
fail2ban will work as soon as dovecot has closed a non-authenticated
connection: 3 mins = 180 sec
If the tarpit delay for auth failures in a connection is set to 15s (which
seems to be the default unless I misunderstood), this lets an
attacker only 12 tries (at most) before the IP gets blacklisted by
On Fri, Aug 26, 2011 at 10:14 AM, Alexandre Chapellon a.chapel...@horoa.net
wrote:
fail2ban will work as soon as dovecot has closed a non-authenticated
connection: 3 mins = 180 sec
If the tarpit delay for auth failures in a connection is set to 15s (which
seems to be the default unless I
On 26.8.2011, at 18.27, Allan Cassaro wrote:
What if you substitute (create a wrapper for) the imap-login binary with a script?
The script can create a failed-attempt/IP file in the home dir and return ok
or not to the dovecot main process based on this information.
imap-login is typically chrooted and
login-common/client-common.h :
#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)
So set it to (45*60*1000)
But I don't think there's much of a practical difference between these.
On 26.8.2011, at 12.07, Alex wrote:
3 minutes! I think that's too long, how can I drop that
mentioned, I see
someone devised a small patch in C to add this functionality. It didn't look
like a lot of code to do it. What are your thoughts?
- Reply message -
From: Timo Sirainen t...@iki.fi
Date: Sat, Aug 27, 2011 02:30
Subject: [Dovecot] limiting number of incorrect logins per