On 10-03-04 20:22:15, Frank Cusack wrote:
> On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
> > Looking at the source, I see that there are no options. It tarpits
> > a bit, but currently has no limit on the number of attempts. I'll
> > see what I can do.
>
> I think it's a brilliant idea. After one login attempt, all others
> on the same connection should fail.

A fan! Anyway, there should at least be a choice. Not that I've coded
a choice, just a dumb patch -- see attachment. It's a bit of a
compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it
to 2.
--
____________________________________________________________________
TonyN.:' <mailto:[email protected]>
' <http://www.georgeanelson.com/>
--- dovecot-1.2.10/src/pop3-login/client-authenticate.c.limitauth 2010-01-24 18:14:17.000000000 -0500
+++ dovecot-1.2.10/src/pop3-login/client-authenticate.c 2010-03-04 23:08:07.000000000 -0500
@@ -21,6 +21,7 @@
#define POP3_SERVICE_NAME "pop3"
#define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000
+#define AUTH_ATTEMPT_LIMIT 3
const char *capability_string = POP3_CAPABILITY_REPLY;
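Review bot: AUTH_ATTEMPT_LIMIT is defined as 3, but both checks later in the patch compare with `>`, so the connection is dropped only once auth_attempts exceeds 3, which does not match what the name suggests. Either set the constant to the intended number of attempts and compare with `>=`, or add a comment on the define saying it is the number of failures tolerated before disconnect.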
@@ -244,8 +245,12 @@
case SASL_SERVER_REPLY_AUTH_FAILED:
case SASL_SERVER_REPLY_AUTH_ABORTED:
if (args != NULL) {
- if (client_handle_args(client, args, FALSE, &nodelay))
+ if (client_handle_args(client, args, FALSE, &nodelay)) {
+ /*GAN 04Mar10 restrict auth attempts */
+ if (client->common.auth_attempts > AUTH_ATTEMPT_LIMIT)
+ client_destroy(client, "Too many auth attempts.");
break;
+ }
}
if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
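Review bot: the new check inside the client_handle_args() branch reads client->common.auth_attempts without the `!client->destroyed` guard that the same check sits under in the next hunk. If client_handle_args() can destroy the client before returning true, this touches a destroyed client, so guard it the same way. The three added lines are duplicated verbatim in both hunks; a small helper would keep the two failure paths in step.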
@@ -256,8 +261,12 @@
msg = t_strconcat("-ERR ", data, NULL);
client_send_line(client, msg);
- if (!client->destroyed)
+ if (!client->destroyed) {
+ /*GAN 04Mar10 restrict auth attempts */
+ if (client->common.auth_attempts > AUTH_ATTEMPT_LIMIT)
+ client_destroy(client, "Too many auth attempts.");
client_auth_failed(client, nodelay);
+ }
break;
case SASL_SERVER_REPLY_MASTER_FAILED:
if (data == NULL)
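Review bot: in the `!client->destroyed` block, after client_destroy(client, "Too many auth attempts.") control falls through to client_auth_failed(client, nodelay) on the client that was just destroyed. Put the client_auth_failed() call in an `else` so it runs only when the limit has not been reached.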