On Mon, 13 Jun 2011, Timo Sirainen wrote:
> With v2.0 it was already limiting. It increased each login failure delay
> to 15 seconds before the failure was reported. Although maybe something
> wasn't working correctly, because 50k hits is more than I think should
> have been possible. Assuming you have default_process_limit=100
> (default), there should have been a maximum of 20k attempts (100
> processes / 15 seconds * 60*50 seconds).
I've also seen the reported type of dictionary attacks. Login failure
delay doesn't really help much for those... they just open numerous new
connections and only try 1 username/password on each connection. On one
server, that got me loads of messages like these in my logs:
Feb 13 00:40:46 poseidon kernel: TCP: drop open request from 64.73.242.138/1536
and
Feb 13 00:44:07 poseidon kernel: NET: 220 messages suppressed.
After being firewalled, it kept hammering on the pop3 port for 90 more
seconds, after which it probably found another door to hammer.
Although I wouldn't really mind if dovecot could be set up to handle this
"gracefully", I'd say this is a more generic problem that is better
solved at network level than within dovecot. (So it can be used for other
services as well.)
--
Maarten
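An added example, not from this thread or from the Dovecot project, of what the "one username/password per connection" pattern looks like when you count it from the login logs, and why a per-connection failure delay does not slow it down: the detector below keys on failed-auth disconnects per source IP rather than on attempts per connection, and emits the kind of per-source firewall rule Maarten describes. The log lines are constructed for this example in the shape of Dovecot 2.x pop3-login "Disconnected (auth failed, N attempts ...)" records with a rip= field; the hostname, IP addresses, thresholds, the 2011 year (syslog lines carry none) and the iptables syntax are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape: Dovecot 2.x pop3-login/imap-login "Disconnected (auth failed, N attempts ...)"
# records carrying a rip= (remote IP) field. Nothing else (kernel messages etc.) is parsed.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts?[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9.]+)"
)

ATTACKER = "203.0.113.7"   # constructed: one guess per connection, a fresh connection every 3 seconds
LEGIT = "198.51.100.5"     # constructed: one connection, a real user mistyping their password
SAMPLE_LOG = [
    f"Feb 13 00:40:{sec:02d} mailhost dovecot: pop3-login: Disconnected (auth failed, 1 attempts "
    f"in 2 secs): user=<{user}>, method=PLAIN, rip={ATTACKER}, lip=192.0.2.10"
    for sec, user in zip(range(0, 36, 3), ["admin", "test", "info", "sales", "john", "mary",
                                           "webmaster", "postmaster", "support", "root", "guest", "user"])
] + [
    "Feb 13 00:41:10 mailhost dovecot: pop3-login: Disconnected (auth failed, 3 attempts "
    f"in 40 secs): user=<alice>, method=PLAIN, rip={LEGIT}, lip=192.0.2.10",
]


def parse_line(line, year=2011):
    """Return a dict for a failed-login disconnect line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumed 2011 here)."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "raw_ts": m["ts"],
        "service": m["svc"],
        "attempts": int(m["attempts"]),
        "user": m["user"],
        "rip": m["rip"],
    }


def attempts_per_connection(lines):
    """Average password attempts per failed connection, per source IP.
    A value at or near 1.0 is the one-guess-per-connection pattern: a delay that grows
    with failures *within* a connection never gets past its first step against it."""
    conns = defaultdict(int)
    attempts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev:
            conns[ev["rip"]] += 1
            attempts[ev["rip"]] += ev["attempts"]
    return {rip: attempts[rip] / conns[rip] for rip in conns}


def find_connection_floods(lines, window_seconds=60, max_failed_conns=10):
    """Sliding-window count of failed-auth *connections* per source IP, which is the
    quantity the per-connection delay does not limit. Returns {rip: timestamp string of
    the line that crossed the threshold}. Lines are assumed to be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["rip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failed_conns and ev["rip"] not in flagged:
            flagged[ev["rip"]] = ev["raw_ts"]
    return flagged


def drop_rules(flagged, port=110):
    """Per-source firewall rules for the flagged IPs at the pop3 port (assumes an iptables host)."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {rip} -j DROP" for rip in sorted(flagged)]


if __name__ == "__main__":
    print(attempts_per_connection(SAMPLE_LOG))
    for rule in drop_rules(find_connection_floods(SAMPLE_LOG)):
        print(rule)
```

On the constructed log the attacker averages exactly one attempt per connection and crosses the ten-connections-per-minute threshold on its eleventh connection, while the legitimate user (three attempts on a single connection) is never flagged. Reacting to the log is the after-the-fact form of the network-level fix; the proactive form is a per-source new-connection rate limit on the port itself (for example an iptables hashlimit rule keyed on srcip), which also covers the other services Maarten mentions.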