On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
Hello,
is it possible to limit the number of pop3 (or imap) login attempts
from one IP with dovecot to stop attackers? We recently had an attack
from one IP-address lasting 50 minutes that tried 50000 pop3-logins
with guessed users and passwords. I know about Fail2Ban but really
would prefer an easy to configure solution inside of dovecot. Dovecot
has this anvil daemon, can it be used for that purpose?
We use dovecot version 2.0.12 under Solaris 10, the pop3-login part of
the configuration looking like that:
With v2.0 it was already limiting. It increased each login failure delay
to 15 seconds before the failure was reported. Although maybe something
wasn't working correctly, because 50k hits is more than I think should
have been possible. Assuming you have default_process_limit=100
(default), there should have been a maximum of 20k attempts (100
processes / 15 seconds * 60*50 seconds).
Hmm. Maybe instead of simply increasing the failure delay, the IP could
be disconnected immediately?
We had set default_process_limit=2000. I think this was necessary
during testing the high-security mode and I forgot to set it back to
100 again after switching back to high-performance mode
(http://wiki2.dovecot.org/LoginProcess). But even 20k attempts in 50
minutes (or 6 per second) would have been too much for one real person.
The attack would have taken about 2 hours instead of nearly one.
I admit that fail2ban can stop this attack, but we have Solaris and
not Linux and therefore the actions fail2ban wants to start are not
available.
Greetings, Juergen
--
Hochschulrechenzentrum der | Mail: [email protected]
Justus-Liebig-Universitaet | WWW: http://www.uni-giessen.de/obermann/
Heinrich-Buff-Ring 44 | Tel: 0641-99-13054 (0641-99-13001)
D-35392 Giessen, Germany | Fax: 0641-99-13009
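
The per-IP counting that the thread asks for can be done on the log side without fail2ban's Linux-specific actions. The following is an added example, not code from the thread or from Dovecot: it assumes login-process log lines shaped like `pop3-login: Disconnected (auth failed, 1 attempts): user=<...>, method=PLAIN, rip=...`, and the threshold, window and sample addresses are hypothetical. It only reports addresses; the blocking step is left to whatever packet filter the host uses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed to resemble Dovecot login-process output):
#   Jun 10 09:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<a>, method=PLAIN, rip=192.0.2.7, lip=...
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?(?:pop3|imap)-login: .*"
    r"auth failed, (?P<n>\d+) attempts\b.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def find_offenders(lines, max_failures=20, window=timedelta(minutes=5), year=2011):
    """Return {ip: time its sliding-window failure count first exceeded max_failures}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rip"]]
        q.extend([ts] * int(m["n"]))      # one line may report several attempts
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and m["rip"] not in offenders:
            offenders[m["rip"]] = ts
    return offenders

def sample_log():
    """Constructed sample: one address failing 6 times a second, one user mistyping twice."""
    fmt = ("Jun 10 09:00:{:02d} mail dovecot: pop3-login: Disconnected "
           "(auth failed, 1 attempts): user=<u{}>, method=PLAIN, rip={}, lip=192.0.2.1")
    lines = [fmt.format(i // 6, i, "192.0.2.7") for i in range(60)]
    lines += [fmt.format(s, "alice", "198.51.100.23") for s in (5, 40)]
    return lines

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{when:%H:%M:%S} {ip} exceeded the failed-login threshold")
```

At the 6 attempts per second mentioned above, a threshold of 20 failures is crossed within four seconds, while the user with two mistyped passwords is never reported.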