On 2007 Dec 20 (Thu) at 15:51:02 -0500 (-0500), Benjamin R. Haskell wrote:
> On Thu, 20 Dec 2007, Ben Cadieux wrote:
>
>> Hi Everyone,
>>
>> Before I begin, I'd just like to mention: I love dovecot. Thank you :)
>>
>> Anyway, today I had 8000 login attempts to my dovecot server in an
>> hour before blocking the IP with my firewall.
>>
>> After googling, I didn't see very much discussion on the topic. There
>> was some mention of blocksshd which was supposed to support dovecot in
>> the next release (but doesn't appear to) and also fail2ban. While a
>> script that parses logfiles will work, I'm not sure that this is the
>> best way to go about handling repeated authentication failure.
>>
>> Would it not be best built into dovecot? [...]
>>
>
> I'd vote "no", with the caveat that I don't use any of these tools.
>
> Parsing logfiles might make it more brittle, but it also allows the tool to
> protect many services in a generic way. I don't want to have to protect
> against DOS or dictionary attacks for Apache, VSFTP, dovecot, sshd,
> PostgreSQL, and whatever else in different config files. It'd be best to
> handle that one layer up. Doing it outside of dovecot even allows
> correlations to be made (e.g. ban sooner if the same IP is trying to break
> both SSH and FTP). Don't know if the tools *do* this, but still.
>
> That's my 2¢,
> Ben Haskell

Except for the part where they stay connected forever, and keep retrying
logins. One tcp connection, so nothing for the network level to look for.

--
The United States is like the guy at the party who gives cocaine to
everybody and still nobody likes him. -- Jim Samuels
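
Added example, not part of the original thread and not dovecot or fail2ban code: the reply's point, run over constructed log lines in a simplified, made-up format (not dovecot's real log format). A per-IP connection count sees a single connection from the retrying client, while counting authentication failures in a sliding window flags it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format for illustration only (an assumption,
# not dovecot's real format): "<ISO timestamp> <event> rip=<remote ip>".
LINE_RE = re.compile(r"^(\S+) (connect|auth-failed) rip=(\S+)")

def make_sample():
    """Constructed input: one client retrying 8 logins on one connection,
    plus one ordinary user who mistypes a password once."""
    base = datetime(2007, 12, 20, 15, 0, 0)
    lines = [f"{base.isoformat()} connect rip=203.0.113.7"]
    for i in range(1, 9):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} auth-failed rip=203.0.113.7")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} connect rip=198.51.100.20")
    lines.append(f"{(base + timedelta(seconds=6)).isoformat()} auth-failed rip=198.51.100.20")
    return sorted(lines)  # ISO timestamps sort chronologically

def connections_per_ip(lines):
    """What a connection-rate limit at the network level gets to count."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == "connect":
            counts[m.group(3)] += 1
    return dict(counts)

def failure_offenders(lines, max_failures=5, window=timedelta(seconds=60)):
    """IPs with more than max_failures auth failures inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) != "auth-failed":
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(3)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    sample = make_sample()
    print("connections per IP:", connections_per_ip(sample))
    print("flagged on auth failures:", failure_offenders(sample))
```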