On 1 Jan 2008, at 21:22, Timo Sirainen wrote:
> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> > Hi,
> > Is there a way, or can a way be added, to add an
> > "auth_failed_delay=10s"
> > style option that would put in an artificial delay after a failed
> > password attempt?
> > As it stands now, Dovecot seems highly vulnerable to widescale
> > brute-force password dictionary scans.
> > Even if it's not configurable, can a delay be hardcoded to something
> > like, say, 10 or 15 seconds?
>
> Failed auth requests are put into a queue that's flushed every 2
> seconds.
> So there is already a delay. I don't think it's a good idea to
> increase it from 2 seconds; it just gets annoying when you type the
> wrong password accidentally.
> Although I suppose I could change the code so that it always waits 2
> seconds instead of flushing all of them.

Actually, a better method which would not inconvenience real users is
to have an accumulative delay, i.e. the first error has a 1 second
delay, the second 2 seconds, the third 4 seconds and so on. This
should tar-pit any brute force attack, at least until the script
kiddies just blast the server with a huge number of new connections to
do the job.
Steve
---------------------------------------------------------------------------
Computer Systems Administrator, E-Mail:[EMAIL PROTECTED]
Department of Earth Sciences, Tel:- +44 (0)1865 282110
University of Oxford, Parks Road, Oxford, UK. Fax:- +44 (0)1865 272072
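The two delay policies discussed in this thread, as an added simulation that is not Dovecot's own code: the queue that is flushed every 2 seconds (as Timo describes it), and the doubling per-failure delay Steve proposes. The simulation also keys the failure counter either per connection or per source address, to show why opening a fresh connection for every guess defeats per-connection keying; the per-source keying, the 64 second cap, the `attack_cost` helper and the 198.51.100.7 address are assumptions made here for illustration, not anything Dovecot implements.

```python
"""Simulate auth-failure delay policies against a password-guessing client.

Added example, not Dovecot code.  Delays are computed, not slept, so the
whole comparison runs instantly.
"""
from dataclasses import dataclass, field


def queue_flush_delay(fail_time: float, flush_interval: float = 2.0) -> float:
    """Delay a failure sees when failures are queued and the queue is flushed
    every flush_interval seconds: time until the next flush boundary, so
    somewhere in (0, flush_interval] regardless of how many failures came
    before it on this or any other connection."""
    return flush_interval - (fail_time % flush_interval)


@dataclass
class ExponentialTarpit:
    """Per-key failure counter: the n-th failure for a key waits
    base * 2**(n-1) seconds (1, 2, 4, 8 ...), capped at `cap` (assumed value)
    so one key cannot grow a delay without bound."""
    base: float = 1.0
    cap: float = 64.0
    failures: dict = field(default_factory=dict)

    def delay_for(self, key) -> float:
        """Record one more failure for `key` and return the delay to apply."""
        n = self.failures.get(key, 0)
        self.failures[key] = n + 1
        return min(self.base * (2 ** n), self.cap)

    def reset(self, key) -> None:
        """A successful login clears the counter for that key."""
        self.failures.pop(key, None)


def attack_cost(guesses: int, fresh_connection_each_time: bool, key_by: str) -> float:
    """Total seconds a guessing client spends waiting for `guesses` wrong
    passwords under the exponential policy.

    key_by is "connection" (counter lives on the TCP connection and dies with
    it) or "source" (counter keyed on the client address, assumed here).
    """
    tarpit = ExponentialTarpit()
    source_ip = "198.51.100.7"  # constructed address (TEST-NET-2), one attacker
    total = 0.0
    for i in range(guesses):
        conn_id = i if fresh_connection_each_time else 0
        key = conn_id if key_by == "connection" else source_ip
        total += tarpit.delay_for(key)
    return total


def legitimate_user_wait(typos: int) -> float:
    """Wait a real user sees after `typos` mistakes followed by a correct
    password on the same connection; the success resets the counter."""
    tarpit = ExponentialTarpit()
    waited = sum(tarpit.delay_for("user-conn") for _ in range(typos))
    tarpit.reset("user-conn")
    return waited


if __name__ == "__main__":
    print("flush queue, failure at t=0.5s waits", queue_flush_delay(0.5), "s")
    print("10 guesses, one connection, per-connection key:",
          attack_cost(10, False, "connection"), "s")
    print("10 guesses, new connection per guess, per-connection key:",
          attack_cost(10, True, "connection"), "s")
    print("10 guesses, new connection per guess, per-source key:",
          attack_cost(10, True, "source"), "s")
    print("real user with one typo waits", legitimate_user_wait(1), "s")
```

With the counter on the connection, ten guesses on one connection cost 1+2+4+...+64 seconds, but ten guesses on ten fresh connections cost ten seconds, which is Steve's "blast the server with new connections" caveat. Keying the counter on the source address restores the full cost for that client, at the price of state per address and of slowing a whole NAT when one host behind it misbehaves; a real user who mistypes once still waits only one second.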