Thanks for that. I will change it and recompile. Sorry for the grumpiness yesterday in my posts. Was having a bad day. Is there any chance of there being an option on future versions that allows a number of failed auth attempts to be specified before dropping the connection? The other thread you mentioned, I see someone devised a small patch in C to add this functionality. It didn't look like a lot of code to do it. What are your thoughts?

----- Reply message -----
From: "Timo Sirainen" <t...@iki.fi>
Date: Sat, Aug 27, 2011 02:30
Subject: [Dovecot] limiting number of incorrect logins per connection
To: "Alex" <a...@ahhyes.net>
Cc: <dovecot@dovecot.org>

login-common/client-common.h :

#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)

So set it to (45*60*1000)

But I don't think there's much of a practical difference between these.

On 26.8.2011, at 12.07, Alex wrote:

> 3 minutes! I think that's too long, how can I drop that down to about 45
> seconds?
>
>
> On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:
>> On 26.8.2011, at 10.25, Alex wrote:
>>
>>> Running Dovecot 2 on my server. It is regularly getting dictionary auth
>>> attacked. What I have noticed is that once connected to a pop3/imap login
>>> session, you can send endless incorrect usernames+passwords attempts. This
>>> is a problem for me... I use fail2ban to try and stop these script kiddies.
>>> The problem is that fail2ban detects the bad auths, firewalls the IP,
>>> however, since it's an "established" session, the attacker can keep authing
>>> away... It's only on a subsequent (new) connection that the firewalling
>>> will take effect.
>>
>> Umm. If client hasn't managed to log in in 3 minutes, it's
>> disconnected (no matter what it does with the connection).
>
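
The per-connection limit asked about in this thread, combined with the fixed login deadline, sketched as an added example. It is not Dovecot's code and not the patch from the other thread; every identifier is hypothetical, and the 3-minute value is the one quoted above.

```c
/* Added illustration; not Dovecot source. All identifiers are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LOGIN_TIMEOUT_MSECS (3 * 60 * 1000) /* 3-minute limit quoted in the thread */

enum login_verdict { LOGIN_CONTINUE, LOGIN_OK, LOGIN_DROP_FAILURES, LOGIN_DROP_TIMEOUT };

struct login_conn {
    uint64_t connected_at_msecs;      /* monotonic time when the socket was accepted */
    unsigned int failed_attempts;     /* bad username/password pairs on this socket */
    unsigned int max_failed_attempts; /* 0 = no per-connection limit, timeout only */
};

void login_conn_init(struct login_conn *c, uint64_t now, unsigned int max_failed)
{
    c->connected_at_msecs = now;
    c->failed_attempts = 0;
    c->max_failed_attempts = max_failed;
}

/* Decide what to do with the connection after one authentication attempt. */
enum login_verdict login_conn_auth_result(struct login_conn *c, uint64_t now, bool auth_ok)
{
    /* The deadline runs from connect time, so traffic cannot extend it. */
    if (now - c->connected_at_msecs >= LOGIN_TIMEOUT_MSECS)
        return LOGIN_DROP_TIMEOUT;
    if (auth_ok)
        return LOGIN_OK;
    c->failed_attempts++;
    if (c->max_failed_attempts != 0 && c->failed_attempts >= c->max_failed_attempts)
        return LOGIN_DROP_FAILURES; /* close the socket; a firewall ban then applies to the reconnect */
    return LOGIN_CONTINUE;
}

int main(void)
{
    struct login_conn c;
    login_conn_init(&c, 0, 3); /* constructed session: limit of 3, one failure per second */
    for (uint64_t t = 1000; ; t += 1000) {
        enum login_verdict v = login_conn_auth_result(&c, t, false);
        printf("t=%llums failed=%u verdict=%d\n", (unsigned long long)t, c.failed_attempts, v);
        if (v != LOGIN_CONTINUE)
            return 0;
    }
}
```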