Hi,

On Thu, 30 Dec 2021 17:00:57 +0100 Nicolas JEAN via mailop <mailop@mailop.org> wrote:
> So I really want dovecot to know the originating IP for the _first_
> login attempt.

I tried the proposed patch and it works, which means the remote IP is set from the first (login) request. That is indeed the best solution.

> Brute-force protection can also be achieved by fail2ban, as mentioned
> by others.

Brute-forcing from ONE host only; for distributed and/or slow attempts it is useless. But stopping password-guessing attempts is only part of the defense, as a password can be obtained in other ways too.

> In such cases of fail2ban bypassing, having a second banning
> mechanism can bring additional security, or peace of mind -- at least
> it does for me.

Moving protection from the end apps to a central auth service has many advantages. They include the two most important things:

+ one can define rules in one place and not care what the end apps support or do not support
+ one can count attempts against different services in one place

That is exactly the job of dovecot's auth policy daemon, which can do a lot of things, not only IP-based, but it can also work with user/password (hash) and distinguish between successful, policy-rejected and failed logins. The only part which is missing for me is that the current dovecot implementation cannot distinguish between a non-existent user and a failed password, but it is not a big problem.

My policy daemon can not only block logins from bad hosts, but it can e.g. blacklist a user when successful logins come from many different IPs, which can indicate a leaked password and thus minimize the damage.

regards

-- 
Slavko
https://www.slavino.sk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
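The two rules Slavko describes (ban an address after too many wrong passwords, blacklist a user whose successful logins arrive from too many different addresses, and never count policy rejections as password failures) fit in a small HTTP policy server. The following is an added example, not Slavko's daemon and not code from the Dovecot project. It assumes the shape of Dovecot's auth policy requests as I know it: a pre-authentication lookup carrying "login" and "remote" (the remote IP, which is why the fix for the first login attempt matters) but no "success" field, and a post-authentication report that adds the booleans "success" and "policy_reject"; a reply of {"status": 0} allows and {"status": -1} rejects. The thresholds, window and listen address are hypothetical.

```python
import json
import time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical thresholds; tune them for your site.
MAX_FAILURES_PER_IP = 10          # wrong passwords from one address in the window
MAX_DISTINCT_IPS_PER_USER = 5     # successful logins from more addresses than this
WINDOW_SECONDS = 3600             # sliding window for both counters


class PolicyState:
    """Counters behind the policy decisions; `now` is injectable for tests."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(list)     # remote ip -> timestamps of wrong passwords
        self.success_ips = defaultdict(dict)  # login -> {remote ip: last successful login}
        self.blocked_users = set()

    def _recent(self, timestamps):
        cutoff = self.now() - WINDOW_SECONDS
        return [t for t in timestamps if t >= cutoff]

    def decide(self, req):
        """Return the JSON reply for one policy request.

        Assumed request shape: the pre-auth lookup carries "login" and
        "remote" but no "success"; the post-auth report adds the booleans
        "success" and "policy_reject".  Reply: status 0 allows, -1 rejects.
        """
        login = req.get("login", "")
        remote = req.get("remote", "")

        if "success" not in req:
            # Pre-authentication lookup: only decide, do not count anything.
            if login in self.blocked_users:
                return {"status": -1, "msg": "user blocked: logins from too many addresses"}
            recent = self._recent(self.failures[remote])
            self.failures[remote] = recent
            if len(recent) >= MAX_FAILURES_PER_IP:
                return {"status": -1, "msg": "too many failed logins from this address"}
            return {"status": 0, "msg": "ok"}

        # Post-authentication report: update the counters.
        if req["success"]:
            ips = self.success_ips[login]
            ips[remote] = self.now()
            cutoff = self.now() - WINDOW_SECONDS
            for ip in [ip for ip, seen in ips.items() if seen < cutoff]:
                del ips[ip]
            if len(ips) > MAX_DISTINCT_IPS_PER_USER:
                # Many source addresses in a short time suggests a leaked
                # password: stop further logins for this user.
                self.blocked_users.add(login)
        elif not req.get("policy_reject", False):
            # A genuine wrong password.  Rejections caused by this policy
            # itself are not counted, or a banned address could never recover.
            self.failures[remote].append(self.now())
        return {"status": 0, "msg": "ok"}


STATE = PolicyState()


class PolicyHandler(BaseHTTPRequestHandler):
    """HTTP endpoint that Dovecot posts its policy requests to."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            req = json.loads(self.rfile.read(length))
            reply = STATE.decide(req)
        except (ValueError, AttributeError, TypeError):
            reply = {"status": -1, "msg": "malformed policy request"}  # fail closed
        body = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Hypothetical listen address; point auth_policy_server_url at it.
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

Because the counters are keyed on what Dovecot reports rather than on a per-service log file, IMAP, POP3 and SMTP submission attempts against the same address or user land in the same bucket, which is the "count attempts in one place" advantage from the mail. The user blacklist is deliberately sticky within the process: once a user is blocked, an operator should look at the account rather than have the ban silently expire.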