Re: Dovecot configuration issues for IMAP/POP3 (squeeze)

On 18/11/2012 16:34, David Guntner wrote:
> Thanks to those who pointed me in that direction, I've now got
> Dovecot running on my test system.  However, I've got some issues
> that I'm hoping someone here can help out with.  I did a bunch of
> googling to find some of what I needed, but I'm not sure how to
> adjust things at this point (and some stuff I couldn't find).
> For anti-abuse purposes on a number of services, I use fail2ban,
> which needs to read from log files.  So far, so good.
> I've discovered, somewhat to my dismay, that Dovecot will just sit
> there and cheerfully let you keep making attempts to login - even
> after I had put in 7 bad entries, it still left the connection open
> to keep on trying.  That really doesn't help legitimate mail
> programs that had a bad password put in by mistake, but it does
> help scripts/bots that are trying a brute-force attack.  So for
> part one of my current problem, is there an option that can be put
> into the config file to tell it to disconnect after {x} bad login
> attempts?

See http://wiki.dovecot.org/MainConfig

The value is doubled after every bad attempt (from a given IP), until
a limit is reached (15 seconds).

> Part 2 of my current problem has to do with the actual logging of
> the bad login attempts.  It wasn't doing it at first, but then I
> did find the auth_verbose option to allow for the logging of bad
> attempts.  I turned that on - and to my dismay, found that the log
> entry it produces is pretty much useless for something that
> fail2ban can hook into.  If you login successfully or log out
> yourself after bad attempts, it says "imap-login" or "pop3-login"
> (which *would* be something that fail2ban can use).  However, with
> auth_verbose=yes, the bad attempts are all prefaced with
> "auth-worker(default)" for either type of connection. This is
> useless for fail2ban purposes, for reasons which should be pretty
> obvious. :-)  So - is there a way to get auth_verbose to show which
> service (IMAP/POP3) is being accessed?

Why care? Why not consider that {pop3+imap} is a single service group?
After all, they're using the same logins/passwords, no?
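
An added example, not part of the original thread: a Python sketch of the "single service group" approach, counting failed logins per source IP from the `auth-worker(default)` lines without regard to IMAP or POP3. The log line layout, the sample addresses and the `offenders` helper are assumptions constructed for illustration (`maxretry` and `findtime` mirror the fail2ban option names); check the pattern against your own mail log before reusing it in a fail2ban filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the auth-worker layout is an assumption, compare with your mail.log.
SAMPLE_LOG = """\
Nov 18 16:40:01 mail dovecot: auth-worker(default): pam(david,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 18 16:40:09 mail dovecot: auth-worker(default): pam(david,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 18 16:40:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.1
Nov 18 16:40:20 mail dovecot: auth-worker(default): pam(root,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 18 16:55:00 mail dovecot: auth-worker(default): pam(alice,198.51.100.7): pam_authenticate() failed: Authentication failure (password mismatch?)
"""

# One pattern for both protocols: the source IP is inside the passdb(user,ip) part,
# so the missing imap-login/pop3-login prefix does not matter for banning.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(default\): "
    r"\w+\((?P<user>[^,]*),(?P<host>[0-9A-Fa-f.:]+)\): .*(?:failed|mismatch|unknown user)"
)

def offenders(log_text, maxretry=3, findtime=600, year=2012):
    """Return IPs with >= maxretry failures inside any findtime-second window."""
    window = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied explicitly
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = window[m["host"]]
        hits.append(when)
        # drop failures that fell out of the sliding window
        while when - hits[0] > timedelta(seconds=findtime):
            hits.popleft()
        if len(hits) >= maxretry:
            flagged.add(m["host"])
    return sorted(flagged)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

An address flagged this way would then be blocked on the IMAP and POP3 ports together, since both share the same credentials.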

