Hi, using PAM, how can I configure how many attempts a user can make to connect, and if exceeding a certain number, block him for a specified amount of time? Any idea what the defaults are?
On 06/03/2010 12:55 PM Greg Pearson wrote:
> Hi,
> using PAM, how can I configure how many attempts a user can make to
> connect, and if exceeding a certain number, block him for a specified
> amount of time?
>
> Any idea what the defaults are?

You could use fail2ban, see also: http://wiki.dovecot.org/HowTo/Fail2Ban

Regards,
Pascal
--
The trapper recommends today: f007ba11.1015412 at localdomain.org
> You could use fail2ban, see also: http://wiki.dovecot.org/HowTo/Fail2Ban

So I guess the result would be for the login process to become unresponsive, right? I am not sure this would be what I want. The desired behaviour for me would be to reject the connection even if the password becomes correct after several failures. I realise this would not help under DoS scenarios (which I think fail2ban is targeting). I will give it a try, of course, but I was wondering if another approach is possible. Generally speaking, it would be really nice if Dovecot itself had such options.
On 06/03/2010 02:13 PM, Greg Pearson wrote:
> The desired behaviour
> for me would be to reject the connection even if the password becomes
> correct after several failures.

No. This is a bad idea. Anyone can easily DoS you if you go that route.

--
Eray
On 06/03/2010 01:55 PM, Greg Pearson wrote:
> using PAM, how can I configure how many attempts a user can make to
> connect, and if exceeding a certain number, block him for a specified
> amount of time?

man 8 pam_tally
man 8 pam_tally2

> Any idea what the defaults are?

Default is not to block

--
Eray
On 6/3/2010 6:55 AM, Greg Pearson wrote:
> Hi,
> using PAM, how can I configure how many attempts a user can make to
> connect, and if exceeding a certain number, block him for a specified
> amount of time?
>
> Any idea what the defaults are?

If PAM makes a log entry, then fail2ban will do whatever you want. Search "fail2ban pam" on Google after installing fail2ban. Fail2ban requires Python 2.4 or greater, which your system should already have.
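
The log-driven approach suggested in the replies above, as an added example that is not part of the original thread and is not fail2ban's own code: it counts pam_unix failures per source address in a sliding window, so one address is banned while the same account stays usable from elsewhere. The log lines are constructed samples, and the `maxretry`, `findtime` and `bantime` values and the `dovecot` PAM service name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style pam_unix writes to the auth log.
SAMPLE_LOG = """\
Jun  3 13:00:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=192.0.2.44  user=greg
Jun  3 13:00:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=203.0.113.7  user=greg
Jun  3 13:00:20 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=203.0.113.7  user=greg
Jun  3 13:00:41 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=203.0.113.7  user=greg
Jun  3 13:01:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=198.51.100.9  user=greg
Jun  3 13:05:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=192.0.2.44  user=greg
Jun  3 13:16:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=greg rhost=192.0.2.44  user=greg
"""

# Syslog timestamp, then a pam_unix failure for the dovecot service with a source address.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*pam_unix\(dovecot:auth\): "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def find_bans(log_text, maxretry=3, findtime=600, bantime=600, year=2010):
    """Return [(rhost, ban_start, ban_end)]; syslog lines carry no year, so one is assumed."""
    recent = defaultdict(deque)   # rhost -> failure times still inside the window
    banned_until = {}             # rhost -> end of the current ban
    bans = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["rhost"]
        if banned_until.get(host, datetime.min) > ts:
            continue              # already banned, nothing more to count
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime seconds
        if len(window) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[host] = end
            bans.append((host, ts, end))
            window.clear()
    return bans
```

With the sample input only 203.0.113.7 is banned: 198.51.100.9 fails once, and the three failures from 192.0.2.44 never fall inside one `findtime` window.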