Hi,

Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
style option that would put in an artificial delay after a failed
password attempt?

As it stands now, Dovecot seems highly vulnerable to widescale
brute-force password dictionary scans.

Even if it's not configurable, can a delay be hardcoded to something
like, say, 10 or 15 seconds?

--
Dean Brooks
dean at iglou.com
On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> Hi,
>
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?
>
> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.
>
> Even if it's not configurable, can a delay be hardcoded to something
> like, say, 10 or 15 seconds?

Failed auth requests are put to a queue that's flushed every 2 seconds.
So there is already a delay. I don't think it's a good idea to increase
it up from 2 seconds, it just gets annoying when you type the wrong
password accidentally.

Although I suppose I could change the code so that it always waits 2
seconds instead of flushing all of them.
On Tue, 1 Jan 2008, Timo Sirainen wrote:
> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
>> Hi,
>>
>> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
>> style option that would put in an artificial delay after a failed
>> password attempt?
>>
>> As it stands now, Dovecot seems highly vulnerable to widescale
>> brute-force password dictionary scans.
>>
>> Even if it's not configurable, can a delay be hardcoded to something
>> like, say, 10 or 15 seconds?
>
> Failed auth requests are put to a queue that's flushed every 2 seconds.
> So there is already a delay. I don't think it's a good idea to increase
> it up from 2 seconds, it just gets annoying when you type the wrong
> password accidentally.

I'd think the increase in effort required for a dictionary attack would
outweigh the infrequent inconvenience to valid users.

> Although I suppose I could change the code so that it always waits 2
> seconds instead of flushing all of them.

Any reason that '2 seconds' couldn't be configurable (with a default of
2)? In my situation, I'm the only user of my system, and I use
reasonably secure passwords, so brute-force doesn't really scare me. As
a sysadmin at an ISP or company with (too-)lenient password
requirements, on the other hand, it'd be nice to slow an attack by a
larger factor.

Best,
Ben
On Tue, Jan 01, 2008 at 11:22:31PM +0200, Timo Sirainen wrote:
> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> > Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> > style option that would put in an artificial delay after a failed
> > password attempt?
> >
> > As it stands now, Dovecot seems highly vulnerable to widescale
> > brute-force password dictionary scans.
> >
> > Even if it's not configurable, can a delay be hardcoded to something
> > like, say, 10 or 15 seconds?
>
> Failed auth requests are put to a queue that's flushed every 2 seconds.
> So there is already a delay. I don't think it's a good idea to increase
> it up from 2 seconds, it just gets annoying when you type the wrong
> password accidentally.

I think the majority of Dovecot users would propose that 2 seconds is
much too short, and that the annoyance of an occasional rare wrong
password is of little concern given the high number of dictionary
attacks occurring nowadays.

This *really* needs to be configurable. For our site, I would probably
set the delay to 15 seconds. Others might want it at the very low 2
seconds like you suggest.

I suppose I could spend the development time to do this and then post
my patch on the Wiki for everyone who needs it, but it seems like this
would be better done in the official sources instead of requiring
everyone to download a one-off patch.

--
Dean Brooks
dean at iglou.com
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?

> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.

> Even if it's not configurable, can a delay be hardcoded to something
> like, say, 10 or 15 seconds?

> --
> Dean Brooks
> dean at iglou.com

I recently installed an application called Fail2Ban
(http://www.fail2ban.org), which scans log files and filters out failed
login attempts. If a configurable number of failed attempts from the
same IP is found, the IP is blocked out via iptables or hosts.deny for
some time (default 10 minutes). Works pretty well for SSH, though I'm
still waiting for the first attempt on my IMAP or SMTP ports ;-)

So instead of letting a brute force attack continue at a slower pace,
Fail2Ban locks out the attacking system for some time, while a
legitimate user can mistype his password at least once or twice without
penalty. If he continues to mistype his password, he probably deserves
to wait ;-)

If anyone wants to try it, a working fail2ban-regex for dovecot 1.05
and mysql is:

failregex = Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
            Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user

Frank
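As an added illustration of the Fail2Ban approach Frank describes (example code, not part of the thread and not Fail2Ban's own implementation), the script below expands the posted failregex lines the way fail2ban expands `<HOST>`, runs them over constructed Dovecot log lines, and applies a maxretry/findtime sliding window to decide which hosts would be banned. The log lines, the IPv4-only host pattern and the window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two failregex lines posted in the thread (Dovecot 1.0.5 with a MySQL passdb).
FAILREGEX = [
    r"Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch",
    r"Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
]

# fail2ban replaces <HOST> with a named capture group; an IPv4 literal is
# enough for this sample (assumption: no IPv6 or hostnames in the log).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in FAILREGEX]

# Constructed sample log in Dovecot's own log-file format (not taken from the thread).
SAMPLE_LOG = """\
2008-01-01 22:00:01 Info: auth-worker(default): sql(alice,203.0.113.7): Password mismatch
2008-01-01 22:00:02 Info: auth-worker(default): sql(root,203.0.113.7): unknown user
2008-01-01 22:00:03 Info: auth-worker(default): sql(admin,203.0.113.7): unknown user
2008-01-01 22:00:09 Info: auth-worker(default): sql(bob,198.51.100.2): Password mismatch
2008-01-01 22:00:10 Info: auth-worker(default): sql(bob,198.51.100.2): Password mismatch
2008-01-01 22:00:11 Info: auth-worker(default): sql(bob,198.51.100.2): Password mismatch
2008-01-01 22:00:11 Info: auth-worker(default): sql(carol,192.0.2.10): Password mismatch
2008-01-01 22:00:12 Info: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.10
2008-01-01 22:30:00 Info: auth-worker(default): sql(bob,198.51.100.2): Password mismatch
"""


def parse_failure(line):
    """Return (timestamp, host) when a line matches one of the failregex patterns, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None


def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban a host once maxretry failures fall inside findtime.

    Returns {host: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(list)   # host -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue             # already banned; fail2ban would have dropped its packets
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} (third failure at {when})")
```

Two mistyped passwords from 192.0.2.10 never reach the threshold, while the dictionary-style runs from the other two hosts are banned on their third failure; the later 22:30 attempt is outside findtime and would start a fresh count if the host were not already banned.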
On 1 Jan 2008, at 21:22, Timo Sirainen wrote:
> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
>> Hi,
>>
>> Is there a way, or can a way be added, to add an
>> "auth_failed_delay=10s"
>> style option that would put in an artificial delay after a failed
>> password attempt?
>>
>> As it stands now, Dovecot seems highly vulnerable to widescale
>> brute-force password dictionary scans.
>>
>> Even if it's not configurable, can a delay be hardcoded to something
>> like, say, 10 or 15 seconds?
>
> Failed auth requests are put to a queue that's flushed every 2
> seconds.
> So there is already a delay. I don't think it's a good idea to
> increase
> it up from 2 seconds, it just gets annoying when you type the wrong
> password accidentally.
>
> Although I suppose I could change the code so that it always waits 2
> seconds instead of flushing all of them.

Actually, a better method which would not inconvenience real users is
to have an accumulative delay, i.e. the first error has a 1 second
delay, the second 2 seconds, the third 4 seconds and so on. This should
tar-pit any brute force attack, at least until the script kiddies just
blast the server with a huge number of new connections to do the job.

Steve
---------------------------------------------------------------------------
Computer Systems Administrator,         E-Mail:- steve at earth.ox.ac.uk
Department of Earth Sciences,           Tel:-    +44 (0)1865 282110
University of Oxford, Parks Road,       Fax:-    +44 (0)1865 272072
Oxford, UK.
On Tue, 1 Jan 2008, Dean Brooks wrote:
> Hi,
>
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?
>
> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.

But not if you secure access to Dovecot using e.g. fail2ban. Why is
adding complexity to Dovecot better than using a dedicated tool?

--
Asheesh.

--
Kites rise highest against the wind -- not with it.
-- Winston Churchill