On Mon, 2007-03-19 at 19:46 -0700, Sean Kamath wrote:
> Earlier today I was hit with 612 login attempts in 7 minutes. They
> ramped up slowly, too. :-)
>
> They quickly hit the file descriptor limit. And then a login server
> spawned and died so quickly that dovecot just died.
>
> My question is, is there a way to throttle the number of login
> connections? I'm doing it in my firewall now, but it would be nice
> to be able to say something like "max-login-attempts: X" before we
> blacklist the IP (for some configurable time).

I think it's just simpler to configure your system to handle such
load. :) Give Dovecot enough file descriptors, or reduce the number of
allowed login processes / connections. See
http://wiki.dovecot.org/LoginProcess

Or are you using PAM? That could also be the problem since it forks new
processes, and authentication cache doesn't work very well with it
either.

http://dovecot.org/tools/imaptest.c is a nice tool to try stress testing
logins. Use it something like:

    imaptest user=dummy password=something clients=100 - select=0

Some people want to limit number of connections coming to one user, so
this kind of blacklisting feature could be implemented at the same time.
Maybe for v2.0 or something..
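
The per-IP limit asked about in the quoted text ("max-login-attempts: X", then a blacklist for a configurable time) can be expressed as a sliding-window counter with a timed ban. This is an added example, not part of the original message and not Dovecot code; the class and function names, the policy numbers and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Refuse an IP for ban_seconds once it exceeds max_attempts per window_seconds."""

    def __init__(self, max_attempts, window_seconds, ban_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.ban = ban_seconds
        self.attempts = defaultdict(deque)  # ip -> attempt times still inside the window
        self.banned_until = {}              # ip -> time at which the ban expires

    def allow(self, ip, now):
        """Record one login attempt at time `now`; return False if it is refused."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False                # still blacklisted, do not even count it
            del self.banned_until[ip]       # ban has run out, start from a clean slate
        times = self.attempts[ip]
        times.append(now)
        while times[0] <= now - self.window:
            times.popleft()                 # forget attempts older than the window
        if len(times) > self.max_attempts:
            self.banned_until[ip] = now + self.ban
            del self.attempts[ip]           # bounded state: nothing kept while banned
            return False
        return True

def replay(events, throttle):
    """Feed (time, ip) events in time order; return {ip: [allowed, refused]}."""
    totals = defaultdict(lambda: [0, 0])
    for now, ip in sorted(events):
        totals[ip][0 if throttle.allow(ip, now) else 1] += 1
    return dict(totals)

# Constructed sample traffic: one source making 612 attempts in 7 minutes (the
# figures from the message above) and one ordinary client logging in once a minute.
# Both addresses are documentation-range placeholders.
FLOOD = [(i * 420 / 612, "203.0.113.5") for i in range(612)]
NORMAL = [(60.0 * i, "198.51.100.7") for i in range(8)]

if __name__ == "__main__":
    # Hypothetical policy: 10 attempts per 60 s, then a 10-minute blacklist.
    for ip, (ok, refused) in replay(FLOOD + NORMAL, LoginThrottle(10, 60, 600)).items():
        print(f"{ip}: {ok} allowed, {refused} refused")
```

With that policy the flooding source gets 10 attempts through before it is refused for the rest of the burst, while the once-a-minute client is never refused.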