In my log files I occasionally get a huge number of Dovecot authentication failures (see clip below). I wanted to know if there's a way to limit the number of times an IP address can attempt to authenticate, if there's a way to have a timeout between attempted authentications, or if there is a way to limit authentication attempts by a specific username within a certain period of time.

My current solution is to permanently block the specific IP, an IP range, or an entire country from accessing my server AFTER I notice the huge number of authentication failures. This is too ad-hoc a process and I was hoping dovecot has something more proactive built in.

Thank you in advance for spending time considering this inquiry,

Eric

--------------------- pam_unix Begin ------------------------

dovecot:
   Authentication Failures:
      rhost=::ffff:200.111.39.219 : 764 Time(s)
      root: 25 Time(s)
      mysql: 6 Time(s)
      smmsp: 6 Time(s)
--SNIP--
   Unknown Entries:
      check pass; user unknown: 764 Time(s)

---------------------- pam_unix End -------------------------

--------------------- Connections (secure-log) Begin ------------------------

**Unmatched Entries**
   dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
   dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
   dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
   dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
--SNIP--

On 2/19/2009, Eric B. Schorvitz, Ph.D. (eric at pmtechllc.com) wrote:
> I wanted to know if there's a way to limit the number of times an IP address
> can attempt to authenticate, if there's a way to have a timeout between
> attempted authentications, or if there is a way to limit authentication
> attempts by a specific username within a certain period of time.

I think this is on the radar for being handled directly by dovecot, but for now, your best bet is something like fail2ban. The advantage of using fail2ban is it works with pretty much anything, not just one app...

--
Best regards,
Charles
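
The per-IP and per-username limits asked about in this thread come down to counting failures inside a sliding time window, which is the kind of check a log-watching tool performs before it blocks a source. The sketch below is an added example, not part of the thread and not fail2ban's own code; the raw pam_unix line layout, the sample lines, the function names and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the pam_unix syslog style (documentation addresses, not real hosts).
# Assumption: ruser= carries the login name that was tried.
SAMPLE_LOG = """\
Feb 19 03:10:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=::ffff:203.0.113.5
Feb 19 03:10:40 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mysql rhost=::ffff:203.0.113.5
Feb 19 03:11:20 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=smmsp rhost=::ffff:203.0.113.5
Feb 19 03:12:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=::ffff:198.51.100.7
Feb 19 03:14:30 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=::ffff:192.0.2.9
Feb 19 03:40:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info rhost=::ffff:198.51.100.7
Feb 19 03:41:00 mail dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
"""

FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot-auth: pam_unix\(dovecot:auth\): "
    r"authentication failure;.*?\bruser=(?P<user>\S*) rhost=(?P<rhost>\S+)"
)

def normalize(rhost):
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:a.b.c.d and a.b.c.d count as one source."""
    return rhost[7:] if rhost.lower().startswith("::ffff:") else rhost

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2009):
    """Return IPs and usernames with >= max_retry failures inside find_time (lines in time order)."""
    windows = defaultdict(deque)          # (kind, key) -> timestamps still inside the window
    flagged = {"ip": set(), "user": set()}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue                      # e.g. pam_succeed_if noise is not a failure record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        for kind, key in (("ip", normalize(m["rhost"])), ("user", m["user"])):
            if not key:
                continue
            q = windows[(kind, key)]
            q.append(ts)
            while ts - q[0] > find_time:  # drop failures that aged out of the window
                q.popleft()
            if len(q) >= max_retry:
                flagged[kind].add(key)
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

Counting by username as well as by address catches a login name that is being tried from several sources, which a per-IP limit alone would miss.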