Thread: PAM authentication
How can I protect dovect from dictionary attack? My Dovect server authenticates users from a 389 server (LDAP). Is there any way to prevent a certain IP from making authentication after the third failure for 1 hour?
Your 389 server should be configured appropriately for account lockouts. If you control the 389 server, have a look here: 7.1. Managing the Password Policy. If you do not control the server, shame on your admin for not implementing account lockout policies.
Mudgen, yes, I mean dovecot.
nplusplus, thank you for the link, it was useful, but I want to block the hacker IP from trying to connect to my dovecot server. The hacker attack makes the dovecot process take 100% of server resources, and users could not work till I kill the dovecot process and restart the service.
I do this on my server. There is a trick, though. You don't want to ban hosts from which a very small number of login failures were received or you'll risk banning legitimate users.
    # Count failed Dovecot logins per remote host; drop hosts with more than 5
    cat /var/log/secure | grep tty=dovecot | grep -v "rhost= " | sed -e "s/.*ffff://" -e "s/.*rhost=//" -e "s/ .*//" | sort | uniq -c | while read count ip; do
        if [ "$count" -gt 5 ]; then
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        fi
    done
denyhosts. Here's a thread that describes a Dovecot-specific regexp:
See the second regexp in post 4.
One thing to watch out for besides low thresholds (per abarclay): if you have a webmail server like Squirrelmail, the attempts will appear to come from 127.0.0.1, so someone banging on your webmail interface could lock out _everything_ trying to use localhost.
You can also do Dovecot attack protection with fail2ban.
Edit: Duh. You can put 127.0.0.1 in hosts.allow and avoid the lockout for Squirrelmail or the like, but of course you won't have denyhosts protection for it.
Last edited by Mudgen; 09-28-2011 at 10:40 PM.
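
The two cautions raised in this thread (use a failure threshold, and do not ban 127.0.0.1 when webmail logs in over localhost) combined in one report-only script. This is an added example, not code from any of the posters; the threshold, the allowlist and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report-only variant of the log scan discussed in the thread.
# THRESHOLD and ALLOWLIST are assumed values, not taken from the thread.
THRESHOLD=5
ALLOWLIST="127.0.0.1"

# Constructed sample lines in the pam_unix format found in /var/log/secure.
sample_log() {
    i=0
    while [ "$i" -lt 7 ]; do
        echo "Sep 28 21:14:0$i mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=::ffff:203.0.113.7  user=bob"
        echo "Sep 28 21:15:0$i mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=amy rhost=127.0.0.1  user=amy"
        i=$((i + 1))
    done
    echo "Sep 28 21:16:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=eve rhost=198.51.100.9  user=eve"
    echo "Sep 28 21:16:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=  user=joe"
    echo "Sep 28 21:16:09 mail sshd[411]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root"
}

# Read log lines on stdin; print each remote host with more than $1 Dovecot
# failures, skipping any address listed in $2 (space-separated).
ban_candidates() {
    awk -v limit="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /tty=dovecot/ && /authentication failure/ {
            for (f = 1; f <= NF; f++) if ($f ~ /^rhost=/) {
                ip = substr($f, 7)
                sub(/^::ffff:/, "", ip)      # IPv4-mapped IPv6 form
                if (ip != "") count[ip]++    # ignore lines with an empty rhost
            }
        }
        END { for (ip in count) if (count[ip] > limit && !(ip in skip)) print ip }
    ' | sort
}

# Dry run: print the rule that would be added instead of changing the firewall.
for ip in $(sample_log | ban_candidates "$THRESHOLD" "$ALLOWLIST"); do
    echo "/sbin/iptables -I INPUT -s $ip -j DROP"
done
```

Against a real log, feed `/var/log/secure` to `ban_candidates` on stdin and review the printed rules before applying any of them.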