On 18/11/2012 16:34, David Guntner wrote:
> Thanks to those who pointed me in that direction, I've now got
> Dovecot running on my test system. However, I've got some issues
> that I'm hoping someone here can help out with. I did a bunch of
> googling to find some of what I needed, but I'm not sure how to
> adjust things at this point (and some stuff I couldn't find).
>
> For anti-abuse purposes on a number of services, I use fail2ban,
> which needs to read from log files. So far, so good.
>
> I've discovered, somewhat to my dismay, that Dovecot will just sit
> there and cheerfully let you keep making attempts to login - even
> after I had put in 7 bad entries, it still left the connection open
> to keep on trying. That really doesn't help legitimate mail
> programs that had a bad password put in by mistake, but it does
> help scripts/bots that are trying a brute-force attack. So for
> part one of my current problem, is there an option that can be put
> into the config file to tell it to disconnect after {x} bad login
> attempts?

auth_failure_delay
see http://wiki.dovecot.org/MainConfig
http://www.dovecot.org/list/dovecot/2009-November/044262.html
the value is doubled after every bad attempt (from a given IP), until a limit is reached (15 seconds).

>
> Part 2 of my current problem has to do with the actual logging of
> the bad login attempts. It wasn't doing it at first, but then I
> did find the auth_verbose option to allow for the logging of bad
> attempts. I turned that on - and to my dismay, found that the log
> entry it produces is pretty much useless for something that
> fail2ban can hook into. If you login successfully or log out
> yourself after bad attempts, it says "imap-login" or "pop3-login"
> (which *would* be something that fail2ban can use). However, with
> auth_verbose=yes, the bad attempts are all prefaced with
> "auth-worker(default)" for either type of connection. This is
> useless for fail2ban purposes, for reasons which should be pretty
> obvious. :-) So - is there a way to get auth_verbose to show which
> service (IMAP/POP3) is being accessed?

why care? why not consider that {pop3+imap} is a single service group? after all, they're using the same logins/passwords, no?
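
Added example, not part of the original thread and not Dovecot or fail2ban code: the "single service group" idea from the reply, counting failed logins per remote IP from the auth-worker(default) lines without caring whether the client used IMAP or POP3. The log line shape, the sample lines and the names `failures_by_ip` and `offenders` are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed line shape (the thread does not quote a log line): with
# auth_verbose=yes a failure is logged as
#   auth-worker(default): <passdb>(<user>,<remote ip>): <reason>
FAILURE = re.compile(
    r"auth-worker\(default\): [\w-]+\([^,()]*,(?P<ip>[0-9A-Fa-f.:]+)\): "
    r".*(?:failed|mismatch|unknown user)"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Nov 18 16:01:02 mail dovecot: auth-worker(default): pam(alice,203.0.113.7): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 18 16:01:05 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
Nov 18 16:01:09 mail dovecot: auth-worker(default): pam(root,203.0.113.7): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 18 16:01:14 mail dovecot: auth-worker(default): passwd-file(admin,203.0.113.7): unknown user
Nov 18 16:01:20 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Nov 18 16:02:31 mail dovecot: auth-worker(default): pam(carol,198.51.100.9): pam_authenticate() failed: Authentication failure (password mismatch?)
"""


def failures_by_ip(lines):
    """Count failed logins per remote IP, IMAP and POP3 together."""
    counts = Counter()
    for line in lines:
        match = FAILURE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def offenders(lines, maxretry):
    """Return the IPs that reached maxretry failures, sorted."""
    counts = failures_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG.splitlines(), maxretry=3):
        print("would ban", ip)
```

The imap-login and pop3-login lines are ignored on purpose, so one client is not counted twice for the same attempts.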