blob: dcbb3eaf9cbed8d651d7ec01a62e0fa412b3a8d2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
Authentication Penalty
======================
Dovecot anvil process tracks authentication penalties for different IPs to slow
down brute force login attempts. The algorithm works by:
* First auth failure reply will be delayed for 2 seconds (this happens even
without auth penalty)
* 'AUTH_PENALTY_INIT_SECS' in 'src/auth/auth-penalty.h'
* The delay will be doubled for 4 -> 8 seconds, and then the upper limit of 15
seconds is reached.
* 'AUTH_PENALTY_MAX_SECS' and AUTH_PENALTY_MAX_PENALTY in
'src/auth/auth-penalty.h'
* If the IP is in login_trusted_networks (e.g. webmail), skip any
authentication penalties
* If the username+password combination is the same as one of the last 10 login
attempts, skip increasing authentication penalty.
* 'CHECKSUM_VALUE_PTR_COUNT' in 'src/anvil/penalty.c'
* The idea is that if a user has simply configured the password wrong, it
shouldn't keep increasing the delay.
* The username+password is tracked as the CRC32 of them, so there is a
small possibility of hash collisions
Problems:
* It is still possible to do multiple auth lookups from the same IP in
parallel.
* For IPv6 it currently blocks the entire /48 block, which may or may not be
what is wanted.
* PENALTY_IPV6_MASK_BITS in auth-penalty.c
Authentication penalty tracking can be disabled completely with:
---%<-------------------------------------------------------------------------
service anvil {
unix_listener anvil-auth-penalty {
mode = 0
}
}
---%<-------------------------------------------------------------------------
Also you can have similar functionality with fail2ban
[http://wiki2.dovecot.org/HowTo/Fail2Ban].
(This file was created from the wiki on 2019-06-19 12:42)
|
