Re: OT: IMAP under attack


 




On 08.01.2022 at 15:46, Nic Bernstein <nic@xxxxxxxxxxxxxxxx> wrote:

 On 1/8/22 08:34, Mikhail T. wrote:
On 08.01.22 09:12, Nic Bernstein wrote:
You should be interested in the 'failedloginpause' setting, which defaults to 3 seconds.

I think, the request was for a progressively increasing pause -- doubling for each subsequent failure from the same IP and/or same account...

Is that currently possible?


Ah, yes; you're right.  No, that's not currently possible with Cyrus itself.  There used to be a setting for POP logins which did this, but I think that's gone away.  Might be possible with a proxy, like Perdition, but I've not tried it.
    -nic

This doesn't really make much sense, because it could imply new DoS attack vectors while most DDoS attacks use long time windows per try per source IP (they easily have access to many thousands of source IPs to use). This is why fail2ban should be used very (!) carefully on IMAP/POP3 (and SMTP login).

It's more important to avoid any "short" and somewhere dictionary passwords. Additionally, we avoid the very often applied behavior of using email addresses one-to-one as usernames.

I know it may seem dangerous the first time you see such attacks, but they occur quite often, at least at larger and/or older (longer established) hosts (I see it multiple times per month, usually at some hosts which have been mail servers for >20 years now).


niels.
Niels Dettenbach
https://www.syndicat.com
https://www.syndicat.com/pub_key.asc
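
Added example, not part of the thread or of Cyrus: a small log check that contrasts a per-IP failure threshold (the fail2ban-style rule discussed above) with a per-account count of distinct source IPs. The log line shape, the thresholds, the account names and the addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog shape for a Cyrus failed login; adjust the regex to your own logs.
BADLOGIN = re.compile(r"^(\S+) \S+ \w+\[\d+\]: badlogin: (?:\S+ )?\[([^\]]+)\] \S+ (\S+) ")

def make_line(ts, ip, user):
    return (f"{ts.isoformat()} mail imaps[101]: badlogin: [{ip}] plaintext {user} "
            "SASL(-13): authentication failure: checkpass failed")

# Constructed sample data (documentation address ranges, made-up accounts):
# six sources trying "alice" once per hour, and one client retrying "bob" quickly
# (for instance a stale saved password).
T0 = datetime(2022, 1, 8, 9, 0, 0)
SAMPLE = [make_line(T0 + timedelta(hours=i), f"203.0.113.{i + 1}", "alice") for i in range(6)]
SAMPLE += [make_line(T0 + timedelta(seconds=40 * i), "198.51.100.7", "bob") for i in range(6)]

def parse(lines):
    events = []
    for line in lines:
        m = BADLOGIN.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def per_ip_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """IPs a per-IP rule would ban: >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                banned.add(ip)
                break
    return banned

def spread_accounts(events, min_ips=5):
    """Accounts with failures from many distinct sources, regardless of timing."""
    ips = defaultdict(set)
    for _, ip, user in events:
        ips[user].add(ip)
    return {user: len(s) for user, s in ips.items() if len(s) >= min_ips}

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("per-IP rule bans:", per_ip_offenders(ev))
    print("accounts hit from many IPs:", spread_accounts(ev))
```

On this sample the per-IP rule bans only the single fast-retrying client, while the slow attempts spread over six addresses show up only in the per-account view.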

