This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 5 and 6
Revision 5 as of 2013-11-28 10:23:41
Size: 1545
Editor: TimoSirainen
Revision 6 as of 2022-02-04 23:22:19
Size: 84
Editor: TimoSirainen
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Authentication Penalty =

Dovecot anvil process tracks authentication penalties for different IPs to slow down brute force login attempts. The algorithm works by:

 * First auth failure reply will be delayed for 2 seconds (this happens even without auth penalty)
  * {{{AUTH_PENALTY_INIT_SECS}}} in {{{src/auth/auth-penalty.h}}}
 * The delay will be doubled for 4 -> 8 seconds, and then the upper limit of 15 seconds is reached.
  * {{{AUTH_PENALTY_MAX_SECS}}} and AUTH_PENALTY_MAX_PENALTY in {{{src/auth/auth-penalty.h}}}
 * If the IP is in login_trusted_networks (e.g. webmail), skip any authentication penalties
 * If the username+password combination is the same as one of the last 10 login attempts, skip increasing authentication penalty.
  * {{{CHECKSUM_VALUE_PTR_COUNT}}} in {{{src/anvil/penalty.c}}}
  * The idea is that if a user has simply configured the password wrong, it shouldn't keep increasing the delay.
  * The username+password is tracked as the CRC32 of them, so there is a small possibility of hash collisions


 * It is still possible to do multiple auth lookups from the same IP in parallel.
 * For IPv6 it currently blocks the entire /48 block, which may or may not be what is wanted.
  * PENALTY_IPV6_MASK_BITS in auth-penalty.c

Authentication penalty tracking can be disabled completely with:

service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0

Also you can have similar functionality with [[|fail2ban]].
Moved to

None: Authentication/Penalty (last edited 2022-02-04 23:22:19 by TimoSirainen)