Authentication Penalty

Dovecot anvil process tracks authentication penalties for different IPs to slow down brute force login attempts. The penalty is increased after failed logins until a maximum value, unless passdb nodelay extra field is used. The penalty is applied for the IP before passdb lookups are done, so the delay might exist even with nodelay if it is not used for all authentication attempts for the IP.

Algorithm

• First auth failure reply will be delayed for 2 seconds (this happens even without auth penalty)

  • AUTH_PENALTY_INIT_SECS in src/auth/auth-penalty.h

• The delay will be doubled for 4 -> 8 seconds, and then the upper limit of 15 seconds is reached.

  • AUTH_PENALTY_MAX_SECS and AUTH_PENALTY_MAX_PENALTY in src/auth/auth-penalty.h

• If the IP is in login_trusted_networks (e.g. webmail), skip any authentication penalties

• If the username+password combination is the same as one of the last 10 login attempts, skip increasing authentication penalty.

  • CHECKSUM_VALUE_PTR_COUNT in src/anvil/penalty.c

  • The idea is that if a user has simply configured the password wrong, it shouldn't keep increasing the delay.

  • The username+password is tracked as the CRC32 of them, so there is a small possibility of hash collisions

Problems

• It is still possible to do multiple auth lookups from the same IP in parallel.

• For IPv6 it currently blocks the entire /48 block, which may or may not be what is wanted.

  • PENALTY_IPV6_MASK_BITS in auth-penalty.c

Disabling

Authentication penalty tracking can be disabled completely with:

service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0
  }
}