IP's getting banned for aborted logins

Posted: 21 May 2016, 16:09
by ffeingol
Hello Guys,

We're seeing an increasing number of IP's getting blocked for 'aborted' logins. The messages look like:

May 17 12:52:25 ### dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<###>, method=PLAIN, rip=###, lip=###, TLS, session=<###>
May 17 12:52:31 ### dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<###>, method=PLAIN, rip=###, lip=###, TLS: Disconnected, session=<###>

Is there any way to not block these aborted logins?

Re: IP's getting banned for aborted logins

Posted: 24 May 2016, 06:25
by Elizine
From the template /etc/dovecot/conf.d/10-auth.conf

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes

Re: IP's getting banned for aborted logins

Posted: 24 May 2016, 13:16
by ffeingol
Hello,

Thanks. We're not really looking to disable the login method, just not block the users. We found that there is a specific regex for these failed logins in lfd, so it does not look like there is any way to bypass this 'error'. It's a tad frustrating as we get a lot of tickets for people blocked by aborted logins.

Re: IP's getting banned for aborted logins

Posted: 28 May 2016, 06:38
by dvk01
Increase the "Enable login failure detection of SMTP AUTH connections" (and POP3 & IMAP) to at least 5. It looks like you are set as 1, so it blocks after a single failure, which will include an aborted login by a user and can also happen with internet issues.
If you don't want lots of help tickets, also set those to be temp blocks for 30 minutes or 1 hour, and set the temp to perm block to something like 3 or 4 to permanently block genuine attacks but automatically unblock user errors. Then inform all your users that if they get blocked to wait 30 mins / 1 hour before sending a ticket to help desk.
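
The effect of the failure threshold discussed above, as an added example that is not part of the original thread and is not lfd's own code: it counts "Aborted login (auth failed ...)" lines per remote IP in a sliding window and reports which IPs reach the threshold. The regex, the one-hour window, the year and every log line (host `mx`, users, documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Illustrative pattern for the Dovecot lines quoted in the thread (not lfd's regex).
ABORTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ dovecot: (?:imap|pop3)-login: "
    r"Aborted login \(auth failed, \d+ attempts in \d+ secs\):.*?\brip=(?P<rip>[^,\s]+)")

def _line(ts, user, rip):
    # Builds one constructed log line in the format shown in the first post.
    return (f"May 17 {ts} mx dovecot: imap-login: Aborted login (auth failed, "
            f"1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={rip}, "
            f"lip=198.51.100.1, TLS, session=<x>")

# Constructed sample, in chronological order: two users with isolated
# failures and one source failing six times within a minute.
SAMPLE_LOG = "\n".join(
    [_line("09:00:00", "bob", "192.0.2.20"),
     _line("12:52:25", "alice", "192.0.2.10")]
    + [_line(f"13:00:{s:02d}", "root", "203.0.113.7") for s in range(0, 60, 10)]
    + [_line("14:30:00", "bob", "192.0.2.20")])

def blocked_ips(log_text, threshold, window_secs=3600):
    """Return IPs that reach `threshold` matching lines within `window_secs`."""
    recent = defaultdict(deque)   # rip -> timestamps still inside the window
    blocked = []
    for line in log_text.splitlines():
        m = ABORTED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; 2016 is assumed for parsing only.
        ts = datetime.strptime("2016 " + m["ts"], "%Y %b %d %H:%M:%S")
        hits = recent[m["rip"]]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_secs:
            hits.popleft()        # drop failures older than the window
        if len(hits) >= threshold and m["rip"] not in blocked:
            blocked.append(m["rip"])
    return blocked

if __name__ == "__main__":
    for n in (1, 5):
        print(f"threshold={n}: blocked {blocked_ips(SAMPLE_LOG, n)}")
```

With a threshold of 1 all three sources are blocked, including the two users who failed once; with 5 only the repeated source is.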