Topic: Ban user after failed logins

appletech
Ban user after failed logins
« on: July 07, 2017, 05:46:24 AM »
Hello,

I am using the parameter:

Code:
$config['login_rate_limit'] = 3;
to limit failed login attempts. This should allow up to 3 failed logins per minute (according to the documentation).

However, is there a way to ban a username for a configurable amount of time in case the above limit has been reached?

If not, could you please consider adding such a parameter? For example, it could be something like: login_rate_limit_ban, accepting values in seconds.

If someone has login_rate_limit failures, (s)he would automatically be banned for login_rate_limit_ban seconds.

Please advise.

Thanks,
Nick

rm13
Re: Ban user after failed logins
« Reply #1 on: July 11, 2017, 07:05:39 PM »
Are you on a Unix/Linux server? You might look at installing fail2ban and configuring it for your IMAP server. Then it would cover any IMAP client, not just attempts to log in via RC.

appletech
Re: Ban user after failed logins
« Reply #2 on: July 19, 2017, 03:21:59 AM »
fail2ban blocks are based on IP addresses. This may cause problems in the case of NAT'ed clients. Using fail2ban, if a number of clients are behind a NAT gateway, they will all be banned, even though perhaps only one of them is guilty. Moreover, we need to block based on username(s), because the same user (esp. a malicious one) may try logging in from different IP addresses if one is banned.

Furthermore, I believe that we should treat logins to the webmail system differently from logins to the IMAP/SMTP services (receiving/sending mail). We can control the latter via a mail firewall like postfwd (when using postfix), but we would need to control logins to the webmail system directly.

So, if this feature can be added, I believe it will provide real added value.

Cheers,
Nick
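The per-username lockout proposed in this thread (login_rate_limit failures inside the documented one-minute window, then a ban of login_rate_limit_ban seconds keyed on the username rather than the client IP), as an added example that is not part of the thread and not Roundcube's own code. The class name LoginThrottle, its methods, the injectable clock, the FakeClock and the credential store are all assumptions made for the illustration; only the two option names come from the thread, and the "seconds" unit for login_rate_limit_ban is the poster's proposal, not an existing Roundcube setting.

```python
"""Per-username login throttle with a configurable ban window.

Added example, not Roundcube code. It keys on the username, so clients that
share a NAT gateway are not banned together, and a name that is banned stays
banned no matter which IP address the next attempt comes from.
"""
import time
from collections import deque

WINDOW_SECONDS = 60  # login_rate_limit is documented as failures per minute


class LoginThrottle:
    """Count failed logins per username and ban the name for a fixed period.

    login_rate_limit is the existing Roundcube option; login_rate_limit_ban is
    the proposed one (assumed here to be in seconds). `clock` is injectable so
    the behaviour can be exercised without sleeping.
    """

    def __init__(self, login_rate_limit=3, login_rate_limit_ban=300,
                 clock=time.monotonic):
        if login_rate_limit < 1 or login_rate_limit_ban < 0:
            raise ValueError("limit must be >= 1 and ban >= 0 seconds")
        self.limit = login_rate_limit
        self.ban_seconds = login_rate_limit_ban
        self.clock = clock
        self._failures = {}      # username -> deque of failure timestamps
        self._banned_until = {}  # username -> time at which the ban lapses

    @staticmethod
    def _key(username):
        # Case-fold and trim so "Nick" and "nick " share one counter.
        return username.strip().lower()

    def ban_remaining(self, username):
        """Seconds left on the ban for this name, or 0 if it is not banned."""
        user = self._key(username)
        until = self._banned_until.get(user)
        if until is None:
            return 0
        left = until - self.clock()
        if left <= 0:
            del self._banned_until[user]  # ban expired; forget it
            return 0
        return left

    def record_failure(self, username):
        """Register one failed login; return True if it triggered a ban."""
        user = self._key(username)
        now = self.clock()
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:  # drop failures older than a minute
            q.popleft()
        if len(q) >= self.limit:
            self._banned_until[user] = now + self.ban_seconds
            q.clear()
            return True
        return False

    def record_success(self, username):
        self._failures.pop(self._key(username), None)

    def attempt(self, username, password, verify):
        """Gate one login; `verify(username, password) -> bool` is the real check.

        Returns "ok", "denied" or "banned". While banned, the password is not
        verified at all, so a correct password from a second IP does not get in.
        """
        if self.ban_remaining(username) > 0:
            return "banned"
        if verify(username, password):
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "denied"


class FakeClock:
    """Constructed clock so the walkthrough below is deterministic."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Run the scenario from the thread and return the sequence of outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(login_rate_limit=3, login_rate_limit_ban=300, clock=clock)
    users = {"nick": "correct horse"}  # constructed stand-in for the IMAP backend

    def verify(username, password):
        return users.get(username.strip().lower()) == password

    results = []
    for _ in range(3):  # three wrong passwords inside one minute, from any IPs
        results.append(throttle.attempt("nick", "wrong", verify))
        clock.advance(5)
    results.append(throttle.attempt("Nick", "correct horse", verify))  # banned
    results.append(throttle.attempt("alice", "whatever", verify))      # other user, same NAT: unaffected
    clock.advance(300)                                                 # ban lapses
    results.append(throttle.attempt("nick", "correct horse", verify))  # ok
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two things to carry into a real deployment: a username-keyed ban lets anyone lock a victim out just by failing three times as that name, so it should sit beside (not replace) an IP-based throttle such as fail2ban, and the user-facing message for "banned" should be identical to the one for "denied" so the lockout does not confirm that the account exists. The counters above live in process memory; across several PHP workers they would have to be kept in shared storage.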