Roundcube Community Forum

Release Support => Pending Issues => Topic started by: appletech on July 07, 2017, 05:46:24 AM

Title: Ban user after failed logins
Post by: appletech on July 07, 2017, 05:46:24 AM
Hello,

I am using the parameter:

$config['login_rate_limit'] = 3;

to limit failed login attempts. This should allow up to 3 failed logins per minute (according to the documentation).

However, is there a way to ban a username for a configurable amount of time in case the above limit has been reached?

If not, could you please consider adding such a parameter? For example, it could be something like: login_rate_limit_ban, accepting values in seconds.

If someone has login_rate_limit failures, (s)he would automatically be banned for login_rate_limit_ban seconds.

Please advise.

Thanks,
Nick
Title: Re: Ban user after failed logins
Post by: rm13 on July 11, 2017, 07:05:39 PM
Are you on a Unix/Linux server? You might look at installing fail2ban and configuring it for your IMAP server. Then it would cover any IMAP client, not just attempts to log in via RC.
Title: Re: Ban user after failed logins
Post by: appletech on July 19, 2017, 03:21:59 AM
fail2ban blocks are based on IP addresses. This may cause problems in the case of NAT'ed clients. Using fail2ban, if a number of clients are behind a NAT gateway, they will all be banned, even though perhaps only one of them is guilty. Moreover, we need to block based on username(s), because the same user (esp. a malicious one) may try logging in from different IP addresses if one is banned.

Furthermore, I believe that we should treat the login to the webmail system differently from the login to the IMAP/SMTP services (receiving/sending mail). We can control the latter via a mail firewall like postfwd (when using postfix), but we would need to control the logins to the webmail system directly.

So, if this feature can be added, I believe it will provide real added value.

Cheers,
Nick
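To make the proposed semantics concrete, here is an added, constructed example (not Roundcube's code and not something the project ships) of a username-keyed lockout: failures are counted per user in a one-minute window like login_rate_limit, and once the limit is hit the user is refused for login_rate_limit_ban seconds regardless of the source IP. The class name, the fixed 60-second window, and the timestamps passed in are assumptions for illustration.

```python
"""Username-keyed login lockout modelled on the login_rate_limit /
login_rate_limit_ban parameters discussed in the thread.
Constructed example, not Roundcube code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # login_rate_limit counts failures per minute


class UserLoginLimiter:
    def __init__(self, login_rate_limit=3, login_rate_limit_ban=900):
        self.limit = login_rate_limit            # failures allowed per window
        self.ban_seconds = login_rate_limit_ban  # length of the ban once hit
        self._failures = defaultdict(deque)      # user -> failure timestamps
        self._banned_until = {}                  # user -> epoch seconds

    def _prune(self, user, now):
        """Drop failures older than the one-minute window."""
        q = self._failures[user]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def is_banned(self, user, now):
        """True while the user's ban is active; expired bans are cleared."""
        until = self._banned_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[user]
            return False
        return True

    def seconds_remaining(self, user, now):
        return max(0, self._banned_until.get(user, now) - now)

    def record_failure(self, user, now):
        """Register a failed login; returns True if it triggers a ban.
        Keyed by username, so NAT'ed neighbours and IP-hopping attempts
        are handled the same way."""
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.limit:
            self._banned_until[user] = now + self.ban_seconds
            self._failures[user].clear()  # fresh count after the ban ends
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure count for that user."""
        self._failures.pop(user, None)
```

Call is_banned() before verifying credentials so a banned user is refused without touching the password check, and record_success() on a valid login so stale failures do not accumulate.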