[Dovecot] Auto-blacklisting hosts after too many failed logins
ao at rsbac.org
Fri Aug 25 17:23:32 EEST 2006
First of all, thanks for Dovecot, I appreciate it a lot.
On one of our servers, we experience regular tries to brute force
logins, probably based on harvested mail addresses. Now I wonder if
Dovecot has or could in future have some mechanism to blacklist
remote IP addresses after a configurable number of failures to login
to any account.
Blacklisted IPs could simply be disconnected without giving them a
chance to do anything. After e.g. one day or one hour of no further
connection, the blacklist entry could be dropped.
As a bonus, it would be great to have a way to close the POP3/IMAP
firewall ports to these IPs to avoid Dovecot seeing the connection at
all. A kind of blacklist status file on disk would be enough, from
which some cron job could fill a firewall chain.
If necessary, I would try to add this functionality myself.
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
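
Added example, not part of the original message and not Dovecot code: a sketch of the mechanism requested above (a per-IP failure count across all accounts, disconnecting blacklisted IPs, dropping entries after an idle period, and a status file for a cron job). The event tuples, the threshold and TTL values, the class name and the status-file layout are all assumptions made for illustration.

```python
MAX_FAILURES = 3   # assumed value for the "configurable number of failures"
IDLE_TTL = 3600    # assumed: drop an entry after one hour with no connection

# Constructed sample events: (unix_time, remote_ip, login_succeeded)
SAMPLE_EVENTS = [
    (1000, "192.0.2.10", False),
    (1005, "192.0.2.10", False),
    (1010, "198.51.100.7", False),
    (1012, "192.0.2.10", False),   # third failure: IP becomes blacklisted
    (1020, "198.51.100.7", True),
    (2000, "192.0.2.10", False),   # dropped, but refreshes the idle timer
]

class Blacklist:
    def __init__(self, max_failures=MAX_FAILURES, idle_ttl=IDLE_TTL):
        self.max_failures, self.idle_ttl = max_failures, idle_ttl
        self.failures = {}    # ip -> failed logins, counted over all accounts
        self.last_seen = {}   # ip -> time of the most recent connection
        self.blocked = set()

    def expire(self, now):
        """Forget every IP that has not connected for more than idle_ttl."""
        idle = [ip for ip, t in self.last_seen.items() if now - t > self.idle_ttl]
        for ip in idle:
            del self.last_seen[ip]
            self.failures.pop(ip, None)
            self.blocked.discard(ip)

    def connection(self, now, ip, login_ok):
        """Record one connection; return False if it must be disconnected."""
        self.expire(now)
        self.last_seen[ip] = now
        if ip in self.blocked:
            return False
        if not login_ok:   # assumption: a success does not reset the count
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.max_failures:
                self.blocked.add(ip)
        return True

    def status_file(self):
        """One 'ip last_seen' line per blacklisted IP, for a cron job to read."""
        return "".join(f"{ip} {self.last_seen[ip]}\n" for ip in sorted(self.blocked))

def replay(events, **options):
    """Feed events through a fresh Blacklist; return it and each verdict."""
    bl = Blacklist(**options)
    return bl, [bl.connection(t, ip, ok) for t, ip, ok in events]
```

Because the idle timer restarts on every connection, a client that keeps retrying stays blacklisted, and a shared or NAT address that reconnects regularly never has its failure count cleared.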