[Dovecot] Auto-blacklisting hosts after too many failed logins

Ken A ka at pacific.net
Mon Aug 28 19:03:42 EEST 2006

This really shouldn't be a dovecot function, since this isn't an 
application level attack. Check out ossec-hids. I use it exactly for 
this purpose for blocking brute force attacks on others protocols as 
well - ftp, ssh, smtp, etc...

Ken A.

Amon Ott wrote:
> Hi folks,
> first of all thanks for Dovecot, I appreciate it a lot.
> On one of our servers, we experience regular tries to brute force 
> logins, probably based on harvested mail addresses. Now I wonder if 
> dovecot has or could in future have some mechanism to blacklist 
> remote IP addresses after a configurable number of failures to login 
> to any account.
> Blacklisted IPs could simply be disconnected without giving them a 
> chance to do anything. After e.g. one day or one hour of no further 
> connection, the blacklist entry could be dropped.
> As a bonus, it would be great to have a way to close the POP3/IMAP 
> firewall ports to these IPs to avoid dovecot seeing the connection at 
> all. A kind of blacklist status file on disk would be enough, from 
> which some cron job could fill a firewall chain.
> If necessary, I would try to add this functionality myself.
> Amon.

More information about the dovecot mailing list