[Dovecot] Auto-blacklisting hosts after too many failed logins
alex at erus.co.uk
Tue Aug 29 13:42:22 EEST 2006
Geert Hendrickx wrote:
> On Fri, Aug 25, 2006 at 04:23:32PM +0200, Amon Ott wrote:
>> On one of our servers, we experience regular tries to brute force logins,
>> probably based on harvested mail addresses. Now I wonder if dovecot has
>> or could in future have some mechanism to blacklist remote IP addresses
>> after a configurable number of failures to login to any account.
> Countless perl scripts exist which parse sshd login logs for login attacks
> and insert dynamic firewall rules to temporarily blacklist them. Those
> could easily be adapted to pop3/imap login logs.
I use fail2ban.
It has settings for SSH, apache and vsftpd in the default config file
but you can easily add your own [dovecot] section.
Enter the log to monitor, the failure regex to match on, and the action
to take after a specified number of failures (defaults to blocking IP
for 600 seconds) and you're away.