[Dovecot] IP Tables block for POP3 attacks with Dovecot
Sean Kamath
kamath at geekoids.com
Sun Apr 8 22:08:51 EEST 2007
On Apr 8, 2007, at 9:20 AM, Pete Dubler wrote:
> Has anyone implemented a script to block IPs which are attacking on
> POP3 ports using dovecot logs to indicate repetitive failed login
> attempts?
>
> sshblack does this nicely for ssh (port 22) attacks by monitoring
> the /var/log/secure file. I am considering rewriting this to POP3
> port (110), but if it has already been done, I sure don't need the
> practice.

Gotta love PF on OpenBSD (and FreeBSD). It was a simple addition to
the pass rule:

    pass in quick on $ext_if proto tcp from any to $imaphost port \
        $imap_tcp_bf_svcs flags S/SA keep state (max-src-conn 25, \
        max-src-conn-rate 10/1, overload <my-imap-bf> flush global) \
        label "$dstaddr:$dstport:$proto"

This limits a host to 25 connections, 10 per second. If they exceed
either, they're dumped into the my-imap-bf table, which is blocked
earlier in the file with a

    block quick from <my-imap-bf>

:-)

I used the values I did because I had some 600 connections in 40 seconds.

Sean
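
The following is an added example, not part of the original post or of pf: a simplified Python model of the two limits in the rule above (25 open connections, 10 new connections per second) and of the overload table, replayed over constructed traffic that includes a 600-connections-in-40-seconds flood. The exact sliding window, the class and function names, and the sample addresses are assumptions; pf's own rate accounting may differ.

```python
from collections import defaultdict, deque

MAX_SRC_CONN = 25                 # max-src-conn 25 (from the rule)
RATE_COUNT, RATE_SECS = 10, 1.0   # max-src-conn-rate 10/1 (from the rule)

class OverloadTracker:
    """Simplified model (an assumption): exact sliding window per source address."""
    def __init__(self):
        self.open_conns = defaultdict(int)   # src -> currently open connections
        self.recent = defaultdict(deque)     # src -> times of new connections in the window
        self.overload = {}                   # src -> limit that tripped; stands in for <my-imap-bf>

    def connect(self, src, now):
        if src in self.overload:
            return "block"                   # block quick from <my-imap-bf>
        window = self.recent[src]
        while window and now - window[0] >= RATE_SECS:
            window.popleft()                 # forget connections older than the rate interval
        window.append(now)
        self.open_conns[src] += 1
        if len(window) <= RATE_COUNT and self.open_conns[src] <= MAX_SRC_CONN:
            return "pass"
        reason = "max-src-conn-rate" if len(window) > RATE_COUNT else "max-src-conn"
        self.overload[src] = reason          # overload <my-imap-bf>
        self.open_conns[src] = 0             # flush global: the source's existing states are killed
        window.clear()
        return "overload"

    def close(self, src):
        self.open_conns[src] = max(0, self.open_conns[src] - 1)

def replay(events):
    """events: (time, src, 'open' | 'close') tuples. Returns (overload table, verdict counts)."""
    tracker, counts = OverloadTracker(), defaultdict(lambda: defaultdict(int))
    for now, src, action in sorted(events):
        if action == "open":
            counts[src][tracker.connect(src, now)] += 1
        else:
            tracker.close(src)
    return tracker.overload, {src: dict(c) for src, c in counts.items()}

# Constructed traffic (documentation addresses, not taken from the post).
FLOOD = [(i * 40 / 600, "203.0.113.9", "open") for i in range(600)]   # 600 connections in 40 s
SLOW = [(float(i), "192.0.2.50", "open") for i in range(30)]          # 1 per second, never closed
CLIENT = [(t + d, "198.51.100.7", a) for t in range(0, 40, 5)
          for d, a in ((0.0, "open"), (1.0, "close"))]                # polls every 5 s, closes after 1 s
if __name__ == "__main__":
    print(replay(FLOOD + SLOW + CLIENT))
```

In this model the flood trips the rate limit on its 11th connection, well before the 25-connection cap matters, while a slow source that never closes its connections is caught by the cap instead.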