[Dovecot] Limit login attempts per connection?

Stan Hoeppner stan at hardwarefreak.com
Fri Mar 5 14:41:26 EET 2010

Ed W put forth on 3/5/2010 3:44 AM:

> ...but ...  At least my public facing servers seem to be receiving
> trickle scans where there is definite evidence of a slow distributed
> bruteforcer which uses multiple IPs to try multiple usernames and I
> probably only see each IP a few times a day...  This is quite hard to
> defend against without some kind of distributed system (and I believe
> there are such things?)

It's good policy these days to use ipdeny.com cidr tables and ban all
countries from your servers that will never need legitimate access to them.
 If you're in the US, do you need to allow Chinese or Russian IP space to
connect to your IMAP ports?  If not, it's pretty simple to add iptables
rules on all your servers to ban all the countries where a large amount of
unauthorized connection attempts originate.

This usually can't be done with off the shelf firewalls from the likes of
Cisco et al as they don't have enough memory.  For a large server farm, it
would be better to have a Linux or NetBSD box running firewall duty for the
farm so you only have to load these rules once and eat cycles on only one

Also keep in mind that iptables load time for huge country files can be
pretty substantial.  I experimented with this on an old dual 550 MHz machine
and it took something like 30 seconds to load just the China cidrs into
iptables.  If you plan to load up multiple countries, initial iptables
loading might take a while.

Once you've got it set up and tuned it can work very well.


More information about the dovecot mailing list