[Dovecot] Logging passwords on auth failure/dealing with botnets

Joseph Tam jtam.home at gmail.com
Sat Aug 31 02:55:00 EEST 2013


Michael Smith writes:

> We're already running fail2ban, but it doesn't seem that effective
> against botnets, when they only do one attempt per IP.

Yeah, distributed BFDs are tough to block unless you can characterize
the clients well.

> That leaves us back to getting dovecot to log the tried password for
> unknown users.

Another tactic might be to hook in an authentication script:

 	http://wiki2.dovecot.org/AuthDatabase/CheckPassword

You can run this as an external plugin and won't have to muck into the
dovecot innards.  From here, you can log attempts, keep track of bad
IPs, or take action if you spot a username/password combination that
merits instant blacklisting.

Joseph Tam <jtam.home at gmail.com>
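
An added example (not part of the original message, and not Dovecot's own code) of the kind of logging-only checkpassword hook suggested above: it records each attempt with the password as a keyed digest and groups attempts by credential rather than by IP, so a botnet making one attempt per address still stands out. The log format, LOG_KEY, the threshold and all function names are assumptions, and the script always rejects on the assumption that a real passdb makes the actual decision.

```python
import hashlib, hmac, os, sys, syslog
from collections import defaultdict

LOG_KEY = b"constructed-demo-key"  # assumption: replace with a per-site secret

def parse_checkpassword(payload):
    """Split the fd 3 payload: username NUL password NUL [timestamp NUL]."""
    fields = payload.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword payload")
    return fields[0].decode("utf-8", "replace"), fields[1]

def format_attempt(user, password, remote_ip):
    """Build one log line; the password appears only as a keyed digest."""
    tag = hmac.new(LOG_KEY, user.encode() + b"\0" + password,
                   hashlib.sha256).hexdigest()[:16]
    # The username is attacker-controlled: neutralise anything that could
    # forge extra key=value fields in the log line.
    safe = "".join(c if c.isalnum() or c in "@._-+" else "?" for c in user)
    return "checkpw user=%s rip=%s cred=%s" % (safe, remote_ip, tag)

def flag_distributed(log_lines, threshold=3):
    """Return credential tags tried from at least `threshold` distinct IPs."""
    ips = defaultdict(set)
    for line in log_lines:
        kv = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "cred" in kv and "rip" in kv:
            ips[kv["cred"]].add(kv["rip"])
    return sorted(t for t, seen in ips.items() if len(seen) >= threshold)

if __name__ == "__main__":
    try:
        with os.fdopen(3, "rb") as fd3:  # checkpassword passes credentials on fd 3
            user, password = parse_checkpassword(fd3.read(512))
    except (OSError, ValueError):
        sys.exit(111)  # checkpassword convention: temporary failure
    # TCPREMOTEIP is the checkpassword convention for the client address;
    # confirm it against the wiki page above for your Dovecot version.
    rip = os.environ.get("TCPREMOTEIP", "-")
    syslog.syslog(syslog.LOG_INFO, format_attempt(user, password, rip))
    sys.exit(1)  # always "authentication failed": this hook only logs
```

flag_distributed() is meant to be run over the collected log lines by a separate job, since each checkpassword invocation is a fresh process with no memory of earlier attempts.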

