[Dovecot] Logging passwords on auth failure/dealing with botnets

Noel noeldude at gmail.com
Tue Sep 3 17:23:48 EEST 2013


On 9/3/2013 5:12 AM, Charles Marcus wrote:
>
> Ummm... maybe you didn't read what I wrote? That is what I meant
> by 'whitelist' in item 1... ;)
>

Yes, I think we're on the same page.

>
> On 2013-09-02 9:59 PM, other at ahhyes.net <other at ahhyes.net> wrote:
>> Is there anyway to limit the number of auth attempts allowed in a
>> single session? The reason for this is because I have "fail2ban"
>> setup to firewall out any IP addresses that repeatedly auth fails.
>
> Is there a way to tell fail2ban to block connection attempts NOT
> based on IP, but based on other values or value combinations (like
> user+IP)?
>

I'm not sure if fail2ban can trigger on a value combination, but it
should be able to pull a username out of a log line and run some
command on the username.

Basically whatever you can do with a regexp and a single log line.
Pull any value out of the log line and run a command or script with
the value (usually an IP, but can be anything in that line).




More information about the dovecot mailing list