31 Aug 2013, 2:55 a.m.
Michael Smith writes:
> We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block unless you can characterize the clients well.
> That leaves us back to getting dovecot to log the tried password for unknown users.
Another tactic might be to hook in an authentication script:
http://wiki2.dovecot.org/AuthDatabase/CheckPassword
You can run this as an external plugin and won't have to muck into the dovecot innards. From here, you can log attempts, keep track of bad IPs, or take action if you spot a username/password combination that merits instant blacklisting.
Joseph Tam jtam.home@gmail.com
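
A sketch of the checkpassword hook suggested in the message above, added here as an example; it is not code from the post or from Dovecot. It reads the request Dovecot passes on fd 3, takes the client IP from `TCPREMOTEIP`, and emits one log line per attempt that fail2ban can match with a single-hit rule. The user table, log key, instant-block list, log format and the keyed password fingerprint (used instead of the cleartext password) are assumptions made for the example.

```python
import hashlib, hmac, os, sys

LOG_KEY = b"constructed-demo-key"   # assumption: per-site secret for log fingerprints
SALT = b"constructed-salt"          # constructed; a real store uses per-user salts

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _kdf("correct horse")}                # constructed stand-in user store
INSTANT_BLOCK = {("admin", "admin"), ("test", "test")}  # constructed combos no real user has

def parse_request(raw):
    """checkpassword request on fd 3: username NUL password NUL [timestamp NUL]."""
    fields = raw.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword request")
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")

def fingerprint(password):
    """Keyed hash: lets logs correlate one guessed password across many IPs."""
    return hmac.new(LOG_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

def handle(raw, ip):
    """Return (exit_code, log_line): 0 accept, 1 reject, 2 misuse."""
    try:
        user, password = parse_request(raw)
    except ValueError as exc:
        return 2, f"checkpw verdict=error rip={ip} reason={exc}"
    candidate = _kdf(password)      # always computed, so unknown users cost the same time
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, candidate):
        return 0, f"checkpw verdict=ok rip={ip} user={user!r}"
    if (user, password) in INSTANT_BLOCK:
        verdict = "block"           # a fail2ban filter can ban on this with maxretry = 1
    else:
        verdict = "unknown-user" if stored is None else "fail"
    # repr() on the username keeps embedded newlines from forging extra log lines
    return 1, f"checkpw verdict={verdict} rip={ip} user={user!r} pwfp={fingerprint(password)}"

def main(argv):
    code, line = handle(os.read(3, 512), os.environ.get("TCPREMOTEIP", "-"))
    print(line, file=sys.stderr)    # assumption: stderr reaches a log fail2ban reads
    if code == 0:                   # a production script also exports USER and HOME first
        os.execvp(argv[1], argv[1:])    # hand over to the reply program Dovecot named
    return code

if __name__ == "__main__":
    if len(sys.argv) > 1:           # invoked by Dovecot with the reply program as argument
        sys.exit(main(sys.argv))
    for raw, ip in [(b"admin\0admin\0\0", "198.51.100.7"),    # constructed attempts
                    (b"bob\0hunter2\0\0", "203.0.113.9")]:
        print(handle(raw, ip)[1])
```
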