On 2007-12-09 11:13:09 -0800, Asheesh Laroia wrote:
On Sat, 8 Dec 2007, Peter Hessler wrote:
There are a couple of jerks that are tying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.
Another suggestion via PAM:
"pam_shield blocks IPs" http://www.ka.sara.nl/home/walter/pam%5Fshield/README.txt describes http://www.ka.sara.nl/home/walter/pam%5Fshield/ .
I still think that fail2ban is a better approach.
or just iptables: iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force attack " iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP iptables -A input_ext -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
darix-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org