On Apr 8, 2007, at 9:20 AM, Pete Dubler wrote:
Has anyone implemented a script to block IPs which are attacking on
POP3 ports using dovecot logs to indicate repetitive failed login
attempts? sshblack does this nicely for ssh (port 22) attacks by monitoring
the /var/log/secure file. I am considering rewriting this to POP3
port (110), but if it has already been done, I sure don't need the
practice.
Gotta love PF on OpenBSD (and FreeBSD). It was a simple addition to
the pass rule:
    pass in quick on $ext_if proto tcp from any to $imaphost port \
        $imap_tcp_bf_svcs flags S/SA keep state (max-src-conn 25, \
        max-src-conn-rate 10/1, overload <my-imap-bf> flush global) \
        label "$dstaddr:$dstport:$proto"
This limits a host to 25 connections, 10 per second. If they exceed
either, they're dumped into the my-imap-bf table, which is blocked
earlier in the file with a
    block quick from <my-imap-bf>
:-)
I used the values I did because I had some 600 connections in 40 seconds.
Sean
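
The PF rule above counts connections, not failed logins, so the log-driven approach Pete asks about can feed the same <my-imap-bf> table. The following is an added example, not code from this thread or from sshblack. It assumes dovecot login lines that contain "auth failed" and a rip= field, a threshold of 5 failures in 60 seconds, and a caller-supplied year; the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: syslog timestamp, a dovecot pop3/imap login-process
# message containing "auth failed", and the client address in rip=.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*dovecot.*(?:pop3|imap)-login: "
                     r".*auth failed.*\brip=(?P<rip>[0-9A-Fa-f:.]+)")

def offenders(lines, threshold=5, window=timedelta(seconds=60), year=2007):
    """Return source IPs with at least `threshold` failed logins inside `window`."""
    recent, flagged = defaultdict(deque), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["rip"])
        except ValueError:
            continue  # never hand unvalidated log text to pfctl
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is the same client as a.b.c.d
        # syslog omits the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold and str(ip) not in flagged:
            flagged.append(str(ip))
    return flagged

def pfctl_commands(ips, table="my-imap-bf"):
    """Render commands that add each address to the PF table named in the post."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

def _fail(hhmmss, rip):  # builds one constructed log line
    return (f"Apr  8 {hhmmss} mail dovecot: pop3-login: Aborted login "
            f"(auth failed, 1 attempts): user=<bob>, method=PLAIN, rip={rip}, lip=192.0.2.10")

# Constructed sample input, not taken from the original thread.
SAMPLE = ([_fail(f"09:12:{s:02d}", "203.0.113.5") for s in range(0, 10, 2)]     # 5 in 8 s
          + [_fail(f"09:13:{s:02d}", "::ffff:198.51.100.7") for s in range(5)]  # mapped IPv4
          + [_fail(f"09:{m:02d}:00", "192.0.2.44") for m in range(20, 30, 2)]   # 5 in 8 min
          + [_fail("09:40:00", "999.1.1.1")])                                   # invalid address

if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE))))
```

The slow source (192.0.2.44) stays below the threshold because its failures fall outside the 60-second window; widen `window` to catch low-rate guessing.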