"Voytek Eymont" <voytek@sbt.net.au>
I've installed fail2ban, it seems to be working as it identified my failed test logins, BUT, my question is:
what can I do when I see same invalid name trying to login to dovecot, different IP each time, how can I say block each IP as used by this name ?
If each IP is only used once in a long while, what would be the point?
In general, distributed attacks are very hard to stop if you have a default accept stance. I've observed that most of the attacks to my site are from the enormous Chinese stated owned public network superblocks. I finally got sick of them so I now spiral these IMAP/POP connections into the Scharwzschild radius of my firewall.
It's a prophylactic measure and not a reactive system like fail2ban, and may not work for you if you got road warriors that frequent that part of the world. However, it did get rid of a metric ton of BFD connections.
Joseph Tam <jtam.home@gmail.com>