On Jan 2, 2008 2:33 AM, Benjamin R. Haskell dovecot@benizi.com wrote:
> I fell in the 'use another tool' (fail2ban or similar) camp the last time, but this thread made me wonder:
> Does fail2ban allow you to tarpit, rather than outright-ban, IPs? I've always thought tarpitting the better option of the two. Seems sneakier (Fight back without the attacker necessarily knowing you're fighting).
fail2ban is just a log processor that is keyed to a netfilter-like method, but modifying it to
"touch /var/tmp/.dovecotFailedAuth/$REMOTE_IP"
and then wrap the pop3/imap login_executable process with a lookup to do this sort of tarpitting with
test -f /var/tmp/.dovecotFailedAuth/$REMOTE_IP && sleep 10
The variable names escape me and the wiki wasn't immediately helpful to my tired eyes; I just couldn't find the wrapper example. If the need is great I could write a working Perl script to do both ends and work with memcache or something if you have multiple servers.
-- Gabriel Millerd
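
The marker-file tarpit described in this message, written out as an added example (not code from the thread, Dovecot or fail2ban). REMOTE_IP is the post's placeholder name; the directory, marker lifetime and function names are assumptions. Markers live in a private directory rather than world-writable /var/tmp, and the address is validated before it is used as a file name.

```sh
#!/bin/sh
# Added example, not from the thread. TARPIT_DIR, TARPIT_SECS, TARPIT_TTL_MIN
# and all function names are hypothetical.
TARPIT_DIR="${TARPIT_DIR:-/var/run/dovecot-tarpit}"  # private dir, not /var/tmp
TARPIT_SECS="${TARPIT_SECS:-10}"                     # delay used in the post
TARPIT_TTL_MIN="${TARPIT_TTL_MIN:-30}"               # marker lifetime (assumed)

# Accept only IPv4/IPv6 literal characters, so the address can never act as
# a path component such as "../x" when it becomes a file name.
valid_ip() {
    case "$1" in
        ''|.*|*..*|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Log-processor side: record a failed login for this address.
mark_failed() {
    valid_ip "$1" || return 1
    mkdir -p -m 700 "$TARPIT_DIR" && touch "$TARPIT_DIR/$1"
}

# Login-wrapper side: print how many seconds this address should be stalled.
tarpit_delay() {
    if ! valid_ip "$1" || [ ! -f "$TARPIT_DIR/$1" ]; then
        echo 0
    elif [ -n "$(find "$TARPIT_DIR/$1" -mmin +"$TARPIT_TTL_MIN")" ]; then
        rm -f "$TARPIT_DIR/$1"   # expired marker: stop tarpitting this address
        echo 0
    else
        echo "$TARPIT_SECS"
    fi
}

# Wrapper usage (the real login command is passed as arguments):
#   sleep "$(tarpit_delay "$REMOTE_IP")"; exec "$@"
```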