Geert Hendrickx wrote:
> On Fri, Aug 25, 2006 at 04:23:32PM +0200, Amon Ott wrote:
>> On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account.
> Countless perl scripts exist which parse sshd login logs for login attacks and insert dynamic firewall rules to temporarily blacklist them. Those could easily be adapted to pop3/imap login logs.
> Geert
I use fail2ban.
It has settings for SSH, Apache and vsftpd in the default config file, but you can easily add your own [dovecot] section.
Enter the log to monitor, the failure regex to match on, and the action to take after a specified number of failures (defaults to blocking IP for 600 seconds) and you're away.
Alex
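
The log-watching approach discussed in this thread, as an added example that is not part of the original messages and is not fail2ban's own code: it counts failed POP3/IMAP logins per remote address inside a time window and reports which addresses would be blocked for 600 seconds. The log line shape, the threshold of 3 failures, the 600-second counting window and all names in the code are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape; adapt the regex to what your Dovecot version writes.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: (?:pop3|imap)-login: "
    r".*auth failed.*\brip=(?P<ip>[0-9a-fA-F.:]+)")
MAX_RETRY = 3                          # assumed failures tolerated per address
FIND_TIME = timedelta(seconds=600)     # assumed window in which they count
BAN_TIME = timedelta(seconds=600)      # block length mentioned in the thread

def parse_failure(line, year=2006):
    """Return (timestamp, remote_ip) for a failed login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(lines):
    """Return [(ip, ban_start, ban_end)] for addresses that hit MAX_RETRY."""
    recent, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:                 # lines are assumed to be in time order
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if banned_until.get(ip, datetime.min) > ts:
            continue                   # already blocked, nothing to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FIND_TIME:   # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            q.clear()
    return bans

# Constructed sample lines (documentation address ranges), not real logs.
P = "Aug 25 16:0%s mail dovecot: %s-login: %s: user=<%s>, method=PLAIN, rip=%s, lip=192.0.2.10"
BAD = "Aborted login (auth failed, 1 attempts)"
SAMPLE_LOG = [
    P % ("1:02", "pop3", BAD, "alice", "203.0.113.7"),
    P % ("1:05", "pop3", BAD, "bob", "203.0.113.7"),
    P % ("1:07", "imap", "Login", "carol", "198.51.100.4"),   # successful login
    P % ("1:09", "pop3", BAD, "carol", "203.0.113.7"),        # third failure
    P % ("2:00", "pop3", BAD, "dave", "203.0.113.7"),         # during the block
    P % ("3:00", "imap", BAD, "carol", "198.51.100.4"),       # single failure
]
```

Counting per remote address rather than per account matches the original request: the three failures that trigger the block here are against three different users.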