On Apr 8, 2007, at 9:20 AM, Pete Dubler wrote:

Has anyone implemented a script to block IPs which are attacking on
POP3 ports using dovecot logs to indicate repetitive failed login
attempts?

sshblack does this nicely for ssh (port 22) attacks by monitoring
the /var/log/secure file. I am considering rewriting this to POP3
port (110), but if it has already been done, I sure don't need the
practice.

Gotta love PF on OpenBSD (and FreeBSD). It was a simple addition to
the pass rule:

pass in quick on $ext_if proto tcp from any to $imaphost port
$imap_tcp_bf_svcs flags S/SA keep state (max-src-conn 25,
max-src-conn-rate 10/1, overload <my-imap-bf> flush global)
label "$dstaddr:$dstport:$proto"

This limits a host to 25 connections, 10 per second. If they exceed
either, they're dumped into the my-imap-bf table, which is blocked
earlier in the file with a

block quick from <my-imap-bf>

:-)

I used the values I did because I had some 600 connection in 40 seconds.

Sean