"Voytek Eymont" <voytek@sbt.net.au>

I've installed fail2ban, it seems to be working as it identified my failed test logins, BUT, my question is:

what can I do when I see same invalid name trying to login to dovecot, different IP each time, how can I say block each IP as used by this name ?

If each IP is only used once in a long while, what would be the point?

In general, distributed attacks are very hard to stop if you have a default accept stance. I've observed that most of the attacks to my site are from the enormous Chinese stated owned public network superblocks. I finally got sick of them so I now spiral these IMAP/POP connections into the Scharwzschild radius of my firewall.

It's a prophylactic measure and not a reactive system like fail2ban, and may not work for you if you got road warriors that frequent that part of the world. However, it did get rid of a metric ton of BFD connections.

Joseph Tam <jtam.home@gmail.com>