[Dovecot] Auto-blacklisting hosts after too many failed logins

Amon Ott ao at rsbac.org
Fri Aug 25 17:23:32 EEST 2006


Hi folks,

First of all, thanks for Dovecot, I appreciate it a lot.

On one of our servers, we experience regular tries to brute force 
logins, probably based on harvested mail addresses. Now I wonder if 
dovecot has or could in future have some mechanism to blacklist 
remote IP addresses after a configurable number of failures to login 
to any account.

Blacklisted IPs could simply be disconnected without giving them a 
chance to do anything. After e.g. one day or one hour of no further 
connection, the blacklist entry could be dropped.

As a bonus, it would be great to have a way to close the POP3/IMAP 
firewall ports to these IPs to avoid dovecot seeing the connection at 
all. A kind of blacklist status file on disk would be enough, from 
which some cron job could fill a firewall chain.

If necessary, I would try to add this functionality myself.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
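
The mechanism requested above, sketched as an added example; it is not part of the original post and is not Dovecot code. The class and function names, the threshold of 3 failures, the one-hour idle expiry and the sample events are all assumptions made for illustration.

```python
import os

class Blacklist:
    def __init__(self, max_failures=3, idle_expiry=3600):
        self.max_failures = max_failures  # assumed threshold, configurable
        self.idle_expiry = idle_expiry    # assumed: one hour without connections
        self.failures = {}                # ip -> failed logins to any account
        self.last_seen = {}               # ip -> time of most recent connection

    def _expire(self, now):
        # Drop all state for IPs that have not connected for idle_expiry seconds.
        for ip in [i for i, t in self.last_seen.items() if now - t >= self.idle_expiry]:
            del self.last_seen[ip]
            self.failures.pop(ip, None)

    def blocked_ips(self, now):
        self._expire(now)
        return sorted(i for i, n in self.failures.items() if n >= self.max_failures)

    def connect(self, ip, now):
        """Call on every new connection; False means disconnect immediately."""
        allowed = ip not in self.blocked_ips(now)
        self.last_seen[ip] = now  # any connection restarts the idle timer
        return allowed

    def login_failed(self, ip):
        self.failures[ip] = self.failures.get(ip, 0) + 1

    def write_status(self, path, now):
        """Status file for the cron job: one blocked IP per line, replaced atomically."""
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.writelines(ip + "\n" for ip in self.blocked_ips(now))
        os.replace(tmp, path)

def replay(events, bl):
    """events: (time, ip, outcome) tuples; returns one decision per event."""
    decisions = []
    for now, ip, outcome in events:
        if not bl.connect(ip, now):
            decisions.append("dropped")
            continue
        if outcome == "fail":
            bl.login_failed(ip)
        decisions.append(outcome)
    return decisions

# Constructed sample events (documentation address ranges), not real log data.
EVENTS = [(0, "192.0.2.10", "fail"), (10, "192.0.2.10", "fail"),
          (20, "198.51.100.7", "ok"), (30, "192.0.2.10", "fail"),
          (40, "192.0.2.10", "fail"), (3000, "192.0.2.10", "ok"),
          (6000, "192.0.2.10", "ok"), (9700, "192.0.2.10", "ok")]
```

Because every connection attempt restarts the idle timer, a blocked host that keeps retrying stays blocked; the entry is dropped only after a full expiry period of silence, as at the last sample event.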

