[Dovecot] Auto-blacklisting hosts after too many failed logins
Ken A
ka at pacific.net
Mon Aug 28 19:03:42 EEST 2006
This really shouldn't be a dovecot function, since this isn't an
application level attack. Check out ossec-hids. I use it exactly for
this purpose for blocking brute force attacks on other protocols as
well - ftp, ssh, smtp, etc...
Ken A.
Pacific.Net
Amon Ott wrote:
> Hi folks,
>
> first of all thanks for Dovecot, I appreciate it a lot.
>
> On one of our servers, we experience regular tries to brute force
> logins, probably based on harvested mail addresses. Now I wonder if
> dovecot has or could in future have some mechanism to blacklist
> remote IP addresses after a configurable number of failures to login
> to any account.
>
> Blacklisted IPs could simply be disconnected without giving them a
> chance to do anything. After e.g. one day or one hour of no further
> connection, the blacklist entry could be dropped.
>
> As a bonus, it would be great to have a way to close the POP3/IMAP
> firewall ports to these IPs to avoid dovecot seeing the connection at
> all. A kind of blacklist status file on disk would be enough, from
> which some cron job could fill a firewall chain.
>
> If necessary, I would try to add this functionality myself.
>
> Amon.
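
The mechanism proposed in the quoted message (count failed logins per remote IP across all accounts, expire entries after an hour, write a status file for a cron job) can be sketched as below. This is an added example, not code from either poster, Dovecot or OSSEC. The log line format, the 10-minute counting window, and the names `FAIL_RE`, `blacklist` and `render_status` are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the line format is an assumption, adapt FAIL_RE to your logs.
SAMPLE_LOG = """\
2006-08-28 16:00:00 pop3-login: Aborted login (auth failed): user=<a>, rip=2001:db8::1
2006-08-28 16:00:02 pop3-login: Aborted login (auth failed): user=<b>, rip=2001:db8::1
2006-08-28 16:00:04 pop3-login: Aborted login (auth failed): user=<c>, rip=2001:db8::1
2006-08-28 18:00:01 pop3-login: Aborted login (auth failed): user=<alice>, rip=203.0.113.5
2006-08-28 18:00:05 imap-login: Aborted login (auth failed): user=<bob>, rip=203.0.113.5
2006-08-28 18:00:09 pop3-login: Aborted login (auth failed): user=<carol>, rip=203.0.113.5
2006-08-28 18:01:00 pop3-login: Aborted login (auth failed): user=<d rip=192.0.2.99>, rip=198.51.100.7
2006-08-28 18:02:00 imap-login: Login: user=<erin>, rip=198.51.100.7
""".splitlines()

# The user field is client-supplied, so anchor on the fixed prefix and require
# rip= to end the line: only the address written by the server can match.
FAIL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+-login: "
                     r"Aborted login \(auth failed\): .*\brip=([0-9A-Fa-f.:]+)$")

def blacklist(lines, now, max_failures=3,
              window=timedelta(minutes=10), ttl=timedelta(hours=1)):
    """Map each offending IP to its expiry time; entries expired at `now` are dropped."""
    recent, last_seen, flagged = defaultdict(deque), {}, set()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))  # never pass junk to a firewall
        except ValueError:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # keep only failures inside the window
            q.popleft()
        if len(q) >= max_failures:     # counted per IP, across all accounts
            flagged.add(ip)
        last_seen[ip] = ts             # TTL restarts on each further failure
    return {ip: last_seen[ip] + ttl for ip in flagged if last_seen[ip] + ttl > now}

def render_status(entries):
    """Status-file text, one 'ip expiry' pair per line, for a cron job to read."""
    return "\n".join(f"{ip} {exp.isoformat()}" for ip, exp in sorted(entries.items()))

if __name__ == "__main__":
    print(render_status(blacklist(SAMPLE_LOG, datetime(2006, 8, 28, 18, 30))))
```

Only failed logins appear in this log, so the time of the last failure stands in for "no further connection" when computing expiry.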