[Dovecot] Auto-blacklisting hosts after too many failed logins

Ale Pimperton alex at erus.co.uk
Tue Aug 29 13:42:22 EEST 2006


Geert Hendrickx wrote:
> On Fri, Aug 25, 2006 at 04:23:32PM +0200, Amon Ott wrote:
>   
>> On one of our servers, we experience regular tries to brute force logins,
>> probably based on harvested mail addresses. Now I wonder if dovecot has
>> or could in future have some mechanism to blacklist remote IP addresses
>> after a configurable number of failures to login to any account.
>>     
>
> Countless perl scripts exist which parse sshd login logs for login attacks
> and insert dynamic firewall rules to temporarily blacklist them.  Those
> could easily be adapted to pop3/imap login logs.  
>
> 	Geert
>   
I use fail2ban.

It has settings for SSH, Apache and vsftpd in the default config file 
but you can easily add your own [dovecot] section.

Enter the log to monitor, the failure regex to match on, and the action 
to take after a specified number of failures (defaults to blocking the IP 
for 600 seconds) and you're away.

Alex
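
The three settings named above (log to monitor, failure regex, action after a number of failures), sketched as an added example that is not part of the original message and is not fail2ban's own code. The log line format, `MAX_FAILURES`, `FIND_WINDOW` and the function name `find_bans` are assumptions; the code only returns block decisions and leaves the firewall action to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format, modelled on Dovecot login messages; adapt to your logs.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r".*auth failed.*\brip=(?P<ip>[0-9a-fA-F.:]+)")

MAX_FAILURES = 3   # failures allowed inside FIND_WINDOW (assumed value)
FIND_WINDOW = 600  # seconds over which failures are counted (assumed value)
BAN_SECONDS = 600  # block duration; 600 s is the default named in the post

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
Aug 29 13:40:01 mail dovecot: pop3-login: Aborted login (auth failed): user=<info>, rip=203.0.113.7, lip=192.0.2.10
Aug 29 13:40:03 mail dovecot: pop3-login: Aborted login (auth failed): user=<admin>, rip=203.0.113.7, lip=192.0.2.10
Aug 29 13:40:04 mail dovecot: imap-login: Login: user=<alice>, rip=198.51.100.4, lip=192.0.2.10
Aug 29 13:40:06 mail dovecot: pop3-login: Aborted login (auth failed): user=<sales>, rip=203.0.113.7, lip=192.0.2.10
Aug 29 13:40:09 mail dovecot: imap-login: Aborted login (auth failed): user=<alice>, rip=198.51.100.4, lip=192.0.2.10
""".splitlines()


def find_bans(lines, year=2006):
    """Return (ip, ban_start, ban_end) per block; syslog lines carry no year."""
    recent = defaultdict(deque)  # ip -> times of failures inside the window
    banned_until = {}            # ip -> time at which its block expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue             # successful logins and unrelated lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue             # still blocked: do not count or re-ban
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FIND_WINDOW:
            window.popleft()     # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            banned_until[ip] = ts + timedelta(seconds=BAN_SECONDS)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()       # start counting afresh after the block
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"block {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Counting per remote IP rather than per account is what makes this catch the guessing across harvested addresses described in the original question: the sample attacker tries three different users and is still blocked.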

