[Dovecot] disconnect after too many errors?

Marcus Rueckert darix at opensu.se
Sun Dec 9 21:39:57 EET 2007


On 2007-12-09 11:13:09 -0800, Asheesh Laroia wrote:
> On Sat, 8 Dec 2007, Peter Hessler wrote:
> 
> >There are a couple of jerks that are trying to dictionary attack my
> >email server, and one of the vectors is pop3/imap logins.  Something I
> >would like to do in dovecot, but can't seem to find, is the ability to
> >disconnect after a certain number of errors.  The vast majority of my
> >users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we
> >do, we know how to spell things properly.
> 
> Another suggestion via PAM:
> 
> "pam_shield blocks IPs" 
> <http://www.ka.sara.nl/home/walter/pam%5Fshield/README.txt> describes 
> http://www.ka.sara.nl/home/walter/pam%5Fshield/ .
> 
> I still think that fail2ban is a better approach.

or just iptables:
iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force attack "
iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A input_ext -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

    darix

-- 
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org
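
Added example (not part of the original post or of any project's code): a simplified Python model of how the three `recent` rules above treat new connections from a single source, run on constructed traffic. Assumptions: one event per new connection, the LOG rule and the `--rttl` comparison are left out, and the names `simulate` and `summary` are made up for this sketch.

```python
from collections import Counter, defaultdict

SECONDS, HITCOUNT = 60, 4   # --seconds 60 --hitcount 4, as in the rules above


def simulate(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Replay (time_s, source_ip) connection attempts, sorted by time.

    Simplified model (assumption): one event per new connection, the LOG
    rule and the --rttl TTL comparison are left out.
    """
    stamps = defaultdict(list)      # per-source timestamps, like the named list
    verdicts = []
    for t, src in attempts:
        in_window = [s for s in stamps[src] if t - s <= seconds]
        # DROP rule: --update matches when the source already has at least
        # `hitcount` entries inside the window, and a match refreshes the
        # entry, so a source that keeps connecting stays blocked.
        # Otherwise the last rule (--set ... -j ACCEPT) records the attempt.
        verdict = "DROP" if len(in_window) >= hitcount else "ACCEPT"
        stamps[src].append(t)       # both branches add a timestamp
        verdicts.append((t, src, verdict))
    return verdicts


def summary(verdicts):
    """Count verdicts per source: {(source_ip, verdict): n}."""
    return Counter((src, v) for _, src, v in verdicts)


# Constructed sample traffic (documentation addresses, not real hosts).
REPEATED = [(t, "192.0.2.10") for t in range(0, 125, 5)]       # every 5 s
POLLING = [(t, "198.51.100.7") for t in range(0, 140, 20)]     # every 20 s
BURST = [(t, "203.0.113.5") for t in (0, 0.5, 1, 1.5, 2, 70)]  # 5 at once, then idle

if __name__ == "__main__":
    events = sorted(REPEATED + POLLING + BURST)
    for (src, verdict), n in sorted(summary(simulate(events)).items()):
        print(f"{src:14} {verdict:6} {n}")
```

The rules count new connections, not failed logins, so in this model a client that opens five connections within two seconds has the fifth dropped and is accepted again only after staying quiet for more than 60 seconds.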

