[Dovecot] need to block user by IP address (tried denyhosts, xinetd, iptables etc)

Noel J noeldude at gmail.com
Wed Nov 10 05:30:37 EET 2010


On Tue, Nov 9, 2010 at 9:21 PM, Stan Hoeppner <stan at hardwarefreak.com> wrote:
> Tom put forth on 11/9/2010 8:53 PM:
>
>> we have recently had some brute force attacks on the pop3 and imapd and
>> this results in many processes being used for login attempts.
>>
>> Our dovecot is hosted on a Virtual Private Server which restricts access
>> to IPTABLEs and also make a limit on the number of processes that can be
>> running
>>
>> So I can't restrict the attackers IP addresses via IPTABLES, as we don't
>> have access to that. I can't really patch dovecot as we are reliant on
>> the distro packages.
>
> Dovecot isn't iptables.  It is an IMAP/POP3 server.  It implements basic
> user account security.  Preventing DOS or other attacks is not its job.
>  That is the job of the kernel.  There are many reasons why applications
> don't duplicate kernel functionality, and most should be obvious to
> anyone who thinks on the matter for a few moments.  I'm not going to
> bother listing them here.
>
> You went cheap and/or didn't research the provider/features, and now are
> feeling the sting.  Find a new VPS provider, or upgrade to one of their
> packages that allows access to iptables so you can run fail2ban.  I
> don't think you're going to be able to make headway here with Dovecot.
>
> Some lessons are, unfortunately, learned best the hard way. :(
>
> --
> Stan
>


Stan's right, dovecot can't do much about the attack.  But it's not
time to surrender just yet.

Do you have access to the routing table?  If you can run a "route add
..." command, you can null-route the attacker (either route them to
localhost or "blackhole" if your OS supports that).

If you can install fail2ban, you can fairly easily change its action
to something other than iptables.

Maybe someone else has other suggestions...


  -- Noel Jones


More information about the dovecot mailing list