[Dovecot] limiting number of login attempts from same ip

Ed W lists at wildgooses.com
Thu Jun 16 00:34:44 EEST 2011


On 14/06/2011 08:25, Nikolaos Milas wrote:
> I would like to add that, although fail2ban is great and we are using it
> for a long time, it doesn't support IPv6; now that our servers (we are
> using CentOS 5.6 x86_64) and networks are IPv6 enabled, this is a
> problem (but hopefully IPv6-based attacks should not be very common
> yet). We have not implemented a solution for protecting pop3/imap over
> IPv6 yet, but I have recently found this article:
> http://www.roedie.nl/tag/fail2ban/ which suggests autofwd:
> http://freshmeat.net/projects/autofwd which might provide a good
> solution. It seems versatile and supports IPv6.
> 
> If anybody has done or can do an implementation on Linux (using iptables
> AND ip6tables) for pop3/imap, pop3s/imaps and share it, it will be most
> welcome and very useful.

I don't see why fail2ban would have anything to do with ipv6 since it
simply runs a script when something needs doing? Just adapt your script?
Not having tried it, but possibly the regexps need tweaking also?

On a related note, recent kernels (and old kernels can build a module)
implement "ipset".  This is a way to implement a named hash of
IPs/Ports/MACs, etc.  The point is to use a single iptables rule to do
something with your ipset, then you have the ability to dynamically
alter the ipset as you will without needing to reload iptables rules.

(I believe that iptables is still unable to be altered dynamically? Each
time you *think* you are inserting a rule, actually you are dropping the
entire ruleset, then reinserting the entire new ruleset with one extra
rule. This creates a window of opportunity each time you innocently
insert a new rule. Further it explains the O(n^2) speed of running
"iptables -A" or similar)

For these reasons ipset seems like a great addition!

Ed W
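The setup Ed describes, as an added example that is not from the thread or from the dovecot or fail2ban projects: one set per address family (which also covers the IPv6 gap Nikolaos raised), a single iptables and ip6tables rule matching those sets on the POP3/IMAP ports, and a ban function that only ever touches the set. The set names, port list and timeout are assumptions; DRY_RUN is a hypothetical switch so the script can be exercised without root.

```shell
#!/bin/sh
# Added example: ipset-backed banning for Dovecot's POP3/IMAP ports.
# Set names, ports and timeout below are assumed values, not from the thread.
SET4=dovecot_ban4
SET6=dovecot_ban6
PORTS=110,143,993,995   # pop3, imap, imaps, pop3s
BAN_SECONDS=3600        # entries age out of the set by themselves

# run CMD...: execute CMD, or just print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup: create both sets (idempotent thanks to -exist) and insert exactly
# one rule per family.  Run once at boot; bans never reload the ruleset.
setup() {
    run ipset create -exist "$SET4" hash:ip family inet  timeout "$BAN_SECONDS"
    run ipset create -exist "$SET6" hash:ip family inet6 timeout "$BAN_SECONDS"
    run iptables  -I INPUT -p tcp -m multiport --dports "$PORTS" \
        -m set --match-set "$SET4" src -j DROP
    run ip6tables -I INPUT -p tcp -m multiport --dports "$PORTS" \
        -m set --match-set "$SET6" src -j DROP
}

# set_for ADDRESS: print the set an address belongs in (a colon means IPv6).
set_for() {
    case "$1" in
        *:*) echo "$SET6" ;;
        *)   echo "$SET4" ;;
    esac
}

# ban ADDRESS: add one offender to the right set with the configured timeout.
# A fail2ban actionban (or any log watcher) would call this instead of
# editing iptables/ip6tables rules directly.
ban() {
    run ipset add -exist "$(set_for "$1")" "$1" timeout "$BAN_SECONDS"
}

# unban ADDRESS: remove an entry early (-exist tolerates an already-expired one).
unban() {
    run ipset del -exist "$(set_for "$1")" "$1"
}

# Usage: . ./dovecot-ipset.sh; setup; ban 192.0.2.10; ban 2001:db8::10
```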