[Dovecot] script to detect dictionary attacks

Robert Schetterer rs at sys4.de
Sat Apr 6 15:15:51 EEST 2013


On 06.04.2013 13:18, Reindl Harald wrote:
> Hi
> 
> Does someone have a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source IPs?
> 
> I know about fail2ban and so on, but I would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> altogether because it does not match the way we maintain firewalls:
> 
> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to every server with a comment and timestamp
> * write an abuse mail to the ISP
> 

Hi Harald, not exactly,

but I have written a blog post about detecting and alarming via xymon on
brute force against dovecot:

http://sys4.de/de/blog/2013/01/29/howto-monitor-brute-force-attacks-on-dovecot/

I also have a blog post

about using iptables from an rsyslog pipe with the recent module to drop IPs:

http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

Mix it up somehow in scripts and produce a mail to the abuse mail account
found by whois. To me, alarming is enough; on my servers
it looks like most alarms are coming from users with wrong login data
etc., real brute force attacks are rare.

Best Regards,
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
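The question above asks for a script that picks dictionary attacks out of /var/log/maillog and reports the source IPs, and Robert's reply notes that most of his alarms come from users with wrong login data rather than real brute force. The following is an added example, not code from either poster or from the linked blog posts: it sums Dovecot "auth failed" disconnects per rip= and only reports an IP once it has tried several distinct usernames, so a single user retyping a bad password is not flagged. The thresholds and the sample log lines are assumptions (constructed, RFC 5737 addresses).

```python
import re
import sys
from collections import defaultdict

# Matches Dovecot 2.x login-failure lines: "imap-login: Disconnected (auth failed, N attempts in S secs): user=<u>, ..., rip=IP, ..."
AUTH_FAILED = re.compile(
    r"(?:imap|pop3)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[0-9A-Fa-f.:]+)"
)

# Constructed sample of /var/log/maillog (not real traffic).
SAMPLE_LOG = """\
Apr  6 13:01:02 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Apr  6 13:01:09 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Apr  6 13:02:00 mx1 dovecot: pop3-login: Disconnected (auth failed, 5 attempts in 20 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Apr  6 13:02:30 mx1 dovecot: pop3-login: Disconnected (auth failed, 4 attempts in 15 secs): user=<info>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Apr  6 13:03:00 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Apr  6 13:03:10 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
"""

def parse_auth_failures(lines):
    """Aggregate failed-login attempts and the usernames tried, per source IP (rip=)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = AUTH_FAILED.search(line)
        if m:
            rec = per_ip[m.group("ip")]
            rec["attempts"] += int(m.group("attempts"))
            rec["users"].add(m.group("user"))
    return per_ip

def find_dictionary_attacks(lines, min_attempts=10, min_users=3):
    """A dictionary attack shows many failures AND many distinct usernames from one IP; a user
    retyping a wrong password fails only on their own account. Thresholds are assumed defaults."""
    hits = []
    for ip, rec in parse_auth_failures(lines).items():
        if rec["attempts"] >= min_attempts and len(rec["users"]) >= min_users:
            hits.append((ip, rec["attempts"], sorted(rec["users"])))
    return sorted(hits, key=lambda h: -h[1])

def format_alert(hits):
    """Plain-text body for a notification mail, one line per offending IP."""
    return "\n".join(f"{ip}: {n} failed logins against {len(users)} accounts ({', '.join(users)})"
                     for ip, n, users in hits)

if __name__ == "__main__":
    # Usage: python3 dovecot_dict.py < /var/log/maillog  (run from a terminal without input to use the sample)
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(format_alert(find_dictionary_attacks(lines)) or "no dictionary attacks found")
```

The output of format_alert is what a cron job would pipe into mail for the abuse contact or the firewall-distribution script Harald describes.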

