[Dovecot] script to detect dictionary attacks

Reindl Harald h.reindl at thelounge.net
Sat Apr 6 15:43:42 EEST 2013



On 06.04.2013 14:24, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 13:18:
> 
>> has someone a script which can filter out dictionary attacks
>> from /var/log/maillog and notify about the source-IPs?
> 
> yes i have :)
> 
> pflogsumm

has to do what with IMAP/POP3 Logins?

>> i know about fail2ban and so on, but i would like to have
>> a mail with the IP address for two reasons and avoid fail2ban
>> at all because it does not match in the way we maintain firewalls
> 
> it's simple to make a filter that checks unknown user in postfix logs, it's even more simple if one makes syslog to
> sql, then postfix can live block that ip that sends to unknown users

but nobody speaks about postfix

>> * add the IP to a distributed "iptables-block.sh" and distribute
>>   it to any server with a comment and timestamp
>> * write an abuse-mail to the ISP
> 
> that would be cool, lol :)

what would be cool?
what *lol*?

i speak about a simple way to get a notify of the brute-forcing IP
and the both are MANUAL tasks i do since virtually forever
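
The kind of filter the message asks for, as an added example that is not part of the original thread: it reads maillog lines, counts failed Dovecot IMAP/POP3 logins per source IP and flags IPs that tried several different usernames. The log line pattern, the thresholds, the function names and the sample lines are assumptions; mailing the report and the firewall and abuse steps stay manual, as described above.

```python
import re
from collections import defaultdict

# Assumed shape of a Dovecot login-failure line; the exact fields depend on
# the Dovecot version and login_log_format_elements, so adjust the pattern.
FAILED = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*\(auth failed, (\d+) attempts[^)]*\): "
    r"user=<([^>]*)>.*?\brip=([0-9A-Fa-f:.]+)"
)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Apr  6 13:01:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Apr  6 13:01:09 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Apr  6 13:01:15 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Apr  6 13:01:30 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<webmaster>, method=LOGIN, rip=203.0.113.7, lip=192.0.2.10
Apr  6 13:05:00 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 20 secs): user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
Apr  6 13:06:00 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 18 secs): user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
Apr  6 13:07:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.21, lip=192.0.2.10, mpid=4242
"""

def summarize(lines):
    """Return {ip: {"attempts": int, "users": set}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            attempts, user, ip = m.groups()
            stats[ip]["attempts"] += int(attempts)
            stats[ip]["users"].add(user.lower())
    return dict(stats)

def suspects(stats, min_attempts=5, min_users=3):
    """A dictionary attack tries many names; a mistyped password hits one."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)

def report(stats, ips):
    """Plain-text body for the notification mail (sending is left to cron/MTA)."""
    return "\n".join(f"{ip}: {stats[ip]['attempts']} failed attempts, users tried: "
                     f"{', '.join(sorted(stats[ip]['users']))}" for ip in ips)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print(report(stats, suspects(stats)))
```

Requiring several distinct usernames keeps a single user who keeps mistyping a password (198.51.100.20 in the sample) out of the report.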
