[Dovecot] script to detect dictionary attacks

Max Pyziur pyz at brama.com
Sat Apr 6 23:55:11 EEST 2013


On Sat, 6 Apr 2013, Reindl Harald wrote:

> Hi
>
> does anyone have a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source IPs?
>
> I know about fail2ban and so on, but I would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> altogether because it does not match the way we maintain firewalls:
>
> * add the IP to a distributed "iptables-block.sh" and distribute
>  it to every server with a comment and timestamp
> * write an abuse mail to the ISP

Thinking tangentially to this proposal, are there blacklists (BLs) 
maintained regarding known IPs perpetrating attempts at pop/imap 
intrusions, much in the same way CBL does for spam, and OpenBL 
(http://www.openbl.org/lists.html) does for ssh (primarily)?

That way, you leave your iptables configuration as it is, and create a 
mechanism that uses the resource (the BLs) to populate your /etc/hosts.deny 
file, using tcp_wrappers to prevent intrusion/brute-force attacks on 
services that have open ports in the firewall.

Thanks,

Max Pyziur
pyz at brama.com
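Added example, not code from either poster or from the Dovecot project: a small Python script for the request in the original post. It counts Dovecot "auth failed" disconnects per source IP (the rip= field, never lip=), flags sources that either rack up many attempts or cycle through many usernames, and renders both the notification body and timestamped /etc/hosts.deny entries. The same renderer can be fed IPs pulled from an external blocklist, as suggested in the reply. Assumptions: the log format is that of a Dovecot 2.x imap-login/pop3-login process, the thresholds (10 attempts or 3 usernames) are illustrative, the sample log lines are constructed, and the hosts.deny daemon names "imap"/"pop3" are what Dovecot's tcpwrap service hands to tcp_wrappers, which should be checked against your own login_access_sockets setup.

```python
#!/usr/bin/env python3
"""Flag dictionary attacks against Dovecot IMAP/POP3 logins in a maillog and
emit a notification body plus hosts.deny entries for the offending IPs."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Matches Dovecot 2.x login-process lines such as
#   dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs):
#   user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
# 'rip=' is the remote peer; 'lip=' is our own address and must not be counted.
AUTH_FAIL_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Disconnected \(auth failed, "
    r"(?P<attempts>\d+) attempts? in \d+ secs\): user=<(?P<user>[^>]*)>.*?"
    r"\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample log (not real traffic): one password-guessing source,
# one username-enumeration source, and one legitimate user who mistyped twice.
SAMPLE_LOG = """\
Apr  6 22:01:10 mx dovecot: imap-login: Disconnected (auth failed, 5 attempts in 30 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Apr  6 22:01:45 mx dovecot: imap-login: Disconnected (auth failed, 7 attempts in 41 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Apr  6 22:02:03 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Apr  6 22:02:05 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Apr  6 22:02:08 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Apr  6 22:03:00 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=<dave>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Apr  6 22:03:30 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
"""


def parse_auth_failures(lines):
    """Yield (rip, user, attempts, proto) for every auth-failure line; lines
    that do not match (successful logins, other daemons) are skipped."""
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            yield m["rip"], m["user"], int(m["attempts"]), m["proto"]


def find_attackers(events, min_attempts=10, min_users=3):
    """Aggregate failures per source IP and keep the ones that look like a
    dictionary attack: many failed attempts, or many different usernames
    (enumeration with one guess each slips past a pure attempt count).
    Returns {ip: {"attempts": n, "users": set, "protos": set}}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "protos": set()})
    for rip, user, attempts, proto in events:
        rec = per_ip[rip]
        rec["attempts"] += attempts
        rec["users"].add(user)
        rec["protos"].add(proto)
    return {ip: rec for ip, rec in per_ip.items()
            if rec["attempts"] >= min_attempts or len(rec["users"]) >= min_users}


def analyze(log_text, min_attempts=10, min_users=3):
    """Convenience wrapper: raw maillog text in, flagged sources out."""
    return find_attackers(parse_auth_failures(log_text.splitlines()),
                          min_attempts, min_users)


def hosts_deny_lines(attackers, stamp):
    """Render tcp_wrappers entries ('daemon_list : client_list'). Each entry
    carries a comment with the timestamp so it can be aged out later.
    ASSUMPTION: Dovecot's tcpwrap service presents the protocol name
    (imap, pop3) as the daemon name; verify against your own setup."""
    out = []
    for ip in sorted(attackers):
        rec = attackers[ip]
        out.append(f"# {stamp} dovecot dictionary attack: {rec['attempts']} failed "
                   f"logins, {len(rec['users'])} usernames")
        out.append(f"{','.join(sorted(rec['protos']))}: {ip}")
    return out


def notification_body(attackers, stamp):
    """Plain-text body for the notification mail: one IP per line with the
    evidence, so it can be pasted into an abuse report to the ISP."""
    lines = [f"Dovecot dictionary attacks detected ({stamp}):", ""]
    for ip in sorted(attackers):
        rec = attackers[ip]
        lines.append(f"{ip}  attempts={rec['attempts']}  "
                     f"distinct_users={len(rec['users'])}  "
                     f"protocols={'/'.join(sorted(rec['protos']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: dovecot-dict-attacks.py /var/log/maillog  (no argument: sample log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = analyze(text)
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M")
    print(notification_body(found, stamp))
    print()
    print("\n".join(hosts_deny_lines(found, stamp)))
```

Two caveats before running this against a production log: the counts are over the whole file rather than a sliding time window, so run it on a log slice (for example the last hour via cron) or add a window if you need rate-based detection, and a slow, distributed attack that makes one attempt per IP will still stay under both thresholds, which is where an external blocklist feed (as suggested above) adds value.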

