[Dovecot] script to detect dictionary attacks

Julio Cesar Covolato julio at psi.com.br
Tue Apr 9 16:39:11 EEST 2013


Hi Reindl.

I have a similar script to detect brute force attacks on the dovecot sasl 
auth system; it's very simple to adapt to the pop/imap failures log:

http://psi.com.br/~julio/postfix/sasl-killer.sh

Regards,

-- 
-----------------------------
     _    Julio Cesar Covolato
    0v0   <julio at psi.com.br>
   /(_)\  F: 55-11-3129-3366
    ^ ^   PSI INTERNET
-----------------------------

On 06-04-2013 08:18, Reindl Harald wrote:
> Hi
>
> does someone have a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> I know about fail2ban and so on, but I would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
>    it to any server with a comment and timestamp
> * write an abuse-mail to the ISP
>
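
The kind of log filter asked for above, as an added example (this is not the sasl-killer.sh script linked in the reply, and not code from either poster). It assumes the usual Dovecot `rip=` login-failure lines and Postfix `SASL ... authentication failed` warnings; the function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# failed_auth_ips FILE THRESHOLD
# Prints "COUNT IP" for every source IP with at least THRESHOLD failed logins.
failed_auth_ips() {
    awk -v min="$2" '
        # Dovecot: "... (auth failed, N attempts): user=<x>, ..., rip=IP, lip=..."
        /dovecot: .*auth failed/ {
            if (match($0, /rip=[0-9a-fA-F.:]+/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 4)
                n = 1   # fall back to one failure if no attempt count is logged
                if (match($0, /auth failed, [0-9]+ attempts/))
                    n = substr($0, RSTART + 13, RLENGTH - 13) + 0
                count[ip] += n
            }
            next
        }
        # Postfix: "warning: host[IP]: SASL LOGIN authentication failed: ..."
        /SASL [A-Za-z0-9-]+ authentication failed/ {
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges), not real log data.
sample_log() {
    cat <<'EOF'
Apr  6 08:01:02 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Apr  6 08:01:09 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Apr  6 08:02:11 mail postfix/smtpd[2112]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Apr  6 08:02:13 mail postfix/smtpd[2112]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Apr  6 08:02:15 mail postfix/smtpd[2112]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Apr  6 08:03:40 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Apr  6 08:03:55 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4242
EOF
}

# Demo: report sources with 3 or more failures in the sample.
tmp=$(mktemp) && sample_log > "$tmp" && failed_auth_ips "$tmp" 3
rm -f "$tmp"
```

On a real server the first argument would be /var/log/maillog, and the output can be piped into a mail command or a firewall list generator. A single mistyped password (192.0.2.10 in the sample) stays below the threshold and is not reported.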


