<div dir="ltr"><div>OOPS! I incorrectly copied and pasted the iptables command in my previous message. Here is the correct iptables command:<br><br>iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d aaa.bbb.ccc.ddd -j DROP</div><div><br></div><div>This command successfully blocks *future* connections to ports 143 and 993 from that IP address, but as I mentioned, it doesn't kill the currently open connection.<br></div><div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><br></div><div>-- <br> <a href="mailto:hippoman@gmail.com" target="_blank">hippoman@gmail.com</a><br> Take a hippopotamus to lunch today.<br></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 23, 2022 at 4:54 PM Hippo Man <<a href="mailto:hippoman@gmail.com">hippoman@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Thank you, but fail2ban doesn't do what I need. Here is why ...</div><div><br></div><div>I have used fail2ban and also my own homegrown log monitor program for this purpose. In both cases, I can detect the failed imap logins and then cause the following command to be run ...</div><div><br></div><div>iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP</div><div><br></div><div>However, this does not drop connections that are existing and already open. It will only drop *future* connections from that IP address to port 143.<br></div><div><br></div><div>This is why I want to kill the existing connection. Even after that "iptables" command is issued, the entity which is connected to the imap port can continue to send more and more imap commands.</div><div><br></div><div>If I can drop the TCP connection as soon as an imap login fails and also issue that kind of "iptables" command, then the client would have to reconnect in order to retry other login attempts. Those future connections would then be successfully blocked by that iptables rule.</div><div><br></div><div>And even if I issue a "tcpdrop" command instead of just the "iptables" command, it doesn't kill the already-open connection. It just force-blocks future connections.</div><div><br></div><div>I'm thinking of patching the dovecot source code to create a personal version which immediately disconnects from the socket after login failure. Of course, I would prefer not to do that, if there is another way to accomplish this.<br></div><div><div><div dir="ltr"><div dir="ltr"><div><br></div><div>-- <br> <a href="mailto:hippoman@gmail.com" target="_blank">hippoman@gmail.com</a><br> Take a hippopotamus to lunch today.<br></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins <<a href="mailto:jhp@jhprins.org" target="_blank">jhp@jhprins.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Look at fail2ban.<br>
Should be able to do that for you.<br>
<br>
Jan Hugo<br>
<br>
<br>
<div>On 5/23/22 21:11, Lloyd Zusman wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I'm running dovecot 2.2.13 under Debian 8.</div>
<div>
<p>I'd like to force an immediate TCP socket disconnect after
any imap login attempt that fails.</p>
<p>Right now, if invalid credentials are supplied during an
imap login, the client can keep retrying logins with
different credentials. However, I want to prevent that from
occurring by causing the socket connection to be closed as
soon as there is any failed login attempt.</p>
<p>I haven't been able to find any <code>dovecot</code>
configuration setting which could control this behavior, but
I'm hoping that I just missed something.</p>
<p>Thank you very much for any suggestions.</p>
</div>
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>-- <br>
<a href="mailto:hippoman@gmail.com" target="_blank">hippoman@gmail.com</a><br>
Take a hippopotamus to lunch today.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
</blockquote></div></div>