<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Just a few comments.<br>
    <br>
    - The command below drops ALL future connections to the IMAP ports
    and not just the ones from that specific IP address. <br>
    - It all depends on the ordering of the rest of your iptables rules.
    A lot of iptables setups have an accept for RELATED/ESTABLISHED at the
    top of the INPUT chain, and then indeed the traffic will continue as
    long as the connection is established. If you put a correct drop
    rule at the top of your iptables INPUT chain it will block all
    traffic, including anything RELATED/ESTABLISHED.<br>
    <br>
    Fail2Ban is able to insert such a drop rule at the top of the INPUT
    chain and thereby block all further tries.<br>
    This is exactly how I have set up my fail2ban and it works.<br>
    <br>
    The first few lines of my iptables input chain look like this:<br>
    <br>
    <pre>
  29M 2249M f2b-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 110,143,993,995
9969K 2545M f2b-sasl     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
9691K 2788M ACCEPT       all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 134M  257G ACCEPT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    </pre>
    <br>
    Jan Hugo Prins<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 5/23/22 23:16, Hippo Man wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAK1LP6nqpGny6dAdZT54CBL=95XJ4c9yjZR7Uec_az1TP5BUdA@mail.gmail.com">
      <div dir="ltr">
        <div>OOPS! I incorrectly copied and pasted the iptables command
          in my previous message. Here is the correct iptables command:<br>
          <br>
          <code>iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d aaa.bbb.ccc.ddd -j DROP</code></div>
        <div><br>
        </div>
        <div>This command successfully blocks *future* connections to
          ports 143 and 993 from that IP address, but as I mentioned, it
          doesn't kill the currently open connection.<br>
        </div>
        <div dir="ltr">
          <div>
            <div dir="ltr" class="gmail_signature"
              data-smartmail="gmail_signature">
              <div dir="ltr">
                <div><br>
                </div>
                <div>-- <br>
                   <a href="mailto:hippoman@gmail.com" target="_blank"
                    moz-do-not-send="true" class="moz-txt-link-freetext">hippoman@gmail.com</a><br>
                   Take a hippopotamus to lunch today.<br>
                </div>
              </div>
            </div>
          </div>
          <br>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Mon, May 23, 2022 at 4:54
            PM Hippo Man <<a href="mailto:hippoman@gmail.com"
              moz-do-not-send="true" class="moz-txt-link-freetext">hippoman@gmail.com</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
            0.8ex;border-left:1px solid
            rgb(204,204,204);padding-left:1ex">
            <div dir="ltr">
              <div>Thank you, but fail2ban doesn't do what I need. Here
                is why ...</div>
              <div><br>
              </div>
              <div>I have used fail2ban and also my own homegrown log
                monitor program for this purpose. In both cases, I can
                detect the failed imap logins and then cause the
                following command to be run ...</div>
              <div><br>
              </div>
              <div><code>iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP</code></div>
              <div><br>
              </div>
              <div>However, this does not drop connections that are
                existing and already open. It will only drop *future*
                connections from that IP address to port 143.<br>
              </div>
              <div><br>
              </div>
              <div>This is why I want to kill the existing connection.
                Even after that "iptables" command is issued, the entity
                which is connected to the imap port can continue to send
                more and more imap commands.</div>
              <div><br>
              </div>
              <div>If I can drop the TCP connection as soon as an imap
                login fails and also issue that kind of "iptables"
                command, then the client would have to reconnect in
                order to retry other login attempts. Those future
                connections would then be successfully blocked by that
                iptables rule.</div>
              <div><br>
              </div>
              <div>And even if I issue a "tcpdrop" command instead of
                just the "iptables" command, it doesn't kill the
                already-open connection. It just force-blocks future
                connections.</div>
              <div><br>
              </div>
              <div>I'm thinking of patching the dovecot source code to
                create a personal version which immediately disconnects
                from the socket after login failure. Of course, I would
                prefer not to do that, if there is another way to
                accomplish this.<br>
              </div>
              <div>
                <div>
                  <div dir="ltr">
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>-- <br>
                         <a href="mailto:hippoman@gmail.com"
                          target="_blank" moz-do-not-send="true"
                          class="moz-txt-link-freetext">hippoman@gmail.com</a><br>
                         Take a hippopotamus to lunch today.<br>
                      </div>
                    </div>
                  </div>
                </div>
                <br>
              </div>
            </div>
            <br>
            <div class="gmail_quote">
              <div dir="ltr" class="gmail_attr">On Mon, May 23, 2022 at
                4:24 PM Jan Hugo Prins <<a
                  href="mailto:jhp@jhprins.org" target="_blank"
                  moz-do-not-send="true" class="moz-txt-link-freetext">jhp@jhprins.org</a>>
                wrote:<br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div> Look at fail2ban.<br>
                  Should be able to do that for you.<br>
                  <br>
                  Jan Hugo<br>
                  <br>
                  <br>
                  <div>On 5/23/22 21:11, Lloyd Zusman wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>I'm running dovecot 2.2.13 under Debian 8.</div>
                      <div>
                        <p>I'd like to force an immediate TCP socket
                          disconnect after any imap login attempt that
                          fails.</p>
                        <p>Right now, if invalid credentials are
                          supplied during an imap login, the client can
                          keep retrying logins with different
                          credentials. However, I want to prevent that
                          from occurring by causing the socket
                          connection to be closed as soon as there is
                          any failed login attempt.</p>
                        <p>I haven't been able to find any <code>dovecot</code>
                          configuration setting which could control this
                          behavior, but I'm hoping that I just missed
                          something.</p>
                        <p>Thank you very much for any suggestions.</p>
                      </div>
                      <div>
                        <div>
                          <div dir="ltr">
                            <div dir="ltr">
                              <div>-- <br>
                                 <a href="mailto:hippoman@gmail.com"
                                  target="_blank" moz-do-not-send="true"
                                  class="moz-txt-link-freetext">hippoman@gmail.com</a><br>
                                 Take a hippopotamus to lunch today.<br>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </blockquote>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
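    <p>The rule-ordering point made in the reply above, as an added example
    that is not code from anyone in this thread: a small Python model of how
    iptables walks the INPUT chain first-match. The chain layout (a
    RELATED,ESTABLISHED accept first, then the IMAP service accept), the
    addresses (taken from the RFC 5737 documentation ranges) and the
    <code>established</code> flag standing in for what conntrack would report
    are all constructed here. <code>match_on="src"</code> builds the ban
    rule with <code>-s</code> on the offending client's address;
    <code>match_on="dst"</code> builds it with <code>-d</code> on the server's
    own address, the shape of the command quoted above.</p>

```python
"""Added example (not from the thread): simulate first-match evaluation of an
iptables INPUT chain so the ordering point can be checked without touching a
real netfilter. Chain, addresses and conntrack state are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SERVER = "192.0.2.10"        # constructed: the IMAP server's own address
ATTACKER = "198.51.100.7"    # constructed: the client failing logins
BYSTANDER = "203.0.113.5"    # constructed: an unrelated legitimate client
IMAP_PORTS: FrozenSet[int] = frozenset({143, 993})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    established: bool = False   # True for a packet of an already-open session


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT or DROP
    proto: Optional[str] = None            # -p
    src: Optional[str] = None              # -s
    dst: Optional[str] = None              # -d
    dports: FrozenSet[int] = frozenset()   # -m multiport --dports
    states: FrozenSet[str] = frozenset()   # -m state --state

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and p.src != self.src:
            return False
        if self.dst and p.dst != self.dst:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.states:
            state = "ESTABLISHED" if p.established else "NEW"
            if state not in self.states:
                return False
        return True


class Chain:
    """INPUT chain with iptables semantics: the first matching rule decides."""

    def __init__(self, policy: str = "DROP") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule, pos: int = 1) -> None:   # iptables -I INPUT [pos]
        self.rules.insert(pos - 1, rule)

    def append(self, rule: Rule) -> None:                 # iptables -A INPUT
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


def base_chain() -> Chain:
    """The common layout from the thread: ESTABLISHED accept first, then the service accept."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    c.append(Rule("ACCEPT", proto="tcp", dports=IMAP_PORTS))
    return c


def ban_rule(match_on: str) -> Rule:
    """'src' matches -s ATTACKER; 'dst' matches -d SERVER (the quoted command's shape)."""
    if match_on == "src":
        return Rule("DROP", proto="tcp", src=ATTACKER, dports=IMAP_PORTS)
    return Rule("DROP", proto="tcp", dst=SERVER, dports=IMAP_PORTS)


def run_scenario(where: str, match_on: str) -> Dict[str, str]:
    """where: 'append' (-A INPUT), 'below_established' (-I INPUT 2) or 'top' (-I INPUT)."""
    chain = base_chain()
    rule = ban_rule(match_on)
    if where == "append":
        chain.append(rule)
    elif where == "below_established":
        chain.insert(rule, pos=2)
    elif where == "top":
        chain.insert(rule, pos=1)
    else:
        raise ValueError(where)
    probes = {
        "existing_session": Packet(ATTACKER, SERVER, 143, established=True),
        "new_from_attacker": Packet(ATTACKER, SERVER, 143),
        "new_from_bystander": Packet(BYSTANDER, SERVER, 993),
    }
    return {name: chain.verdict(p) for name, p in probes.items()}


if __name__ == "__main__":
    for where in ("append", "below_established", "top"):
        print(f"-s ban, {where:18}", run_scenario(where, "src"))
    print("-d ban, top               ", run_scenario("top", "dst"))
```

    <p>Running it shows the three outcomes the reply distinguishes: a ban
    appended at the end is shadowed by the service accept and stops nothing;
    one placed below the RELATED,ESTABLISHED accept stops only new
    connections from that client, so the open IMAP session keeps going; one
    inserted at the very top drops the open session's packets too. It also
    shows why matching on <code>-d</code> with the server's own address is
    not a per-client ban: the bystander's new connection is dropped as well.
    On a real host the equivalent check is <code>iptables -nvL INPUT
    --line-numbers</code> to see where the drop rule landed relative to the
    RELATED,ESTABLISHED accept.</p>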
  </body>
</html>