Amon Ott
2006-Aug-25 14:23 UTC
[Dovecot] Auto-blacklisting hosts after too many failed logins
Hi folks,

first of all thanks for Dovecot, I appreciate it a lot.

On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account.

Blacklisted IPs could simply be disconnected without giving them a chance to do anything. After e.g. one day or one hour of no further connection, the blacklist entry could be dropped.

As a bonus, it would be great to have a way to close the POP3/IMAP firewall ports to these IPs to avoid dovecot seeing the connection at all. A kind of blacklist status file on disk would be enough, from which some cron job could fill a firewall chain.

If necessary, I would try to add this functionality myself.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Ken A
2006-Aug-28 16:03 UTC
[Dovecot] Auto-blacklisting hosts after too many failed logins
This really shouldn't be a dovecot function, since this isn't an application level attack. Check out ossec-hids. I use it exactly for this purpose for blocking brute force attacks on other protocols as well - ftp, ssh, smtp, etc...

Ken A.
Pacific.Net

Amon Ott wrote:
> Hi folks,
>
> first of all thanks for Dovecot, I appreciate it a lot.
>
> On one of our servers, we experience regular tries to brute force
> logins, probably based on harvested mail addresses. Now I wonder if
> dovecot has or could in future have some mechanism to blacklist
> remote IP addresses after a configurable number of failures to login
> to any account.
>
> Blacklisted IPs could simply be disconnected without giving them a
> chance to do anything. After e.g. one day or one hour of no further
> connection, the blacklist entry could be dropped.
>
> As a bonus, it would be great to have a way to close the POP3/IMAP
> firewall ports to these IPs to avoid dovecot seeing the connection at
> all. A kind of blacklist status file on disk would be enough, from
> which some cron job could fill a firewall chain.
>
> If necessary, I would try to add this functionality myself.
>
> Amon.
Geert Hendrickx
2006-Aug-29 07:23 UTC
[Dovecot] Auto-blacklisting hosts after too many failed logins
On Fri, Aug 25, 2006 at 04:23:32PM +0200, Amon Ott wrote:
> On one of our servers, we experience regular tries to brute force logins,
> probably based on harvested mail addresses. Now I wonder if dovecot has
> or could in future have some mechanism to blacklist remote IP addresses
> after a configurable number of failures to login to any account.

Countless perl scripts exist which parse sshd login logs for login attacks and insert dynamic firewall rules to temporarily blacklist them. Those could easily be adapted to pop3/imap login logs.

Geert
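The scheme Amon proposes (a threshold of failed logins against any account, counts that expire, a status file a cron job can feed into a firewall chain) built on the log-parsing approach Geert describes, as an added example that is not from the thread; it is Python rather than perl, and the Dovecot log line format and the sample lines are assumed and constructed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog-style shape of a Dovecot failed-login line (constructed for this
# example; check it against the format your Dovecot version actually writes).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"(?:Aborted login|Disconnected) \(auth failed.*?\): .*?rip=(?P<ip>[\d.]+)"
)
# Constructed sample log: 203.0.113.7 fails three times within seconds;
# 198.51.100.4 fails three times too, but spread over more than an hour.
SAMPLE_LOG = """\
Aug 25 14:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 25 14:01:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 25 14:01:15 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 25 14:02:30 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Aug 25 14:03:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Aug 25 16:05:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Aug 25 16:05:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<gina>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
"""

def parse_ts(ts, year=2006):
    # syslog lines carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def blacklist(log_text, threshold=3, window_seconds=3600, year=2006):
    """Return {ip: time_of_blocking} for every remote IP whose failed logins
    (against any account) reach `threshold` within a sliding `window_seconds`."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # failures older than the window no longer count
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = when
    return blocked

def render_status_file(blocked):
    """One 'ip<TAB>blocked_at' line per host, for a cron job to turn into
    firewall rules; a second job can drop lines once they are old enough."""
    return "".join(f"{ip}\t{when.isoformat()}\n" for ip, when in sorted(blocked.items()))
```

With the defaults only 203.0.113.7 is listed; 198.51.100.4 never reaches three failures inside one hour, which is the expiry behaviour Amon asks for applied to the counting side.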