There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.

Does dovecot have this? A simple look shows no.

--
I wouldn't mind dying -- it's that business of having to stay dead that scares the shit out of me.
-- R. Geis

On Sat, 8 Dec 2007, Peter Hessler wrote:

> There are a couple of jerks that are trying to dictionary attack my
> email server, and one of the vectors is pop3/imap logins. Something I
> would like to do in dovecot, but can't seem to find, is the ability to
> disconnect after a certain number of errors. The vast majority of my
> users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we
> do, we know how to spell things properly.

I would use fail2ban, which listens for log files and then adds firewall rules banning the idiots or alternately uses hosts.deny to ban the idiots. (I personally prefer the use of hosts.deny.)

-- Asheesh.

--
Do you know the difference between a yankee and a damyankee? A yankee comes south to *visit*.

On 9.12.2007, at 0.16, Peter Hessler wrote:

> There are a couple of jerks that are trying to dictionary attack my
> email server, and one of the vectors is pop3/imap logins. Something I
> would like to do in dovecot, but can't seem to find, is the ability to
> disconnect after a certain number of errors. The vast majority of my
> users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we
> do, we know how to spell things properly.
>
> Does dovecot have this? A simple look shows no.

It's hardcoded to src/imap-login/client.c:

    #define CLIENT_MAX_BAD_COMMANDS 10

On 2007 Dec 09 (Sun) at 00:20:11 +0200 (+0200), Timo Sirainen wrote:

> On 9.12.2007, at 0.16, Peter Hessler wrote:
>
>> There are a couple of jerks that are trying to dictionary attack my
>> email server, and one of the vectors is pop3/imap logins. Something I
>> would like to do in dovecot, but can't seem to find, is the ability to
>> disconnect after a certain number of errors. The vast majority of my
>> users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we
>> do, we know how to spell things properly.
>>
>> Does dovecot have this? A simple look shows no.
>
> It's hardcoded to src/imap-login/client.c:
>
> #define CLIENT_MAX_BAD_COMMANDS 10
>

It looks like that doesn't apply to failed logins.

--
A witty saying proves nothing, but saying something pointless gets people's attention.

On Sat, 8 Dec 2007, Peter Hessler wrote:

> There are a couple of jerks that are trying to dictionary attack my
> email server, and one of the vectors is pop3/imap logins. Something I
> would like to do in dovecot, but can't seem to find, is the ability to
> disconnect after a certain number of errors. The vast majority of my
> users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we
> do, we know how to spell things properly.

Another suggestion via PAM: "pam_shield blocks IPs" <http://www.ka.sara.nl/home/walter/pam%5Fshield/README.txt> describes http://www.ka.sara.nl/home/walter/pam%5Fshield/ . I still think that fail2ban is a better approach.

-- Asheesh.

--
Sendmail may be safely run set-user-id to root.
-- Eric Allman, "Sendmail Installation Guide"
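
The log-watching approach suggested in this thread (count failed logins per client address inside a time window, then emit hosts.deny rules), as an added example that is not part of the original messages and is not fail2ban's or Dovecot's code. The log line format, the threshold of 3 and the 10-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # assumed threshold, not a Dovecot or fail2ban default
WINDOW = timedelta(minutes=10)    # assumed look-back window

# Constructed log lines in a simplified, assumed format (not from a real server).
SAMPLE_LOG = """\
2007-12-08 23:10:01 pop3-login: auth failed: user=<admin>, rip=203.0.113.5
2007-12-08 23:10:03 pop3-login: auth failed: user=<root>, rip=203.0.113.5
2007-12-08 23:10:04 imap-login: login ok: user=<peter>, rip=198.51.100.7
2007-12-08 23:10:06 imap-login: auth failed: user=<test>, rip=203.0.113.5
2007-12-08 23:12:00 imap-login: auth failed: user=<peter>, rip=198.51.100.7
2007-12-08 23:40:00 imap-login: auth failed: user=<peter>, rip=198.51.100.7
2007-12-08 23:59:00 imap-login: auth failed: user=<peter>, rip=198.51.100.7
"""

# Matches only failed POP3/IMAP logins; IPv4 client addresses only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:pop3|imap)-login: "
    r"auth failed: user=<[^>]*>, rip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_offenders(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return IPs (in order of detection) with max_failures failures in one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

def hosts_deny_lines(ips):
    """Format offenders as hosts.deny rules covering all wrapped services."""
    return [f"ALL: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(find_offenders(SAMPLE_LOG))))
```

The user who mistypes a password three times over 47 minutes (198.51.100.7) stays under the threshold, while the burst from 203.0.113.5 does not.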