Jorge Bastos <mysql.jorge at decimal.pt> wrote:
> What do you see in the logs?
> My guess is that someone is trying a brute force auth against you,

Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
authentication. The exim4 logs show brute force attacks.

-- 
Edward.

>>>>> Edward Betts <edward at 4angle.com>:

> Jorge Bastos <mysql.jorge at decimal.pt> wrote:
>> What do you see in the logs?
>> My guess is that someone is trying a brute force auth against you,

> Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
> authentication. The exim4 logs show brute force attacks.

A little late response, but since you're using Debian you could try
pulling in fail2ban:

    apt-get install fail2ban

fail2ban scans the logs of various services for attacks and firewalls
out the attacking IP addresses.

There are no built-in rules for exim or dovecot in the Debian fail2ban
package, but there is something here that could possibly be
adapted...?
 wiki2.dovecot.org/HowTo/Fail2Ban

Here's a filter for exim:
 github.com/fail2ban/fail2ban/blob/master/config/filter.d/exim.conf

On Friday, 03.07.2015, at 14:28 +0200, Steinar Bang wrote:
>
> fail2ban scans the logs of various services for attacks and firewalls
> out the attacking IP addresses.
>
> There are no built-in rules for exim or dovecot in the debian
> fail2ban package, but there is something here that could possibly be
> adapted...?

Are you talking about wheezy or jessie? jessie has rules. But they need
to be enabled like this:

    # cat /etc/fail2ban/jail.d/local.conf
    [exim]
    enabled = true

    [exim-spam]
    enabled = true

    [dovecot]
    enabled = true
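
Added example, not part of the thread above and not fail2ban's own code: a small Python sketch of the kind of check the exim jail performs, counting failed SMTP AUTH attempts per IP inside a sliding window. The log lines are constructed samples in exim4 mainlog style; the function name is hypothetical, and `maxretry` / `findtime` simply borrow the names of fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
2015-07-03 14:00:00 dovecot_login authenticator failed for (User) [198.51.100.20]: 535 Incorrect authentication data (set_id=info)
2015-07-03 14:20:01 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2015-07-03 14:20:05 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=test)
2015-07-03 14:20:09 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=root)
2015-07-03 14:21:00 1ZB0aB-0001ab-CD <= user@example.org H=mail.example.org [192.0.2.10] P=esmtpsa A=dovecot_login:user S=1234
2015-07-03 14:30:00 dovecot_login authenticator failed for (User) [198.51.100.20]: 535 Incorrect authentication data (set_id=info)
2015-07-03 15:00:00 dovecot_login authenticator failed for (User) [198.51.100.20]: 535 Incorrect authentication data (set_id=info)
"""

# Anchored at line start so the client-supplied set_id at the end of the
# line cannot move the position from which the IP address is taken.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\S+ authenticator failed for (?:\S+ )?(?:\([^)]*\) )?"
    r"\[(?P<ip>[0-9a-fA-F:.]+)\](?::\d+)?: 535 "
)


def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP to the time it reached maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if not m:
            continue              # deliveries, successes, unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when}")
```

With the sample data only 203.0.113.7 is reported; 198.51.100.20 also fails three times, but 30 minutes apart, so it never has three failures inside one ten-minute window.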