dovecot - Jul 2017 - under some kind of attack

On Tue, 18 Jul 2017, dovecot-request at dovecot.org wrote:
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and bantime=1800
>
> However, it seems almost all IPs are different, and I don't think I can
> keep the above settings permanently.
Why not?  Limited by firewall rules overload?  You could probably use
a persistent DB, can't you?

You can also use a third party RBL that specialized in brute forcers like
blocklist.de.  You can also feed back fail2ban data and crowdsource BFD
data to them.

Joseph Tam <jtam.home at gmail.com>

Hi Joseph,

On 07/18/2017 11:10 PM, Joseph Tam wrote:
>> However, it seems almost all IPs are different, and I don't think I
can
>> keep the above settings permanently.
> 
> Why not?  Limited by firewall rules overload?  You could probably use
> a persistent DB, can't you?
I meant: keep the "block after the first failed attempt" setting.
People
need the chance to change their password, so I have increased it to two.
> You can also use a third party RBL that specialized in brute forcers like
> blocklist.de.  You can also feed back fail2ban data and crowdsource BFD
> data to them.
Yes, I will look into that now.

Thanks!