search for: abwehren

Displaying 7 results from an estimated 7 matches for "abwehren".

2015 Mar 02
6
IP drop list
Dave McGuire writes: >> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets >> >> then setup fail2ban to manage extrafields > > Now that's a very interesting idea, thank you! I will investigate this. If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you expect dovecot will handle a comma separated string with 45K+ entries any
2015 Mar 02
0
IP drop list
...d be perfectly doable though. > > Joseph Tam <jtam.home at gmail.com> perhaps and i mean really "perhaps" go this way https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/ https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/ 45K+ IPs will work in a recent table i have them too but for smtp only like echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot combine with geoip might be a good idea too is ultra faster than fail2ban cause no log file parsing is needed or another idea you might test, configure...
2013 Aug 31
2
Auto-blocking faulty login attempts
Dear group, How can I block login attempts to dovecot after trying 5 times in error? -- Best regards, Jos Chrispijn --- Artificial intelligence is no match for natural stupidity
2017 Jul 18
0
under some kind of attack
...uess not, but typical bots aren't using ssl, check it however fail2ban sometimes is too slow but as an alternative you may create a filter out of syslog to directly feed in iptables recent, here is an example with smtp https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/ > > Thanks for the quick replies! > > MJ > > On 07/18/2017 09:52 PM, Robert Schetterer wrote: >> On 18.07.2017 at 21:44, mj wrote: >>> Hi all, >>> >>> It seems we are under some kind of password guessing attack: >>> >>>>...
2015 Mar 02
6
IP drop list
On 02.03.2015 at 18:56, Robert Schetterer wrote: > perhaps and i mean really "perhaps" go this way > > https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/ > > https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/ > > 45K+ IPs will work in a recent table > i have them too but for smtp only like > > echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot > > combine with geoip might be a good idea too > > is ultra faster than fail2ban cause no log file parsing is needed >...
2017 Jul 18
5
under some kind of attack
Hi, Thanks for the quick follow-ups! Much appreciated. After posting this, I immediately started working on fail2ban. And between my initial posting and now, fail2ban already blocked 114 IPs. I have fail2ban with maxretry=1 and bantime=1800. However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently. Robert, your iptables suggestions are
2013 Apr 06
13
script to detect dictionary attacks
Hi has someone a script which can filter out dictionary attacks from /var/log/maillog and notify about the source-IPs? i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons and avoid fail2ban at all because it does not match in the way we maintain firewalls * add the IP to a distributed "iptables-block.sh" and distribute it to any