similar to: Mail account brute force / harassment

Displaying 20 results from an estimated 6000 matches similar to: "Mail account brute force / harassment"

2019 Apr 11
1
Mail account brute force / harassment
> On 11.04.2019 at 12:43, Marc Roos via dovecot <dovecot at dovecot.org> wrote: > > Please do not assume anything other than what is written, it is a > hypothetical situation > > > A. With the fail2ban solution > - you 'solve' that the current ip is not able to access you > - it will continue bothering other servers and admins > - you get the
2019 Apr 11
1
Mail account brute force / harassment
Marc, There is a strategy loosely referred to as "choose your battles well" :-) Let the others bother with their own problems. If you can, hack the server and dump the 500GB - you'll be using resources transferring the 500GB as the other server receives it. Two servers wasting resources because you think you are punishing an offender! On Thu, 11 Apr 2019 at 13:43, Marc Roos
2019 Apr 11
2
Mail account brute force / harassment
Say for instance you have someone trying to constantly access an account Has any of you made something creative like this: * configure that account to allow to login with any password * link that account to something like /dev/zero that generates infinite amount of messages (maybe send an archive of viruses?) * transferring TB's of data to this harassing client. I think it would be
2019 Apr 11
5
Mail account brute force / harassment
On 11/04/2019 11:43, Marc Roos via dovecot wrote: > A. With the fail2ban solution > - you 'solve' that the current ip is not able to access you It is only a solution if there are subsequent attempts from the same address. I currently have several thousand addresses blocked due to dovecot login failures. My firewall is set to log these so I can see that few repeat, those
2019 Apr 11
0
Mail account brute force / harassment
All your approaches are not well thought out. The best solutions are always the simplest ones. KISS principle dictates so. On Thu, 11 Apr 2019 at 15:01, Marc Roos <M.Roos at f1-outsourcing.eu> wrote: > > How long have we been using the current strategy? Do we have less or > more abuse clouds operating? > > "Let the others bother with their own problems." is a bit
2019 Apr 11
0
Mail account brute force / harassment
Please do not assume anything other than what is written, it is a hypothetical situation A. With the fail2ban solution - you 'solve' that the current ip is not able to access you - it will continue bothering other servers and admins - you get the next abuse host to give a try. B. With 500GB dump - the owner of the attacking server (probably hacked) will notice it will be
2019 Apr 11
1
Mail account brute force / harassment
On 11 Apr 2019, at 04:43, Marc Roos via dovecot <dovecot at dovecot.org> wrote: > B. With 500GB dump > - the owner of the attacking server (probably hacked) will notice it > will be forced to take action. Unlikely. What is very likely is that your ISP shuts you down for network abuse. > If abuse clouds are smart (most are) they would notice that attacking my > servers, will
2019 Apr 11
0
Mail account brute force / harassment
On 11.04.2019 13:25, James via dovecot wrote: > On 11/04/2019 11:43, Marc Roos via dovecot wrote: > >> A. With the fail2ban solution >> - you 'solve' that the current ip is not able to access you > > It is only a solution if there are subsequent attempts from the same > address. I currently have several thousand addresses blocked due to > dovecot login
2019 Apr 12
2
Mail account brute force / harassment
On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote: >> Which is why a dnsbl for dovecot is a good idea. I do not believe the >> agents behind these login attempts are only targeting me, hence the >> addresses should be shared via a dnsbl. > > Probably there's an existing solution for both problems (subsequent > attempts and dnsbl): > >>
2019 Apr 12
2
Mail account brute force / harassment
On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: > Weakforced uses Lua so you can easily integrate DNSBL support into it. How does this help Dovecot block? A link to some documentation or example perhaps? > We will not add DNSBL support to dovecot at this time. Is there a reason why you will not support this RFE?
2019 Apr 12
2
Mail account brute force / harassment
On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: > On 12.4.2019 10.34, James via dovecot wrote: >> On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: >> >>> Weakforced uses Lua so you can easily integrate DNSBL support into it. >> How does this help Dovecot block? >> A link to some documentation or example perhaps? >> >> >
2019 May 23
4
Catch all for dovecot authentication?
Hi I'm aware that there are several good reasons not to do what I want, but in my use-case it would be an interesting feature. So please no discussions about the reasonableness I have some spamtrap SMTP servers (postfix). Currently SMTP AUTH is disabled. But as I daily have thousands of AUTH tries I thought it would be nice to be able to accept any AUTH request from postfix in dovecot. Is
2019 Apr 11
0
Mail account brute force / harassment
Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How do you have one setup for dovecot connections? -----Original Message----- From: James via dovecot [mailto:dovecot at dovecot.org] Sent: donderdag 11 april 2019 13:25 To: dovecot at dovecot.org Subject: Re: Mail account brute force / harassment On 11/04/2019 11:43, Marc Roos via dovecot wrote: > A. With the
2019 Apr 12
0
Mail account brute force / harassment
On 12.4.2019 10.21, James via dovecot wrote: > On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote: > >>> Which is why a dnsbl for dovecot is a good idea. I do not believe the >>> agents behind these login attempts are only targeting me, hence the >>> addresses should be shared via a dnsbl. >> >> Probably there's an existing solution for both
2019 Apr 12
0
Mail account brute force / harassment
On 12.4.2019 10.34, James via dovecot wrote: > On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: > >> Weakforced uses Lua so you can easily integrate DNSBL support into it. > > How does this help Dovecot block? > A link to some documentation or example perhaps? > > https://wiki.dovecot.org/Authentication/Policy You can configure weakforced to return status -1 when DNSBL
2019 Apr 12
0
Mail account brute force / harassment
Hi, What we do is: use https://github.com/trick77/ipset-blacklist to block IPs (from various existing blacklists) at the iptables level using an ipset. That way, the known bad IPs never even talk to dovecot, but are dropped immediately. We have the feeling it helps a lot. MJ On 4/12/19 10:27 AM, James via dovecot wrote: > On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: >> On
2017 Jul 18
2
weakforced
I've been playing with weakforced, so it fills in the 'fail2ban across a cluster' niche (not to mention RBLs). It seems to work well, once you've actually read the docs :) I was curious if anyone had played with it and was *very* curious if anyone was using it in high traffic production. Getting things to 'work' versus getting them to work *and* handle a couple hundred
2017 Dec 19
3
detect suspicious logins
does anyone know of a linux module (maybe similar to fail2ban) that could be installed which would monitor email logs (sign ins) and alert the user to any suspicious activity on their account? i suspect it would need to log geo location, device type and ip address to a database. it seems like a module like this would be very useful and should exist already? thanks in advance
2017 Jul 20
3
under some kind of attack
Hi all, If I may, one more question on this subject: I would like to create a fail2ban filter, that scans for these lines: > Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password) > Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password) (as you can
2019 Apr 12
0
Mail account brute force / harassment
> On 12 April 2019 18:11 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote: > > > > Probably there's an existing solution for both problems (subsequent > > attempts and dnsbl): > > > > >