On 14/Feb/11 20:27, Bowie Bailey wrote:
> On 2/14/2011 2:21 PM, Carlos Lopez wrote:
>>> I was wondering whether there is some way in Courier (using 
>>> authlib, using authmysql) to catch the event of a multiple
>>> login failure, such as in the case of spambots trying to
>>> bruteforce an account, to temporarily ban the IP?
>>
>> You can use either MySQL or authlib logs and then do a grep or
>> use any similar tool that can filter any failed login.
>>
>> If you want to ban the IP that any anonymous user is using to
>> login, in my case I've used Linux IPTABLES and dynamic rule
>> changing thru a script.
> 
> Check out fail2ban.  You can use it to watch the log files and ban any
> IP with more than a certain number of failures.  It can be used for any
> service that logs failures.

Ipqbdb has similar functionality -- Linux only.  Neither of them would
resist distributed attacks, though.

Built-in tarpit works well against timid attackers.  Determined
crackers quickly reach the maximum connection limit and may hold it
indefinitely.  I hope we'll have refined better countermeasures by the
time well-crafted attacks come.  For example, we could block
logins, from any IP address, for users affected by more than N failed
logins since the last password change.

jm2c
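
Added example, not part of the original message and not Courier, fail2ban or ipqbdb code: it contrasts per-IP failure counting with the per-user rule proposed above (more than N failed logins since the last password change, from any IP address). The event tuples, function names and thresholds are assumptions made for illustration; the sample events are constructed.

```python
from collections import Counter

# Constructed sample events (not real Courier/authlib log output),
# in chronological order: (kind, user, source_ip).
EVENTS = [
    # Distributed guessing against alice: one failure per address.
    ("fail", "alice", "198.51.100.1"),
    ("fail", "alice", "198.51.100.2"),
    ("fail", "alice", "198.51.100.3"),
    ("fail", "alice", "198.51.100.4"),
    # Single-source guessing against bob, then bob changes his password.
    ("fail", "bob", "203.0.113.9"),
    ("fail", "bob", "203.0.113.9"),
    ("fail", "bob", "203.0.113.9"),
    ("pwchange", "bob", "192.0.2.10"),
    ("fail", "bob", "203.0.113.9"),
]


def banned_ips(events, max_per_ip):
    """Per-IP counting: ban an address with more than max_per_ip failures."""
    per_ip = Counter(ip for kind, _, ip in events if kind == "fail")
    return {ip for ip, count in per_ip.items() if count > max_per_ip}


def blocked_users(events, n):
    """Per-user counting across all addresses.

    A user is blocked once more than n failures have accumulated since
    that user's last password change; only a password change resets it.
    """
    fails = Counter()
    for kind, user, _ in events:
        if kind == "fail":
            fails[user] += 1
        elif kind == "pwchange":
            fails[user] = 0
    return {user for user, count in fails.items() if count > n}


if __name__ == "__main__":
    print("banned IPs:   ", sorted(banned_ips(EVENTS, 2)))
    print("blocked users:", sorted(blocked_users(EVENTS, 3)))
```

The per-IP rule only catches the single noisy address, while the per-user rule flags the account hit from four different addresses. The per-user rule also means repeated failures can lock a legitimate user out until the password is changed.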
courier-users mailing list