Michael Smith writes:

We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.

Yeah, distributed BFDs are tough to block unless you can characterize
the clients well.

That leaves us back to getting dovecot to log the tried password for
unknown users.

Another tactic might be to hook in an authentication script:

        http://wiki2.dovecot.org/AuthDatabase/CheckPassword

You can run this as an external plugin and won't have to muck into the
dovecot innards.  From here, you can log attempts, keep track of bad
IPs, or take action if you spot a username/password combination that
merits instant blacklisting.

Joseph Tam <jtam.h...@gmail.com>
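
Added example (not part of the original message and not Dovecot's own code): a checkpassword-style hook that counts how many distinct IPs fail against one username, the pattern that per-IP banning misses. It assumes the hook is configured as the last passdb, so it only sees attempts the real passdbs already rejected and always answers "failed"; DB_PATH, WINDOW and MAX_DISTINCT_IPS are assumed values.

```python
#!/usr/bin/env python3
import os
import sqlite3
import sys
import time

DB_PATH = "/var/lib/authhook/failures.db"  # hypothetical path, writable by the hook's user
WINDOW = 3600          # seconds of failure history considered (assumed value)
MAX_DISTINCT_IPS = 5   # distinct failing IPs per username before flagging (assumed value)


def parse_credentials(raw):
    """checkpassword input on fd 3: username NUL password NUL [timestamp NUL]."""
    fields = raw.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")


def record_failure(db, username, ip, now):
    """Store one failure; True once MAX_DISTINCT_IPS different IPs failed on username in WINDOW."""
    db.execute("CREATE TABLE IF NOT EXISTS fail (username TEXT, ip TEXT, ts REAL)")
    db.execute("DELETE FROM fail WHERE ts < ?", (now - WINDOW,))
    db.execute("INSERT INTO fail VALUES (?, ?, ?)", (username, ip, now))
    db.commit()
    (count,) = db.execute(
        "SELECT COUNT(DISTINCT ip) FROM fail WHERE username = ?", (username,)).fetchone()
    return count >= MAX_DISTINCT_IPS


def main():
    with os.fdopen(3, "rb") as fd:
        username, _password = parse_credentials(fd.read(512))
    ip = os.environ.get("TCPREMOTEIP", "unknown")  # set by Dovecot for TCP clients
    flagged = record_failure(sqlite3.connect(DB_PATH), username, ip, time.time())
    # The tried password is parsed but deliberately kept out of the log line.
    print(f"auth-hook: failed login user={username!r} ip={ip} distributed={flagged}",
          file=sys.stderr)
    sys.exit(1)  # 1 = authentication failed in the checkpassword protocol


if __name__ == "__main__":
    main()
```

A username that comes back flagged is a candidate for a per-account response (lockout, alert) rather than another per-IP ban.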
