On 9/2/2013 8:35 AM, Charles Marcus wrote:
> 2. A blacklist that when triggered (x failed login attempts in x seconds), doesn't try to block the IP, but rather prevents login attempts for that user account from even reaching the AUTH stage - *unless* the IP in question is in the whitelist.
>
> The question is, where is this best dealt with - firewall (can fail2ban do anything like this?), or would it have to be done in dovecot?
I'm already using fail2ban to block IPs that have too many AUTH failures. Fail2ban is pretty flexible -- it watches the log and counts strings you specify, then runs a command or script you specify. If the username is logged, I suppose it's possible to run something to temporarily disable that user.

It would be a lot easier to deploy if some sort of blocker were built into dovecot -- after X number of failures during Y seconds, fail all future attempts for the account for T seconds. Maybe reset the timer on each attempt during the blackout period so the timer never expires on the persistent distributed brute-force attacks. I suppose there would also need to be a way to whitelist IPs so the account owner can get in.

-- 
Noel Jones
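The per-account blocker Noel sketches above, written out as an added example (this is illustration code for the thread, not Dovecot or fail2ban code, and none of it exists in either project): X failures within Y seconds put the account into a T-second blackout, every attempt during the blackout pushes the expiry forward, and attempts from whitelisted source addresses bypass the check entirely. The `AccountLockout` class, the `simulate()` driver, the parameter names and the RFC 5737 documentation addresses used as sample clients are all assumptions made for the example.

```python
"""Per-account login blackout with sliding window, timer extension and IP whitelist.

Added example for the thread above; not code from Dovecot or fail2ban.
Times are plain seconds passed in by the caller so the policy is deterministic
and easy to test; a real daemon would pass time.monotonic().
"""
from collections import defaultdict, deque
import ipaddress


class AccountLockout:
    def __init__(self, max_failures=5, window=60, blackout=300,
                 whitelist=(), extend_on_attempt=True):
        self.max_failures = max_failures          # X failures ...
        self.window = window                      # ... within Y seconds
        self.blackout = blackout                  # ... blocks the account for T seconds
        self.extend_on_attempt = extend_on_attempt  # Noel's "reset the timer on each attempt"
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self._failures = defaultdict(deque)      # user -> timestamps of recent failures
        self._blocked_until = {}                 # user -> time at which the blackout ends

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def check(self, user, ip, now):
        """Decide before AUTH: True = let the attempt reach the password check,
        False = refuse it outright. Whitelisted sources are never refused."""
        if self._whitelisted(ip):
            return True
        until = self._blocked_until.get(user)
        if until is None:
            return True
        if now < until:
            if self.extend_on_attempt:
                # A slow, distributed attacker keeps poking the account; push the
                # expiry forward so the blackout never lapses while that continues.
                self._blocked_until[user] = now + self.blackout
            return False
        # Blackout has expired: drop it and start counting from a clean window.
        del self._blocked_until[user]
        self._failures[user].clear()
        return True

    def record_failure(self, user, ip, now):
        """Count a real AUTH failure; returns True when this one trips the blackout."""
        if self._whitelisted(ip):
            return False
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[user] = now + self.blackout
            return True
        return False

    def record_success(self, user, ip, now):
        """A correct password clears the failure window (the blackout, if any, is
        left in place: the owner getting in via the whitelist does not mean the
        attacker stopped)."""
        self._failures[user].clear()

    def blocked_until(self, user):
        return self._blocked_until.get(user)


def simulate(policy, events):
    """Replay (time, user, ip, outcome) tuples, where outcome is what the
    password check would say ('ok' or 'fail'). Returns one decision per event:
    'refused' (never reached AUTH), 'auth-failed' or 'auth-ok'."""
    decisions = []
    for t, user, ip, outcome in events:
        if not policy.check(user, ip, t):
            decisions.append("refused")
            continue
        if outcome == "ok":
            policy.record_success(user, ip, t)
            decisions.append("auth-ok")
        else:
            policy.record_failure(user, ip, t)
            decisions.append("auth-failed")
    return decisions


# Constructed scenario: 3 failures in 10 s blocks the account for 60 s. Two
# attacking hosts keep trying; the owner comes from the whitelisted 192.0.2.0/24.
SAMPLE_EVENTS = [
    (0,   "alice", "198.51.100.7", "fail"),
    (1,   "alice", "198.51.100.7", "fail"),
    (2,   "alice", "198.51.100.7", "fail"),   # third failure: blackout until t=62
    (3,   "alice", "198.51.100.7", "fail"),   # refused, expiry pushed to 63
    (50,  "alice", "203.0.113.9",  "fail"),   # second attacker host, expiry pushed to 110
    (70,  "alice", "192.0.2.10",   "ok"),     # owner on the whitelist gets in
    (100, "alice", "198.51.100.7", "ok"),     # even the right password is refused
    (200, "alice", "198.51.100.7", "ok"),     # blackout lapsed, attempt reaches AUTH
]


def run_sample(extend_on_attempt=True):
    policy = AccountLockout(max_failures=3, window=10, blackout=60,
                            whitelist=["192.0.2.0/24"],
                            extend_on_attempt=extend_on_attempt)
    return simulate(policy, SAMPLE_EVENTS)


if __name__ == "__main__":
    for t, d in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={t[0]:>3} {t[1]} from {t[2]:<13} -> {d}")
```

Running `run_sample(extend_on_attempt=False)` shows why the timer reset matters: with a fixed 60-second blackout the attempt at t=100 reaches AUTH again, whereas with extension it is refused and the expiry keeps moving as long as the guessing continues. The flip side, which is why the whitelist is not optional in this design, is that anyone who can send three bad passwords can keep a named account locked out of every non-whitelisted address indefinitely; the block must sit in front of AUTH as Charles describes, and the owner's own addresses must be in the whitelist before the rule is enabled.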