You might be able to use an ipset with your firewall ... for example

    ipset create blacklist4hr hash:ip hashsize 4096 timeout 14400

then add something like this into your firewall rules

    -A INPUT -m set --match-set blacklist4hr src -j DROP

then have a program watching the logs based on some threshold and place the IP in the above ipset should they match your filter rules. If you use DROP vs RESET on your rule, it might nudge the user to fix their MUA. ;-)

Adding IPs to your ipset is done like this via any program watching the logs.

    ipset add blacklist4hr X.X.X.X

PS...if you kept count by the number of bad login attempts per IP address before you placed the IP address into your dynamic blacklist, you could also slow down dictionary attacks.

Jim

On Mon, Feb 15, 2016 at 7:12 AM, Andreas Schamanek <[email protected]> wrote:
>
> Hi fellow mailops,
>
> Often when users' mail accounts get canceled they do not remove or
> update their MUAs' configuration. Hence, I see a lot of repeated login
> attempts.
>
> Apart from the fact that this is a waste of a number of resources,
> these attempts also trigger my intrusion detection system (which for
> now does not check whether the username is one of an old account or
> not).
>
> I was wondering how others deal with failing login attempts related to
> deleted accounts. Is there a particularly good way to convince old
> users to update their configurations?
>
> --
> -- Andreas
>
> :-)
>
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
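Added example, not part of the original thread: the log watcher described in the reply above, counting failed logins per source address in a sliding window and producing the `ipset add` command once a threshold is reached. The log line format, the threshold and the window are assumptions made for this example; only the set name and its 14400-second timeout come from the message.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed log format, constructed for this example (not a real daemon's):
#   <epoch-seconds> auth-failed user=<name> rip=<address>
FAIL_RE = re.compile(r"^(\d+) auth-failed user=\S+ rip=(\S+)$")
SET_NAME = "blacklist4hr"  # set name and timeout come from the message above
SET_TIMEOUT = 14400
THRESHOLD = 5              # hypothetical: failures tolerated before blocking
WINDOW = 600               # hypothetical: counting window in seconds

def ipset_commands(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the argv lists a watcher would run (e.g. via subprocess.run)."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    blocked_until = {}           # ip -> time the set entry expires by itself
    commands = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        ts = int(m.group(1))
        try:
            # Log-derived field bound for a command line: parse it, never pass it raw.
            ip = ipaddress.IPv4Address(m.group(2))  # hash:ip is IPv4 by default
        except ValueError:
            continue
        if blocked_until.get(ip, 0) > ts:
            continue  # still in the set, nothing to add
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            commands.append(["ipset", "add", SET_NAME, str(ip)])
            blocked_until[ip] = ts + SET_TIMEOUT
            del recent[ip]
    return commands

def fail_line(ts, ip):
    return f"{ts} auth-failed user=olduser rip={ip}"

# Constructed sample input (documentation address ranges).
SAMPLE = (
    [fail_line(1000 + 10 * i, "198.51.100.7") for i in range(6)]  # burst: blocked
    + [fail_line(t, "203.0.113.9") for t in (1000, 1100, 1200, 1300, 2000)]  # slow
    + [fail_line(1500, "198.51.100.7;reboot")]  # malformed address: ignored
    + [fail_line(16000 + i, "198.51.100.7") for i in range(5)]  # after the timeout
)
```

On the sample, the burst from 198.51.100.7 is added once, and again only after the four-hour entry has expired; the slow retries from 203.0.113.9 never reach the threshold.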
