
Re: Dovecot configuration issues for IMAP/POP3 (squeeze)



On Nov 18, 2012, at 2:00 PM, David Guntner wrote:

> That's not what I want - I need a way to have it CLOSE the connection
> after {x} number of bad attempts (three is usually a good number).  In
> other words (for example), you put in a bad username/password three
> times, and it closes the connection and logs it.
> 
> Assuming I could get a meaningful log entry with each bad attempt, I
> could have fail2ban act - but that's still pretty useless since, as far
> as I understand it, telling iptables to DROP a given IP address doesn't
> do anything to a connection that's already open.  Someone please feel
> free to correct me if my understanding on that is not correct. :-)

I use Linux and IPtables and fail2ban, and the way it seems to work here is: There's an IPtables rule that checks for and accepts established connection packets, but fail2ban inserts its block chain in front of that, at the very top of the Input chain. So a packet from a wayward IP is blocked/dropped if fail2ban doesn't like it, before the fact that this is an established connection is discovered. So if you had f2b watching for bad logins, I think you'd get exactly what you want, assuming you could get meaningful log entries. (I wrote my IPtables packet filter, though, so others are almost certainly different.)

OTOH, some of the bad attempts I get don't log the remote IP, so they aren't meaningful to f2b and don't get blocked...

-- 
Glenn English
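The ordering point made above (the fail2ban chain sits at the top of INPUT, ahead of the rule that accepts ESTABLISHED packets, so a ban also stops packets belonging to a connection that is already open) can be made concrete with a small model of first-match chain evaluation. This is an added example, not code from the thread or from fail2ban; the chain name `f2b-dovecot`, the IMAP port 143, and the addresses are constructed, and the "established" flag stands in for what conntrack would report for the packet.

```python
# Added example (not from the original thread): a toy model of netfilter's
# first-match evaluation of the INPUT chain, with a user-defined ban chain
# that is either inserted at the top (what fail2ban's -I INPUT does) or
# placed after the ESTABLISHED/RELATED accept rule.
from dataclasses import dataclass
from typing import Dict, List, Optional

BANNED_IP = "203.0.113.7"       # constructed (TEST-NET-3) address
IMAP_PORT = 143


@dataclass
class Packet:
    src: str
    dport: int
    established: bool            # conntrack state: part of an open connection?


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, RETURN, or a user chain name
    src: Optional[str] = None
    dport: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established is not None and self.established != pkt.established:
            return False
        return True


Chains = Dict[str, List[Rule]]


def evaluate(chains: Chains, name: str, pkt: Packet,
             policy: Optional[str] = None) -> Optional[str]:
    """Walk one chain top to bottom; a jump into a user chain that ends
    without a verdict (RETURN or fall-off) continues with the next rule."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = evaluate(chains, rule.target, pkt)   # jump to user chain
        if verdict is not None:
            return verdict
    return policy                # built-in chain: default policy applies


def build_chains(ban_chain_first: bool) -> Chains:
    """Model of fail2ban's layout: jump into f2b-dovecot for IMAP traffic,
    the ban chain drops the banned source and RETURNs otherwise."""
    jump = Rule("f2b-dovecot", dport=IMAP_PORT)
    established = Rule("ACCEPT", established=True)
    new_imap = Rule("ACCEPT", dport=IMAP_PORT)
    if ban_chain_first:
        input_chain = [jump, established, new_imap]   # as with -I INPUT 1
    else:
        input_chain = [established, jump, new_imap]   # ban chain too late
    return {
        "INPUT": input_chain,
        "f2b-dovecot": [Rule("DROP", src=BANNED_IP), Rule("RETURN")],
    }


def verdict(ban_chain_first: bool, pkt: Packet) -> str:
    return evaluate(build_chains(ban_chain_first), "INPUT", pkt, policy="DROP")


if __name__ == "__main__":
    open_conn = Packet(BANNED_IP, IMAP_PORT, established=True)
    print("ban chain first, open connection:", verdict(True, open_conn))
    print("ESTABLISHED first, open connection:", verdict(False, open_conn))
```

With the ban chain first, a packet from the banned address is dropped even though conntrack would have matched it as ESTABLISHED, so the attacker's existing IMAP session stalls; with the ESTABLISHED rule first, the same packet is accepted and only new connections are blocked. Note that dropping the packets does not close the socket on the server side; the Dovecot login process simply stops hearing from the client and will eventually time it out.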
