On 2007-12-09 11:13:09 -0800, Asheesh Laroia wrote:
> On Sat, 8 Dec 2007, Peter Hessler wrote:
>
> >There are a couple of jerks that are trying to dictionary attack my
> >email server, and one of the vectors is pop3/imap logins. Something I
> >would like to do in dovecot, but can't seem to find, is the ability to
> >disconnect after a certain number of errors. The vast majority of my
> >users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we
> >do, we know how to spell things properly.
>
> Another suggestion via PAM:
>
> "pam_shield blocks IPs"
> <http://www.ka.sara.nl/home/walter/pam%5Fshield/README.txt> describes
> http://www.ka.sara.nl/home/walter/pam%5Fshield/ .
>
> I still think that fail2ban is a better approach.

or just iptables:

    iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force attack "
    iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    iptables -A input_ext -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

darix

-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
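
An added example, not part of the original thread: the iptables rules above count new connections per source address, whereas the original request (and the fail2ban approach) is about counting failed logins. The sketch below applies the same 60-second / 4-hit threshold to failed POP3/IMAP logins found in a log. The log line format, the `FAILED_LOGIN` pattern and the `find_offenders` helper are assumptions made for this example; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is assumed for this example and
# must be adapted to what the mail server actually writes.
SAMPLE_LOG = """\
2007-12-09 11:00:00 imap-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.23
2007-12-09 11:02:00 imap-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.23
2007-12-09 11:04:00 imap-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.23
2007-12-09 11:06:00 imap-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.23
2007-12-09 11:13:01 pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=203.0.113.7
2007-12-09 11:13:05 pop3-login: Aborted login: user=<root>, method=PLAIN, rip=203.0.113.7
2007-12-09 11:13:08 imap-login: Login: user=<peter>, method=PLAIN, rip=192.0.2.50
2007-12-09 11:13:09 pop3-login: Aborted login: user=<test>, method=PLAIN, rip=203.0.113.7
2007-12-09 11:13:14 pop3-login: Aborted login: user=<guest>, method=PLAIN, rip=203.0.113.7
"""

# Hypothetical pattern matching the constructed format above.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:pop3|imap)-login: "
    r"Aborted login.*\brip=(?P<ip>[0-9a-fA-F.:]+)"
)

def find_offenders(lines, max_failures=4, window=timedelta(seconds=60)):
    """Return {ip: time at which it first had max_failures inside window}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside window
    offenders = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(m["ip"], ts)  # keep the first time only
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when} {ip} reached the failure threshold")
```

The slow source (one failure every two minutes) never reaches the threshold, which shows the limit of any fixed window: it catches bursts, not patient guessing.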