On 2/21/2016 8:19 PM, Petri Riihikallio wrote:
>> Essence of my question was not "how to block manually an already known malicious client?" but "how to apply some restrictions automatically on any suspicious clients?"
> Take a look at Fail2Ban or SSHGuard. They keep an eye on your logs and add firewall rules dynamically. They also expire the rules eventually.
>
> There is one more thing to consider: If your users mistype their username or password when setting up their mail application, they'll end up on the blacklist, because mail clients usually try multiple times. When they can't make the connection, they'll check their config, notice the error and correct it. When they still can't connect - because they are now blacklisted, they'll want support. (Executive summary: Expect more support calls if you set this up.)
>

+1 for Fail2ban. You can set it up exactly how you want. After 3 attempts on the SASL connection, block the connection (to a specific port? 25/465/all?) for 10 minutes.

Then I usually set up a "recidive" filter: another filter that matches on the 3rd recurrence (or any number) of the above filter. So after 9 attempts (3x 10min ban) (in this instance) I ban again for Y hours.

In my production environment I usually have:

1st Filter: 10 min after 10 fail
2nd Filter: 1 hour after 10 recurrences of 1st.
3rd Filter: 30 day ban. 7 occurrences of 2nd (Optional)

Usually when a paying user makes it to the 2nd filter, we usually get a call, tell them to check their password, and we unban. Depending on your user-base change timings to suit. (to give you an idea, we have around ~200 users)

After 2 years of setting this up, I've never had a client make it to the 3rd filter. Half the time they end up calling on the 1st filter.

Hope that sheds some light.

Tim
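An added example (not from Tim's post or the Fail2ban project) of how the three tiers above map onto Fail2ban jails: the stock postfix-sasl jail as tier 1, the stock recidive filter (which matches "Ban" lines in fail2ban.log) as tier 2, and a custom third filter that counts only tier-2 bans. Assumed: Fail2ban 0.9-style config (times in seconds), the filter name recidive-long, the fail2ban.log path, and the findtime windows for tiers 2 and 3, which Tim's post does not state.

```ini
# ---- /etc/fail2ban/jail.local (added example) ----
[DEFAULT]
# Assumed: keep the admin/support subnet out of all jails so staff can
# still reach the server while clearing a user's ban.
ignoreip = 127.0.0.1/8 192.0.2.0/24

# Tier 1: 10 SASL auth failures within 10 min -> 10 min ban (Tim's numbers)
[postfix-sasl]
enabled  = true
port     = smtp,submission,smtps
logpath  = /var/log/mail.log
maxretry = 10
findtime = 600
bantime  = 600

# Tier 2: 10 tier-1 bans -> 1 hour ban on all ports.
# The stock recidive filter reads fail2ban's own log, so loglevel must
# stay at NOTICE or lower for the "Ban <ip>" lines to be written.
[recidive]
enabled   = true
filter    = recidive
logpath   = /var/log/fail2ban.log
banaction = iptables-allports
maxretry  = 10
findtime  = 86400        ; assumed window: 10 tier-1 bans within one day
bantime   = 3600

# Tier 3 (optional): 7 tier-2 bans -> 30 day ban.
[recidive-long]
enabled   = true
filter    = recidive-long
logpath   = /var/log/fail2ban.log
banaction = iptables-allports
maxretry  = 7
findtime  = 2592000      ; assumed window: 7 tier-2 bans within 30 days
bantime   = 2592000

# ---- /etc/fail2ban/filter.d/recidive-long.conf (added example) ----
[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions
# Count only bans issued by the tier-2 jail named [recidive], so the
# 30-day ban can never be triggered directly by tier-1 bans.
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[recidive\]\s+Ban\s+<HOST>\s*$
ignoreregex =
```

Check a filter against the real log before enabling it with fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/recidive-long.conf; a legitimate user who hits tier 2 is released with fail2ban-client set recidive unbanip ADDRESS.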