[Dovecot] IP Tables block for POP3 attacks with Dovecot

Sean Kamath kamath at geekoids.com
Sun Apr 8 22:08:51 EEST 2007

On Apr 8, 2007, at 9:20 AM, Pete Dubler wrote:

> Has anyone implemented a script to block IPs which are attacking on  
> POP3 ports using dovecot logs to indicate repetitive failed login  
> attempts?
> sshblack does this nicely for ssh (port 22) attacks by monitoring  
> the /var/log/secure file.  I am considering rewriting this to POP3  
> port (110), but if it has already been done, I sure don't need the  
> practice.

Gotta love PF on OpenBSD (and FreeBSD).  It was a simple addition to  
the pass rule:

pass in quick on $ext_if proto tcp from any to $imaphost port \
      $imap_tcp_bf_svcs flags S/SA keep state  (max-src-conn 25, \
      max-src-conn-rate 10/1, overload <my-imap-bf> flush global) \
      label "$dstaddr:$dstport:$proto"

This limits a host to 25 connections, 10 per second.  If they exceed  
either, they're dumped into the my-imap-bf table, which is blocked  
earlier in the file with a

block quick from <my-imap-bf>


I used the values I did because I had some 600 connection in 40 seconds.


More information about the dovecot mailing list