Blocking dovecot (pop3) logins

Hi,

I got hammered today from thousands of entries like this:

    Feb 19 15:40:23 servername pop3-login: Aborted login [::ffff:201.238.200.11]

I had to put that IP into my blacklist on the firewall to get it to stop, but it was about 3-4 requests per second on my pop server.

I use dovecot as the pop/imap server.

In the blockhosts file, I see there's an entry like:

    # "POP-Fail": re.compile(r"""ipop3d\[(?P<pid>\d+)\]: Login failed.* \[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""),

but I'm not sure how to make my own rule for the entry above.

How can I make the dovecot "pop3-login:" command get recognised by blockhosts?

PS. the dovecot I use is from a base install of SL4.4 (RHEL 4 U4) with only a couple of options modified in the dovecot conf. I'm not even sure I can run this through xinetd or that it supports tcp wrappers. Has anyone got dovecot working with blockhosts before?

Thanks.

Michael.

here's the regex

On the topic of whether dovecot uses TCP_WRAPPERS, you may have to do some testing or look at the source code.

On the question of how to match above line, here's the regular expression to use:

    "Dovecot-Fail": re.compile(r"""pop3-login: Aborted login \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""),
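An added example, not part of the original reply or of blockhosts itself: the pattern above run over a few log lines to show what it does and does not capture. Only the first sample line comes from the thread; the other lines, the unanchored `search()` call, the helper names and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Pattern quoted from the reply above (the "Dovecot-Fail" rule).
DOVECOT_FAIL = re.compile(
    r"""pop3-login: Aborted login \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""
)

# Constructed sample log. The first line is the one from the original post;
# every other line is made up for this example.
SAMPLE_LOG = """\
Feb 19 15:40:23 servername pop3-login: Aborted login [::ffff:201.238.200.11]
Feb 19 15:40:23 servername pop3-login: Aborted login [::ffff:201.238.200.11]
Feb 19 15:40:24 servername pop3-login: Aborted login [::ffff:201.238.200.11]
Feb 19 15:40:25 servername pop3-login: Aborted login [192.0.2.45]
Feb 19 15:40:26 servername pop3-login: Login: user=<alice>, method=PLAIN, rip=::ffff:192.0.2.45
Feb 19 15:40:27 servername pop3-login: Aborted login [2001:db8::1]
Feb 19 15:40:28 servername imap-login: Aborted login [::ffff:198.51.100.7]
"""


def failed_hosts(log_text):
    """Count matching lines per source address (assumes an unanchored search)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DOVECOT_FAIL.search(line)
        if m:
            # The optional (::ffff:) prefix is consumed, so IPv4-mapped and
            # plain IPv4 sources are counted under the same dotted-quad key.
            counts[m.group("host")] += 1
    return counts


def hosts_over(counts, threshold):
    """Hosts whose count reaches a (hypothetical) blocking threshold."""
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = failed_hosts(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host}\t{n}")
    print("would block:", hosts_over(counts, threshold=3))
```

The native IPv6 source and the `imap-login:` line are not counted, so a host hitting IMAP or connecting over IPv6 needs its own rule.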

Thanks, I'll give it a go now...

Thanks for this ac.. I also found this on dovecot wiki:

http://wiki.dovecot.org/InetdInstall

which enables it to run through inetd, which I'm pretty sure will make blockhosts work on that.

Michael.

added to blockhosts 1.1

In anticipation that this will work, this rule is now available in the blockhosts 1.1 or later versions.