# Blocking failed IMAP login attempts with DenyHosts

## Nacon

Hello,

I've just finished the installation and configuration of my Postfix/Dovecot mail setup and it's working without problems so far.

In addition to the basic encryption of the IMAPS protocol, I would now like to limit the login attempts, similar to what DenyHosts does for the ssh service, in order to prevent brute force attacks.

So, my idea was to use the already running DenyHosts and create a regex statement.

The following extract from the logfile shows the failed attempts (first line imap: trying to read mails, second line smtp: trying to send mails):

 *Quote:*   

>  dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=NAME rhost=xx.xx.xxx.xx  user=NAME
> 
>  dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=NAME rhost=  user=NAME

 

So my first problem is that the rhost in the second line doesn't contain an IP address (why?).

Anyway, I tried to create a regex for the first line (example here: http://denyhosts.sourceforge.net/faq.html#userdef_regex)

 *Quote:*   

> `USERDEF_FAILED_ENTRY_REGEX=dovecot.*authentication failure.*rhost=(?P<host>.*)`

 

It isn't working. I don't know why ...

The best part about it is that I can't use iptables as an alternative, due to the virtualization method used.

So my question is whether it's possible (and advisable) to do this with DenyHosts, or what you have done regarding this problem.

I'm very interested in your experiences.

Thanks.

----------
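An offline check of what the posted `USERDEF_FAILED_ENTRY_REGEX` captures from the two quoted log lines, as an added example that is not part of the original post or of DenyHosts. The sample lines are constructed with the documentation address 203.0.113.7, the `TIGHT` pattern and all helper names are hypothetical, and it assumes the pattern is evaluated with Python's `re` module.

```python
import ipaddress
import re

# Pattern exactly as posted: the greedy .* after rhost= runs to end of line.
POSTED = re.compile(r"dovecot.*authentication failure.*rhost=(?P<host>.*)")
# Hypothetical tightened variant: host stops at whitespace and may be empty.
TIGHT = re.compile(r"dovecot.*authentication failure.*rhost=(?P<host>\S*)")

# Constructed sample lines modelled on the two quoted log entries;
# 203.0.113.7 is a documentation address, not a value from the post.
SAMPLE = [
    "dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=NAME rhost=203.0.113.7  user=NAME",
    "dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=NAME rhost=  user=NAME",
]


def captured_host(pattern, line):
    """Return the text of the 'host' group, or None if the line does not match."""
    m = pattern.search(line)
    return m.group("host") if m else None


def is_ip(value):
    """True only if the captured text is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def report(lines):
    """For each line and pattern: (pattern name, captured host, usable as IP)."""
    rows = []
    for line in lines:
        for name, pat in (("posted", POSTED), ("tight", TIGHT)):
            host = captured_host(pat, line)
            rows.append((name, host, is_ip(host)))
    return rows


if __name__ == "__main__":
    for name, host, ok in report(SAMPLE):
        print(f"{name:7} host={host!r:28} usable_ip={ok}")
```

With the posted pattern the `host` group also takes in the trailing `user=NAME` text, so the captured value is not a bare address. The line with an empty `rhost=` yields no usable address under either pattern.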

