Senseless brute force attacks on Dovecot

zmippie (Verified User, joined Apr 19, 2015, 161 messages)
I'm seeing a large number of brute-force attacks on Dovecot with credentials for a domain that is indeed hosted on the server, but for which the MX records have been configured to point to Google's mailservers. In other words: anything e-mail related is not handled at this server, so the attacks make no sense at all. But I guess checking the MX records is asking too much from hackers that are just copy-pasting dumb scripts hoping to find the right login/password combination by brute forcing.

Anyway, I was thinking: is there a way to just block any Dovecot or Exim attempt on a certain domain/user? I've found this thread from 2013, but I'm not sure if it applies to my situation. Will Martynas' solution work in this case?
 
I guess not, because the requests keep coming in; your system just checks them and returns errors. Unless you block the source IPs.
 
I guess not, because the requests keep coming in; your system just checks them and returns errors. Unless you block the source IPs.

Blocking the source IPs would be impossible, because the attacks come from far and wide. But in fact, Martynas' solution, or actually the simplified version of Pat_Coed, does work. After adding the e-mail addresses to be denied to the .deny file, the attacks are being cut off before leaving a trace in the logs.
It would be nice if this would be possible on a per-domain basis, but for now, this works for me.
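For readers who want to see what the ".deny file" approach looks like in Dovecot terms, here is an added configuration example; it is not from this thread, not Martynas' or Pat_Coed's exact version, and not DirectAdmin's shipped config. It uses Dovecot's documented "deny" passdb: a passwd-file passdb with deny = yes, placed before the real passdb, rejects the listed users before any password lookup. The file paths, the example addresses, and the second (real) passdb are assumptions; the second passdb stands in for whatever your server already uses and should be left as it is.

```conf
# Added example, not from the original thread.
# Assumed file: /etc/dovecot/conf.d/10-auth.conf (or dovecot.conf).
#
# Order matters: Dovecot tries passdbs in the order they appear, so the
# deny passdb must come BEFORE the passdb that actually checks passwords.
# A user found in the deny file is refused outright; the password field of
# the file is not consulted for a deny passdb.
passdb {
  driver = passwd-file
  deny = yes
  args = /etc/dovecot/deny-users
}

# The real passdb (assumed placeholder; keep your server's existing one).
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}

# Assumed file: /etc/dovecot/deny-users
# passwd-file format, one entry per line: username followed by a colon.
# Constructed example addresses for a domain whose MX points elsewhere.
#
#   user1@example.com:
#   user2@example.com:
#   info@example.com:
```

After editing, run `doveadm reload` and verify with `doveadm auth test user1@example.com anypassword`; the attempt should fail immediately for a listed user, while an unlisted user still falls through to the normal passdb. The deny file is matched per user, not per domain, which is why a separate line per mailbox is needed; attempts for listed users are refused without a password check, which matches the quieter logs reported above.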
 