Brute Force Monitor chokes on distributed IMAP attack

zmippie

We're seeing hundreds of "New Message: Brute-Force Attack detected in service log on User(s) [non-existent username here]" messages coming from DirectAdmin in the past few weeks. What the BFM picks up are failed IMAP connection attempts (Dovecot). It's getting a little annoying, because of the many non-existent email addresses that are being targeted.

This is clearly a distributed attack (hundreds of different IP addresses) with a very low interval rate, so CSF LFD won't pick it up, but the BFM does. It wouldn't really help to block IPs though. What would help is if there was a way in Dovecot to just ignore failed login attempts on non-existent users. I'd be happy to add these addresses manually, if needed, because it's less than a dozen.
I've Googled the subject until I'm seeing cross-eyed, but I can't seem to find a solution. Does anyone here have an idea? Muchos gracias in advance.
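
An added example, not part of the original post and not DirectAdmin's or Dovecot's own code: the pattern described above, many source IPs that each stay under a per-IP threshold, shows up when failed IMAP logins are grouped by targeted username instead of by IP. The log line layout, mailbox names, thresholds and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches imap-login auth-failure lines; tolerant of the leading verb
# ("Disconnected" / "Aborted login") and of fields between user= and rip=.
FAIL_RE = re.compile(
    r"imap-login: .*?\(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def failures_by_user(lines):
    """Return {user: {source_ip: failed_attempt_count}}."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAIL_RE.search(line)
        if m and m.group("user"):
            table[m.group("user").lower()][m.group("rip")] += int(m.group("n"))
    return table

def distributed_targets(lines, known_users, min_ips=3, per_ip_limit=5):
    """Non-existent users hit from many IPs, each IP below the per-IP limit."""
    known = {u.lower() for u in known_users}
    hits = {}
    for user, per_ip in failures_by_user(lines).items():
        if user in known:
            continue  # failures on real mailboxes are a separate signal
        if len(per_ip) >= min_ips and max(per_ip.values()) < per_ip_limit:
            hits[user] = {"ips": len(per_ip), "attempts": sum(per_ip.values())}
    return hits

# Constructed sample log lines (documentation IP ranges, made-up mailboxes).
_FMT = ("Mar  3 02:{m:02d}:07 mail dovecot: imap-login: Disconnected "
        "(auth failed, {n} attempts in 4 secs): user=<{u}>, method=PLAIN, "
        "rip={ip}, lip=192.0.2.10, TLS, session=<x{m}>")
SAMPLE = [_FMT.format(m=i, n=n, u=u, ip=ip) for i, (u, ip, n) in enumerate([
    ("info@example.com", "198.51.100.7", 1),
    ("info@example.com", "203.0.113.20", 1),
    ("info@example.com", "203.0.113.99", 2),
    ("info@example.com", "198.51.100.41", 1),
    ("sales@example.com", "198.51.100.7", 6),   # one noisy IP, not distributed
    ("real@example.com", "203.0.113.5", 2),     # existing mailbox
])]

if __name__ == "__main__":
    for user, stats in distributed_targets(SAMPLE, ["real@example.com"]).items():
        print(user, stats)
```

The resulting list of targeted non-existent addresses is the "less than a dozen" set the post mentions, which makes it a natural input for deciding which notifications to suppress or review.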