IMAP attack underway

My Linode seems to be in the middle of fending off a bot-net attack using imap-login as the vector. The attacker is trying to log in as my dad (whose account was deleted several years ago after he died).

Here's a summary of my configuration:

  • POP3/POP3S are disabled (and blocked by the firewall);
  • IMAP is only accepted from localhost (for v4 & v6…I need this for a local app…this is also enforced by the firewall);
  • IMAPS requires login authentication; and
  • LDA/LMTP use local-domain sockets (only accessible from localhost).

fail2ban(1) bans nodes after 1 IMAPS login failure in any 5-minute period… draconian I know… However, I only have 4 customers and I set up everyone's clients so I'm reasonably sure that any occurrences of an IMAPS login failure are from bogus login attempts.

Is there anything else anyone could suggest that I do?

Thanks in advance…

-- sw
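The fail2ban rule described in the post (ban after 1 IMAPS login failure within any 5-minute window) can be reproduced as a small sliding-window detector over Dovecot imap-login log lines. This is an added example, not code from the thread or from fail2ban; the sample lines are constructed after Dovecot's auth-failure message shape, and the function names, IP addresses and user names are assumptions. The `known_users` parameter additionally flags failures against accounts that no longer exist, which is the signal the post describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on Dovecot's imap-login messages (not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dad>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jan 12 03:14:09 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS
Jan 12 03:16:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<dad>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS
Jan 12 03:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS
Jan 12 03:23:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS
"""

# Matches the "Disconnected (auth failed ...)" / "Aborted login (auth failed ...)" lines only;
# successful "Login:" lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?:Disconnected|Aborted login) \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for each auth-failure line (syslog lines carry no year)."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["rip"]

def bans(text, maxretry=1, findtime=300, known_users=()):
    """fail2ban-style decision: ban a source IP once it has maxretry failures within findtime seconds.

    Returns {rip: {"at": ban time, "user": last user tried, "unknown_user": bool}}.
    """
    window = defaultdict(deque)   # rip -> timestamps of failures still inside findtime
    banned = {}
    for ts, user, rip in parse_failures(text):
        if rip in banned:         # already banned; fail2ban would not see further attempts
            continue
        q = window[rip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[rip] = {"at": ts, "user": user, "unknown_user": user not in known_users}
    return banned
```

With the post's setting (maxretry=1) every failing source is banned on its first failure; raising maxretry to 2 would let the two single-failure bot sources through while still catching the repeated failures from 198.51.100.7.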

2 Replies

The steps you've taken so far look to be the same things I'm finding when trying to research this a little more. Aside from Fail2Ban, I found another interesting open-source tool that could be helpful, Brutelock. I haven't tested this, but going off of their documentation materials, it looks promising. Based on this post I found online, the essential thing it does here is that it creates a separate iptables chain, then runs a daemon. There's a paid version, which I believe provides automated updates to the software.

@watrick --

Thanks for the info. I read the post you linked to but the "brutelock.com" domain is for sale. I found the GitHub repo for it and discovered that it hasn't been updated in 9 years.

From what the post you linked to described, it doesn't sound a whole lot different than fail2ban(1). Anyway, moot since BruteLock appears to be abandoned.

Thanks for taking the time to respond…

-- sw
