Install fail2ban:
wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8. 3/fail2ban-0.8.3.tar.bz2/download tar -xjvf fail2ban-0.8.3.tar.bz2 cd fail2ban-0.8.3 python setup.py install vi /etc/fail2ban/jail.conf Enable only the sections you need and do them one at a time. I have enabled SSH, ProFTP, Qmail* and Vpopmail* (* add sections as described below) Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients! ## example:: ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24 Also change bantime, findtime, maxretry time as it suits you. If bantime = -1 is the same as never expire the IP ban. * additional sections for jail.conf [vpopmail] enabled = true port = pop3 filter = vpopmail action = iptables[name=pop3, port=pop3, protocol=tcp] sendmailwhois[name=pop3,dest=y...@email.domain, sender=em...@adr] logpath = /var/log/maillog maxretry = 3 bantime = -1 [qmail-iptables] enabled = true filter = qmail action = iptables[name=QMAIL, port=smtp, protocol=tcp] sendmail-whois[name=QMAIL, dest=y...@email.domain] logpath = /var/log/maillog maxretry = 3 bantime = -1 Save and close the jail.conf file. vi /etc/fail2ban/filter.d/vpopmail.conf (create new file) Paste this into the file: # Fail2Ban configuration file # # Author: Christoph Haas # Modified by: Ole Johansen - CDS # # $Revision: 510 $ # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST> # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = Save and close the file. Start the fail2ban by type: fail2ban-client start New chains to the iptables are created. Use iptables -L -n ,to show entries in the iptables I have not tested the changes, so I would like to get some feedback on this. B/R Ole J