[Dovecot] Fail2Ban and the Dovecot log

Lou Duchez lou at paprikash.com
Tue May 12 21:45:44 EEST 2009


Lou Duchez wrote:
> Ed W wrote:
>> Lou Duchez wrote:
>>> This arrangement is designed to trap POP3 and IMAP separately, and 
>>> also to allow a high number of errors before temporarily "jailing" a 
>>> user.  This is to decrease the likelihood that a single user from a 
>>> single IP will get all his coworkers (temporarily) banned over an 
>>> honest mistake in configuration. 
>>
>>
>> I have noticed recent breaking attempts which appear to be a slow 
>> coordinated botnet using multiple IPs and trying a combination of 
>> SMTP + POP + IMAP (can't remember if it did both of the latter or just 
>> POP?).
>> As a result I tried to combine all three into a single test.  
>> Actually I did the wrong thing, but if you look through my previous 
>> posts you can see someone (Bill?) correct me and post the correct 
>> config for this.
>>
>> I would recommend you be aware of this - in my case I was seeing less 
>> than a few attempts from a given IP in a 10 min period, but lots of 
>> what appeared to be coordinated attempts at the server level. (eg 
>> some servers were only trying a few logins per day, but across enough 
>> IP addresses this was fairly rapidly filling the logs)
>>
>> Good luck
>>
>> Ed W
>>
>
> Thanks for the heads-up!  Okay then, perhaps the best solution is to 
> make use of the "ignoreip" setting in jail.conf to protect known IP 
> addresses, something like this:

(snip)

Or even smarter: create a single filter file called smtppop3imap.conf, 
and use that same filter for SMTP, POP3, and IMAP.  Here's what the 
filter would look like:

[Definition]

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

ignoreregex =


The first regex will cover SMTP authentication errors generated by 
Postfix.  The second regex is for Dovecot and authentication errors with 
POP3 and IMAP.

Sorry to keep posting iterative improvements; every time I think I'm 
done, I come up with something better (and perhaps worth sharing).
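Added example, not part of Lou's post or of fail2ban itself: a small Python script that applies the two failregex patterns from the filter above to a handful of constructed Postfix and Dovecot log lines, the way fail2ban-regex would when testing a filter, then tallies failures per source address and applies a maxretry threshold and an ignoreip list. The expansion of <HOST> is copied in as an assumption (fail2ban's 0.8-era definition) so the script runs without fail2ban installed; the log lines and addresses are constructed for the example.

```python
import re

# fail2ban substitutes <HOST> in a failregex with its own pattern before
# compiling; this is the 0.8-era expansion, copied here as an assumption so
# the script runs without importing fail2ban.
HOST_EXPANSION = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two patterns from the smtppop3imap.conf filter above: Postfix SASL
# failures first, Dovecot pop3-login/imap-login failures second.
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]

COMPILED = [re.compile(p.replace("<HOST>", HOST_EXPANSION)) for p in FAILREGEX]

# Constructed sample log lines (not taken from any real server); addresses are
# from the documentation ranges. Two Postfix SASL failures, three Dovecot
# failures of the three kinds the filter names, and one successful IMAP login
# that must not match.
SAMPLE_LOG = """\
May 12 21:40:01 mail postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
May 12 21:40:05 mail dovecot: pop3-login: Authentication failure: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.1
May 12 21:40:09 mail dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.1, TLS
May 12 21:40:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.1
May 12 21:40:15 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=203.0.113.1
May 12 21:40:20 mail postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
"""


def match_line(line):
    """Return the offending host if any failregex matches the line, else None.

    fail2ban searches for the pattern rather than matching the whole line,
    so the patterns only need to occur somewhere in the line, exactly as
    they do in the filter file.
    """
    for regex in COMPILED:
        m = regex.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text):
    """Count matched failures per host across every line of the log."""
    counts = {}
    for line in log_text.splitlines():
        host = match_line(line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(counts, maxretry, ignoreip=()):
    """Hosts at or above maxretry, minus any listed in ignoreip.

    ignoreip here is a plain list of addresses, mirroring the jail.conf
    setting discussed earlier in the thread (CIDR ranges are not handled).
    """
    return sorted(h for h, n in counts.items() if n >= maxretry and h not in ignoreip)


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for host, n in sorted(failures.items()):
        print(f"{host}: {n} failed login(s)")
    print("would ban:", hosts_to_ban(failures, maxretry=2, ignoreip=["198.51.100.7"]))
```

Feeding real log lines through match_line is a quick way to confirm that a regex still fires after a Postfix or Dovecot upgrade changes the log wording, and that a successful login never does.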


