[Dovecot] Account lockout option?

Bill Landry bill at inetmsg.com
Fri Mar 20 01:17:15 EET 2009


Ed W wrote:
> Bill Landry wrote:
>> Ed W wrote:
>>
>>  
>>> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
>>> failregex = dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
>>>     
>>
>> Ed, have you found that both failregex lines are actually being used
>> here, as in my experience, only the first failregex line is used?
>>   
> 
> Oh!  You mean did I actually test this stuff before assuming it was all
> working perfectly?
> 
> (shuffling of feet...)
> 
> Well, ok, perhaps it doesn't...
> 
> Looking at the config files it would appear that proftpd.conf and
> sshd.conf use a single "failregex=" line and then put multiple
> regexps on each following line.  I guess this is the correct way to do
> it...
> 
> The benefit of only using one .conf file is that if some cheeky scammer
> is alternately trying your smtp, pop, imap for a break-in then it takes
> more attempts to snag them
> 
> The current attacks against my server are very slow attacks from a
> distributed botnet and fail2ban is hardly touching them.  I see dozens
> of IPs trying at no more than one per minute and it would appear they
> swap between smtp and pop ports (I see the same from any given IP).
> 
> Some IPs seem much more common and fail2ban is occasionally snagging an
> IP which spews a bit faster, but sometimes each IP will try only once or
> twice a day.
> 
> Bit of a bugger to stop really...

What is your "maxretry =" set to for your dovecot jail.conf entry, as
you did not show it in your initial email?  If they are trying once per
minute (as you stated above), and you have, for example, your "maxretry
= 5", then after 5 failed attempts (in your scenario, 5 minutes), they
will be locked out for 3600 seconds (1 hour).  And if they keep trying,
they will stay blocked until there is at least 1 hour between attempts.

Fail2ban is awesome, I have it set to monitor all of my running services.

Bill
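
The counting discussed in this thread, as an added example that is not part of the original messages and is not fail2ban's own code: a simplified model that applies both quoted patterns to constructed log lines and bans a host once "maxretry" failures fall within a time window. It assumes an IPv4-only stand-in for the <HOST> tag and uses fail2ban's "findtime" option (not mentioned in the thread) as the window length; the function names are hypothetical.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Both patterns from the thread, held in one list so each is really applied.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$",
    r"dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$",
)]

def failed_host(line):
    """Return the source IP if any pattern matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def banned_hosts(events, maxretry, findtime):
    """events: (epoch_seconds, log_line) pairs in time order.
    Returns {host: time of ban}; a host is banned once maxretry
    failures fall within findtime seconds (simplified model)."""
    recent = defaultdict(deque)
    banned = {}
    for ts, line in events:
        host = failed_host(line)
        if host is None or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

def sample_events():
    """Constructed log lines with documentation IPs, not from a real server."""
    smtp = "mail postfix/smtpd[4242]: warning: unknown[{ip}]: SASL LOGIN authentication failed"
    pop = "mail dovecot: auth(default): passwd-file(bob,{ip}): password mismatch"
    events = []
    for i in range(6):   # one attempt per minute, alternating SMTP and POP3
        events.append((i * 60, (smtp if i % 2 == 0 else pop).format(ip="203.0.113.7")))
    for i in range(6):   # one attempt every 12 hours
        events.append((i * 43200, pop.format(ip="198.51.100.9")))
    return sorted(events)
```

With maxretry 5 and a 600-second window only the once-per-minute host is banned; the host that tries twice a day is caught only when the window is widened to several days.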

