WJCarpenter wrote:
> Is there any option available for me to help inhibit/prevent brute-force login attempts?
> I (and many others) use fail2ban. It works outside of dovecot, et al, by tailing your log files. When it finds a configurable
Just to document that solution. This watches postfix AND dovecot logs since I found botnets slowly trying both alternately.
Create filter.d/mail.conf
>>>>>>>>>>>
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Match:
#   Mar 2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
#   Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
#   Mar 2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
>>>>>>>>>>>>
Then in jail.conf add lines like:

[mail-iptables]
enabled  = true
filter   = mail
action   = iptables-multiport-log[name=mail, port="smtp,smtps,submission,imap,imaps,pop3,pop3s", protocol=tcp]
           sendmail-whois[name=mail, dest=postmaster@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath  = /var/log/mail.log
bantime  = 3600
Hope this helps
Ed W
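To check what the two failregex lines from the filter above actually catch before enabling the jail, here is an added example (not part of Ed W's post or of fail2ban itself) that expands `<HOST>` to the alias quoted in the filter, runs both patterns over constructed log lines in the shape of the "Match:" samples, and tallies hits per host against an assumed maxretry of 3; the findtime window is ignored for simplicity.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this alias (quoted in the filter file's comments)
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from filter.d/mail.conf, verbatim
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$",
    r"dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$",
]
PATTERNS = [re.compile(r.replace("<HOST>", HOST_ALIAS)) for r in FAILREGEX]

# Constructed sample log (same shape as the Match: lines; addresses are made up).
# The last two lines are normal traffic and must not be counted.
SAMPLE_LOG = """\
Mar 2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
Mar 2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed
Mar 2 14:45:20 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL LOGIN authentication failed
Mar 2 14:45:25 mail1 dovecot: auth(default): plain(blah@asdf.com,92.251.70.165): password mismatch
Mar 2 14:47:00 mail1 dovecot: auth(default): plain(blah@asdf.com,::ffff:203.0.113.9): unknown user
Mar 2 14:46:00 mail1 postfix/smtpd[27402]: connect from unknown[10.0.0.5]
Mar 2 14:46:01 mail1 dovecot: imap-login: Login: user=<blah@asdf.com>, method=PLAIN, rip=10.0.0.5
"""


def failed_hosts(log_text):
    """Count auth-failure hits per host, one hit per matching line (as fail2ban does)."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)  # fail2ban searches, it does not anchor at line start
            if m:
                hits[m.group("host")] += 1  # the ::ffff: prefix is stripped by the alias
                break
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts that reached the (assumed) maxretry threshold and would be banned."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} failed login(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Note that the postfix pattern is anchored on `failed$`, so a line that carries a reason after "authentication failed:" (as the third Match: sample does) is not counted; check a few real lines from /var/log/mail.log the same way before relying on the jail.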