[Dovecot] login processes from attacks staying for hours

Bill Landry bill at inetmsg.com
Wed Jul 23 23:18:44 EEST 2008


Kai Schaetzl wrote:
> Charles Marcus wrote on Wed, 23 Jul 2008 10:30:30 -0400:
> 
>> The best answer is to use a tool made for this kind of job, like fail2ban.
> 
> I found a few fail2ban definitions on the web, but all seem to be either 
> very outdated or plain wrong for RHEL/CentOS. I've come so far as to this 
> with the regex for dovecot on CentOS 5 (scanning /var/log/secure). Do you 
> think that's correct?
> 
> failregex = dovecot-auth: pam_unix(dovecot:auth): authentication failure; .* rhost=<HOST>$
> 
> log line to be matched:
> Jul 23 16:42:26 chacha dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
> 


Kai, you can test your regex using "fail2ban-regex".  For example:

fail2ban-regex /var/log/secure "dovecot-auth: pam_unix(dovecot:auth): authentication failure; .* rhost=<HOST>$"

However, that does not detect the log-line above.  Try something simpler 
like:

fail2ban-regex /var/log/secure "dovecot-auth.*pam_unix.*authentication failure.*rhost=<HOST>$"

Bill
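As an added illustration (not part of the thread, and not fail2ban's own code), the script below does offline what Bill suggests running with fail2ban-regex: it substitutes fail2ban's <HOST> placeholder, applies each failregex to a few constructed /var/log/secure lines (the 127.0.0.1 line is the one quoted in the thread, the others are made up here), and returns the hosts extracted. The <HOST> substitution pattern is an assumption modelled on fail2ban 0.8's failregex handling; check the installed version's source if you rely on the exact form. It shows why Kai's original regex matches nothing: the unescaped parentheses around dovecot:auth form a regex group, so the pattern looks for the literal text "pam_unixdovecot:auth:" which never appears in the log.

```python
import re

# Placeholder substitution modelled on fail2ban 0.8 (assumption): an optional
# IPv4-mapped IPv6 prefix such as "::ffff:" is skipped and the host is captured
# as a named group, so "::ffff:127.0.0.1" is banned as 127.0.0.1.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Kai's regex as posted: the bare parentheses are a regex group, not literal text.
ORIGINAL_FAILREGEX = r"dovecot-auth: pam_unix(dovecot:auth): authentication failure; .* rhost=<HOST>$"
# Bill's simpler pattern: no metacharacters left unescaped.
SIMPLER_FAILREGEX = r"dovecot-auth.*pam_unix.*authentication failure.*rhost=<HOST>$"
# Kai's pattern with the parentheses escaped, which also works.
ESCAPED_FAILREGEX = r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>$"

# Constructed sample log: first line quoted from the thread, the rest made up
# (an sshd failure and a successful dovecot login that must NOT be matched).
SAMPLE_LOG = """\
Jul 23 16:42:26 chacha dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jul 23 16:42:31 chacha dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10
Jul 23 16:42:40 chacha sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jul 23 16:43:02 chacha dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11
"""


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(failregex, log_text):
    """Return the host extracted from every log line the failregex matches.

    fail2ban strips the timestamp before matching; re.search gives the same
    effect here because none of the patterns are anchored at the start.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_FAILREGEX),
                     ("simpler", SIMPLER_FAILREGEX),
                     ("escaped", ESCAPED_FAILREGEX)):
        print(f"{name:8s} -> {match_hosts(rx, SAMPLE_LOG)}")
```

Running it prints an empty list for the original pattern and the two dovecot client addresses for the other two; the sshd failure and the successful login are left alone in every case, which is the check worth repeating whenever a failregex is loosened with `.*`.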
