[Dovecot] Lots of pop3-logins
Rodman Frowert
rodman at thefrowerts.com
Fri Jun 26 17:31:24 EEST 2009
Charles,
I haven't tested it with IMAP so I'm not sure. I was going to play with
that later. It could also be modified to ban failed SASL SMTP auths as
well. Here is the line in my /etc/fail2ban/filter.d/dovecot.conf file that
makes it work:
failregex = (?: Disconnected|Aborted login).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
I have to use the "Disconnected" AND "Aborted login" to pick up 100% of
failed pop3's. For some reason, some attacks only show "Disconnected" in
the logs while the others show as "Aborted login". If I try to do a failed
pop3 auth myself, I show as "Disconnected" but the dictionary attack the
other day showed as "Aborted login".
Rodman
----- Original Message -----
From: "Charles Marcus" <CMarcus at Media-Brokers.com>
Cc: <dovecot at dovecot.org>
Sent: Friday, June 26, 2009 8:57 AM
Subject: Re: [Dovecot] Lots of pop3-logins
> On 6/26/2009, Rodman Frowert (rodman at thefrowerts.com) wrote:
>> If anyone wants to see the fail2ban config file I am using for Dovecot,
>> let me know...
>
> Does it also work for IMAP logins? I'd like to see it regardless...
> thanks!
>
> --
>
> Best regards,
>
> Charles
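
The failregex quoted in the message above, run over sample log lines. This is an added example, not part of the original thread and not fail2ban's or Dovecot's own code. The log lines are constructed in the shape of Dovecot login logging, and the helper names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# failregex from the message, joined onto one line (fail2ban uses Python's re).
FAILREGEX = re.compile(
    r"(?: Disconnected|Aborted login).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"
)

# Constructed sample lines (not real logs); addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 26 08:01:10 mail dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.0.2.10
Jun 26 08:01:12 mail dovecot: pop3-login: Disconnected: user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Jun 26 08:01:15 mail dovecot: pop3-login: Aborted login: user=<root>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.0.2.10
Jun 26 08:02:00 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Jun 26 08:02:05 mail dovecot: POP3(alice): Disconnected: Logged out top=0/0, retr=1/1532, del=0/4, size=9876
Jun 26 08:03:00 mail dovecot: imap-login: Disconnected: user=<carol>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10
"""


def match_host(line):
    """Return the captured client address, or None if the line does not match."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def count_failures(log_text):
    """Count matching lines per client address (empty captures are skipped)."""
    return Counter(h for h in map(match_host, log_text.splitlines()) if h)


def hosts_over(counts, maxretry):
    """Addresses with at least `maxretry` matches (threshold value is assumed)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        # Strip the 16-character syslog timestamp for display only.
        print(f"{match_host(line)!s:>15}  {line[16:]}")
    print("would ban:", hosts_over(count_failures(SAMPLE_LOG), maxretry=3))
```

The pattern names no service, so the constructed imap-login line of the same shape matches as well, while the successful "Login:" line and the post-login "Disconnected: Logged out" line (which has no rip= field) do not.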