[Dovecot] Account lockout option?

Ed W lists at wildgooses.com
Fri Mar 20 00:22:45 EET 2009


Bill Landry wrote:
> Ed W wrote:
>
>   
>> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
>> failregex = dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
>>     
>
> Ed, have you found that both failregex lines are actually being used
> here, as in my experience, only the first failregex line is used?
>   

Oh!  You mean did I actually test this stuff before assuming it was all 
working perfectly?

(shuffling of feet...)

Well, ok, perhaps it doesn't...

Looking at the config files it would appear that proftpd.conf and 
sshd.conf use a single "failregex=" line and then put multiple 
regexps on each following line.  I guess this is the correct way to do it...

The benefit of only using one .conf file is that if some cheeky scammer 
is alternately trying your smtp, pop, imap for a break-in then it takes 
more attempts to snag them.

The current attacks against my server are very slow attacks from a 
distributed botnet and fail2ban is hardly touching them.  I see dozens 
of IPs trying at no more than one per minute and it would appear they 
swap between smtp and pop ports (I see the same from any given IP).

Some IPs seem much more common and fail2ban is occasionally snagging an 
IP which spews a bit faster, but sometimes each IP will try only once or 
twice a day.

Bit of a bugger to stop really...

Ed W
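
Added example (not part of the original message, and not fail2ban's own code): a small Python model of a retry-count/time-window check, run over constructed log lines, showing why a short window misses the slow per-IP rate described above while a longer window that counts SMTP and POP failures together does not. Assumptions: `<HOST>` is expanded to a simplified IPv4-only group, and the names `compile_filter`, `banned`, `sample_log` and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two patterns quoted in the thread, unchanged apart from line joining.
SMTP = (r": warning: [-._\w]+\[<HOST>\]: SASL "
        r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")
POP = r"dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$"

def compile_filter(*patterns):
    """Expand <HOST> and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def banned(events, patterns, maxretry, findtime):
    """Return IPs with >= maxretry matching failures within findtime seconds.
    events: iterable of (epoch_seconds, log_line) in time order."""
    recent, hits = defaultdict(deque), set()
    for ts, line in events:
        m = next((m for m in (rx.search(line) for rx in patterns) if m), None)
        if m is None:
            continue  # not an authentication failure
        q = recent[m.group("host")]
        q.append(ts)
        while ts - q[0] >= findtime:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            hits.add(m.group("host"))
    return hits

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    smtp = "postfix/smtpd[411]: warning: unknown[{}]: SASL LOGIN authentication failed"
    pop = "dovecot: auth(default): passwd-file(bob,{}): password mismatch"
    ev = [(t, smtp.format("198.51.100.9")) for t in (5, 15, 25)]  # fast client
    # Slow client: one failure every 15 minutes, alternating SMTP and POP.
    ev += [(i * 900, (smtp, pop)[i % 2].format("203.0.113.7")) for i in range(6)]
    ev.append((1200, pop.format("192.0.2.44")))  # a single attempt
    ev.append((30, "dovecot: pop3-login: Login: user=<bob>, rip=192.0.2.1"))  # success
    return sorted(ev)

if __name__ == "__main__":
    log, both = sample_log(), compile_filter(SMTP, POP)
    print("both, 3 in 600 s:   ", banned(log, both, 3, 600))
    print("both, 3 in 1 day:   ", banned(log, both, 3, 86400))
    print("both, 4 in 1 day:   ", banned(log, both, 4, 86400))
    print("SMTP only, 4 in 1 d:", banned(log, compile_filter(SMTP), 4, 86400))
```

The address that fails only once stays under every threshold here, which matches the "once or twice a day" case in the message: per-IP counting alone cannot catch it.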

