[Dovecot] Fail2Ban and the Dovecot log
    Lou Duchez 
    lou at paprikash.com
       
    Tue May 12 11:32:06 EEST 2009
> Maybe there could be a page in the dovecot wiki about Fail2Ban?  A 
> definitive Dovecot / Fail2ban resource would be useful.  (If nobody 
> else creates one in a week, perhaps I will.  But I have to perfect my 
> Fail2banning first ...)
I couldn't figure out how to add new pages to wiki.dovecot.org, but here 
is what I have come up with for an easy Fail2ban recipe:
---
Configuring Fail2Ban with Dovecot
1)   Make sure your dovecot "log_path" string is empty, in other words 
allow syslog to do your Dovecot logging (into the default mail log).  
This ensures that the log entries will be in a format Fail2ban can work 
with.

2)   In your Fail2ban "jail.conf" file (most likely 
/etc/fail2ban/jail.conf), add entries like the following:

[dovecot-pop3]
enabled  = true
filter   = dovecot-pop3
action   = iptables[name=POP3, port=pop3, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
bantime  = 1200

[dovecot-imap]
enabled  = true
filter   = dovecot-imap
action   = iptables[name=IMAP, port=imap, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
bantime  = 1200

This arrangement is designed to trap POP3 and IMAP separately, and also 
to allow a high number of errors before temporarily "jailing" a user.  
This is to decrease the likelihood that a single user from a single IP 
will get all his coworkers (temporarily) banned over an honest mistake 
in configuration.

3)   Create a jail called dovecot-pop3.conf (most likely as 
/etc/fail2ban/filter.d/dovecot-pop3.conf):

[Definition]
failregex = (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*
            (?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*
ignoreregex =

4)   Create a jail called dovecot-imap.conf (most likely as 
/etc/fail2ban/filter.d/dovecot-imap.conf):

[Definition]
failregex = (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: imap-login: Aborted login).*rip=(?P<host>\S*),.*
            (?: imap-login: Disconnected).*rip=(?P<host>\S*),.*
ignoreregex =

5)   Restart Fail2ban.
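As an added check (example code, not part of the original post or of Fail2ban itself), the script below replays the two failregex sets from the recipe against a few constructed Dovecot syslog lines, so you can see which lines each jail counts, which "rip=" address it extracts, and whether a host would cross the maxretry threshold; the log lines and addresses are constructed for this example.

```python
# Added example: replays the dovecot-pop3 / dovecot-imap failregex patterns
# from the recipe above against constructed syslog lines. It mimics how
# fail2ban counts matches per jail and per client IP; it is not fail2ban code.
import re
from collections import Counter

# failregex lines exactly as written in the two filter files above;
# fail2ban compiles each line as a separate Python regular expression.
FILTERS = {
    "dovecot-pop3": [
        r"(?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*",
        r"(?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*",
        r"(?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*",
    ],
    "dovecot-imap": [
        r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
        r"(?: imap-login: Aborted login).*rip=(?P<host>\S*),.*",
        r"(?: imap-login: Disconnected).*rip=(?P<host>\S*),.*",
    ],
}

# Constructed sample of /var/log/maillog lines (syslog format, log_path empty).
# The last two lines are a successful login and a normal logout and must not count.
SAMPLE_LOG = """\
May 12 11:00:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
May 12 11:00:02 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=198.51.100.5
May 12 11:00:03 mail dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
May 12 11:00:04 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
May 12 11:00:05 mail dovecot: IMAP(alice): Disconnected: Logged out bytes=123/456
"""


def count_failures(log_text, filters=FILTERS):
    """Return {jail: Counter({host: hits})} for lines matching any failregex of that jail."""
    compiled = {jail: [re.compile(p) for p in pats] for jail, pats in filters.items()}
    hits = {jail: Counter() for jail in filters}
    for line in log_text.splitlines():
        for jail, regexes in compiled.items():
            for rx in regexes:
                m = rx.search(line)
                if m:
                    hits[jail][m.group("host")] += 1
                    break  # a line counts once per jail, as fail2ban does
    return hits


def would_ban(hits, jail, host, maxretry=20):
    """Mirror the jail.conf threshold: the host is banned once hits reach maxretry."""
    return hits[jail][host] >= maxretry
```

Running `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3.conf` gives the same kind of per-line verdict against your real log.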