[Dovecot] Fail2ban
Mark Sapiro
mark at msapiro.net
Fri Jun 11 01:04:30 EEST 2010
On 11:59 AM, Jerrale Gayle wrote:
> I have fail2ban working for EVERYTHING else except dovecot. I have tried
> using my own custom regex in conjunction with the regex on the
> dovecot.org site. Neither are picked up by fail2ban and I'm trying to
> use an imminent attack against dovecot, going on now, to my advantage to
> see when I get the right regexp. Here are my current ones:
>
> failregex = .*dovecot: (?:pop3-login|imap-login):
> (?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth
> attempts)\):.*rip=<HOST>,.* <<< this is my custom
There is an extra space following "(?:Disconnected|Aborted login)" in
the above. There should be only one space, not two.
Note that fail2ban comes with a fail2ban-regex command for testing
regexps against logs or log lines.
> (?: pop3-login|imap-login): (?:Authentication
> failure|Aborted login \(auth failed|Aborted login \(tried to use
> disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from
> dovecot.org
> .*warning:.\S*\[(?P<host>)\]:
> SASL.(?:PLAIN|LOGIN).authentication failed:.*
>
> Here is the current attack:
>
> Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12
--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan
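Added example (not from the thread, and not fail2ban's own code): a small stand-in for fail2ban-regex that compiles Jerrale's custom failregex, once with the double space Mark points out and once with a single space, and runs both over constructed log lines modelled on the one quoted above. It assumes fail2ban expands `<HOST>` to `(?:::f{4,6}:)?(?P<host>\S+)` before compiling.

```python
import re

# Assumption: the group fail2ban substitutes for the <HOST> tag before
# compiling a failregex; the host is then read from the "host" group.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed sample lines, modelled on the pop3-login line quoted in the thread.
# The third line is a successful login and must never be matched.
SAMPLE_LOG = [
    "Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12",
    "Jun 10 17:18:12 mail dovecot: imap-login: Aborted login (no auth attempts): "
    "user=<>, rip=198.51.100.7, lip=173.50.101.12",
    "Jun 10 17:18:15 mail dovecot: imap-login: Login: "
    "user=<alice>, method=PLAIN, rip=203.0.113.5, lip=173.50.101.12",
]

# The custom failregex as posted, with two spaces after the login-process group ...
BROKEN = (r".*dovecot: (?:pop3-login|imap-login):  (?:Disconnected|Aborted login) "
          r"\((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*")
# ... and the same regex with the single space the log line actually contains.
FIXED = (r".*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login) "
         r"\((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*")


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(failregex, lines):
    """Return the rip= hosts a failregex would extract, one per matching line."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        # The posted regex starts with ".*", so search() and match() behave alike here.
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, rx in (("broken (two spaces)", BROKEN), ("fixed (one space)", FIXED)):
        print(name, "->", matched_hosts(rx, SAMPLE_LOG))
```

With the double space no line matches at all, which is exactly the "fail2ban never picks it up" symptom; with one space the two failed-login lines yield 113.12.82.71 and 198.51.100.7 and the successful login is ignored.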