[Dovecot] Fail2ban

Mark Sapiro mark at msapiro.net
Fri Jun 11 01:04:30 EEST 2010


On 11:59 AM, Jerrale Gayle wrote:
> I have fail2ban working for EVERYTHING else except dovecot. I have tried
> using my own custom regex in conjunction with the regex on the
> dovecot.org site. Neither are picked up by fail2ban and I'm trying to
> use an imminent attack against dovecot, going on now, to my advantage to
> see when I get the right regexp. Here are my current ones:
> 
> failregex = .*dovecot: (?:pop3-login|imap-login):
> (?:Disconnected|Aborted login)  \((?:auth failed, .* attempts|no auth
> attempts)\):.*rip=<HOST>,.* <<< this is my custom


There is an extra space following "(?:Disconnected|Aborted login)" in
the above. There should be only one space, not two.

Note that fail2ban comes with a fail2ban-regex command for testing
regexps against logs or log lines.


>             (?: pop3-login|imap-login): (?:Authentication
> failure|Aborted login \(auth failed|Aborted login \(tried to use
> disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from
> dovecot.org
>             .*warning:.\S*\[(?P<host>)\]:
> SASL.(?:PLAIN|LOGIN).authentication failed:.*
> 
> Here is the current attack:
> 
> Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
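As an added illustration of the point in the reply above (this is not code from the original thread, from fail2ban or from dovecot.org): the poster's failregex with the doubled space and the same regex with a single space are run over the posted log line plus two constructed lines. The expansion of <HOST> is the one the fail2ban 0.8 series used; the two extra log lines (TEST-NET addresses, a "no auth attempts" disconnect and a successful login) are made up here to show the other branch of the regex and a line that must not be banned.

```python
import re

# fail2ban expands the <HOST> placeholder to this pattern (0.8-series definition);
# the optional prefix allows IPv4-mapped IPv6 addresses such as ::ffff:1.2.3.4.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The poster's custom failregex exactly as sent, including the second space after
# "(?:Disconnected|Aborted login)".
FAILREGEX_DOUBLE_SPACE = (
    r".*dovecot: (?:pop3-login|imap-login): "
    r"(?:Disconnected|Aborted login)  \((?:auth failed, .* attempts|no auth attempts)\):"
    r".*rip=<HOST>,.*"
)

# The same failregex with the extra space removed, as the reply suggests.
FAILREGEX_FIXED = (
    r".*dovecot: (?:pop3-login|imap-login): "
    r"(?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth attempts)\):"
    r".*rip=<HOST>,.*"
)

# Constructed sample log. The first line is the one quoted in the post; the other
# two are invented here (TEST-NET addresses) to exercise the "no auth attempts"
# branch and to confirm that a successful login is not matched.
SAMPLE_LOG = [
    "Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12",
    "Jun 10 17:19:02 mail dovecot: imap-login: Aborted login (no auth attempts): "
    "rip=192.0.2.10, lip=173.50.101.12",
    "Jun 10 17:20:15 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, "
    "rip=192.0.2.20, lip=173.50.101.12, TLS",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(failregex, lines):
    """Return the rip= address captured from every line the failregex matches.

    An empty list means fail2ban would never ban anyone with this regex, which is
    exactly the symptom described in the post.
    """
    regex = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = regex.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for label, pattern in (("double space", FAILREGEX_DOUBLE_SPACE),
                           ("single space", FAILREGEX_FIXED)):
        print(f"{label}: {match_hosts(pattern, SAMPLE_LOG)}")
```

The double-space pattern matches nothing, the single-space pattern reports the two attackers and leaves the successful login alone. The fail2ban-regex command mentioned in the reply performs the same check against a real log file or a single log line, so it is the quicker tool on a live server; the script above only makes the difference between the two patterns visible without fail2ban installed.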
