[Dovecot] Fail2ban and logging

Mark Sapiro mark at msapiro.net
Sun Jul 14 21:52:32 EEST 2013


On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
> Hello,
> 
> Dovecot is logging authentication failures this way:
> ------
> Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
> attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152,
> lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
> ------


Is there a reason why you are allowing PLAIN text login
(disable_plaintext_auth = no)?

I do not allow plaintext login and I get messages like:

Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use
disallowed plaintext auth): user=<>, rip=219.84.103.232,
lip=72.52.113.38, session=<RBK6hFjhggDbVGfo>

I also have

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}

and for secure login failures I get messages like:

Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=<gpc>, method=APOP, rip=68.183.193.239,
lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>

and in fail2ban I have

failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:

I'm running Dovecot 2.2.4, but the above hasn't changed for a long time.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
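
Added example, not part of the original post: a Python check that runs the three failregex lines quoted above against the log lines quoted in this thread and reports which ones yield a host to ban. The `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's own, the sample names are hypothetical, and the Postfix line is constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only);
# fail2ban's own expansion also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex lines from the post, unchanged.
FAILREGEX = [
    r"Aborted login \(.*\): .*rip=<HOST>,",
    r"Disconnected \(tried to use disabled.*\): .*rip=<HOST>,",
    r"warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:",
]

# Log lines quoted in the thread, re-joined to one line each as syslog writes
# them. The last entry is constructed for this example, not taken from the thread.
SAMPLES = {
    "plain_auth_failed":
        "Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>",
    "plaintext_disallowed":
        "Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=219.84.103.232, lip=72.52.113.38, session=<RBK6hFjhggDbVGfo>",
    "apop_aborted":
        "Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<gpc>, method=APOP, rip=68.183.193.239, lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>",
    "postfix_sasl":
        "Jul 14 11:40:01 sbh16 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
}

def compile_failregex(patterns):
    # Expand the <HOST> tag the way a filter would before compiling.
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def offending_host(line, compiled):
    """Return (pattern index, host) for the first failregex that matches, else None."""
    for i, rx in enumerate(compiled):
        m = rx.search(line)
        if m:
            return i, m.group("host")
    return None

def coverage(samples=SAMPLES, patterns=FAILREGEX):
    """Map each sample name to its (pattern index, host) hit, or None if unmatched."""
    compiled = compile_failregex(patterns)
    return {name: offending_host(line, compiled) for name, line in samples.items()}

if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{name:22} {hit or 'NOT MATCHED'}")
```

A line reported as NOT MATCHED would not count toward a ban with these patterns. The second pattern looks for "tried to use disabled" while the quoted log line reads "tried to use disallowed", and the "Disconnected (auth failed, ...)" line from the original question has no pattern covering it.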

