[Dovecot] Fail2ban and logging
Paul van der Vlis
paul at vandervlis.nl
Mon Jul 15 19:09:15 EEST 2013
On 14-07-13 20:52, Mark Sapiro wrote:
> On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
>> Hello,
>>
>> Dovecot is logging authentication failures this way:
>> ------
>> Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
>> attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152,
>> lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
>> ------
>
>
> Is there a reason why you are allowing PLAIN text login
> (disable_plaintext_auth = no)?
I use STARTTLS, so it's not plaintext over the internet.
> I do not allow plaintext login and I get messages like:
>
> Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use
> disallowed plaintext auth): user=<>, rip=219.84.103.232,
> lip=72.52.113.38, session=<RBK6hFjhggDbVGfo>
>
> I also have
>
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
> }
>
> and for secure login failures I get messages like:
>
> Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 2 secs): user=<gpc>, method=APOP, rip=68.183.193.239,
> lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>
>
> and in fail2ban I have
>
> failregex = Aborted login \(.*\): .*rip=<HOST>,
>             Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
>             warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:
>
> I'm running Dovecot 2.2.4, but the above hasn't changed for a long time.
Are you blocked when you log in a few times with a wrong password?
I expect your log will say something like "auth failed, 22 attempts in
30 secs", and fail2ban will see that as 1 authentication error, so will
not block you.
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/
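
The counting question raised in this message, as an added example that is not part of the original thread: it parses Dovecot "auth failed" lines, then compares one-failure-per-line counting with counting weighted by the "N attempts" field. The log lines, addresses, the threshold of 5 and the helper names are constructed for illustration; the weighting is done in plain Python here and is not a fail2ban feature.

```python
import re
from collections import Counter

# Constructed sample lines in the Dovecot login-failure format quoted in the
# thread (documentation-range addresses, made-up session ids).
SAMPLE_LOG = [
    "Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): "
    "user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1, TLS, session=<aaaa>",
    "Jul 12 18:09:02 vps0 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): "
    "user=<gpc>, method=APOP, rip=192.0.2.20, lip=198.51.100.1, TLS, session=<bbbb>",
    "Jul 12 18:09:40 vps0 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 9 secs): "
    "user=<gpc>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.1, TLS, session=<cccc>",
    "Jul 12 18:10:00 vps0 dovecot: imap-login: Login: user=<info>, method=PLAIN, "
    "rip=192.0.2.30, lip=198.51.100.1, TLS, session=<dddd>",
]

# Matches both "Disconnected" and "Aborted login" failures and captures the
# attempt count that Dovecot aggregates into a single line.
AUTH_FAILED = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r".*\brip=(?P<host>[0-9A-Fa-f.:]+),"
)

def count_failures(lines):
    """Return (per_line, per_attempt) failure counters keyed by remote IP."""
    per_line, per_attempt = Counter(), Counter()
    for line in lines:
        m = AUTH_FAILED.search(line)
        if m:
            per_line[m["host"]] += 1                       # one hit per matching line
            per_attempt[m["host"]] += int(m["attempts"])   # hits weighted by attempts
    return per_line, per_attempt

def would_ban(counts, maxretry):
    """Hosts whose count reaches the threshold (all lines assumed within findtime)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    per_line, per_attempt = count_failures(SAMPLE_LOG)
    print("per line   :", dict(per_line), "->", would_ban(per_line, 5))
    print("per attempt:", dict(per_attempt), "->", would_ban(per_attempt, 5))
```

With these sample lines, the host that made 22 attempts in one connection stays under a threshold of 5 when each line counts once, and exceeds it only when the attempt count is taken into account.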