[Dovecot] Fail2ban and logging

Mark Sapiro mark at msapiro.net
Tue Jul 16 06:00:14 EEST 2013


On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
> 
> Are you blocked when you login a few times with a wrong password?
> 
> I expect your log will say something like "auth failed, 22 attempts in
> 30 secs", and fail2ban will see that as 1 authentications error, so will
> not block you.


I am blocked. The log says

Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<cvam1pfhLwBi+Lrk>

Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 6 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<C3H81pfhMABi+Lrk>

Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 10 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<YEaR15fhNQBi+Lrk>

Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<hN1T2JfhNgBi+Lrk>

Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<jqqE2ZfhOwBi+Lrk>


The difference may be that I am connecting to pop3s, port 995 with SSL,
not port 110 with STARTTLS.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


More information about the dovecot mailing list