[Dovecot] Fail2ban and logging
Paul van der Vlis
paul at vandervlis.nl
Wed Jul 17 16:23:31 EEST 2013
Hello Mark (and others),
On 16-07-13 05:00, Mark Sapiro wrote:
> On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
>>
>> Are you blocked when you login a few times with a wrong password?
>>
>> I expect your log will say something like "auth failed, 22 attempts in
>> 30 secs", and fail2ban will see that as 1 authentications error, so will
>> not block you.
>
>
> I am blocked. The log says
>
> Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 2 secs): user=<mark>, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=<cvam1pfhLwBi+Lrk>
>
> Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 6 secs): user=<mark>, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=<C3H81pfhMABi+Lrk>
>
> Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 10 secs): user=<mark>, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=<YEaR15fhNQBi+Lrk>
>
> Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=<hN1T2JfhNgBi+Lrk>
>
> Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=<jqqE2ZfhOwBi+Lrk>
>
>
> The difference may be that I am connecting to pop3s, port 995 with SSL,
> not port 110 with STARTTLS.
What wonders me is that every attempt is logged. With me the attemps are
counted together. I think it's not very important which port or
protocol is used.
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/
More information about the dovecot
mailing list