[Dovecot] fail2ban

Noel Butler noel.butler at ausics.net
Sat Oct 5 06:09:01 EEST 2013


On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
> For dovecot 2.1
> 
> as per wiki2,  is this still valid?  noticed a problem before and saw
> it does seem to be triggering, I use:
> 

Looks outdated.

> filter.d/dovecot.conf

That'll never work, you need to change

> [Definition]
> failregex = (?: pop3-login|imap-login): (?:Authentication
to

failregex = (?: pop3-login|imap-login): .*(?:Authentication
                                        ^^

BUT, then, with the rest of your regex, it will only partly match
because it's looking for ", something" like " ,TLS" at the end, which
won't appear on failed imap/pop3 logins that don't use TLS, etc. So any
failed attempts using TLS will be found; if they are not using it, they
will be missed (most miscreants likely won't be using it anyway).

I am NO Python expert, in fact, I know less than less about Python, so
you'll best need to wait for someone who knows the answer, or ask on
the fail2ban list, on how you can change that to match both, by changing
the last bit to
    \(auth failed).*rip=(?P<host>\S*) <some variable here to match on ,TLS or nothing at all>

In the meantime, you could repeat your failregex, like

failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)


I think that's horrible, messy, yukky, but it likely might work :)  at
least until you find a better answer. There are some fail2ban fanbois on
this list, but as it's the weekend, you may need to be patient.
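
Added example (not part of the original post, and not fail2ban's or Dovecot's own code): the two patterns from the reply run through Python's re module against constructed log lines, next to a single pattern that covers both cases. The SINGLE pattern, the helper names and the sample lines are assumptions made for this illustration.

```python
import re

# Alternation of failure messages, copied from the reply above.
PREFIX = (r"(?: pop3-login|imap-login): .*(?:Authentication failure|"
          r"Aborted login \(auth failed|Aborted login \(tried to use disabled|"
          r"Disconnected \(auth failed)")

# The two patterns from the reply: the first needs a comma after the
# address, the second does not.
WITH_COMMA = re.compile(PREFIX + r".*rip=(?P<host>\S*),.*")
NO_COMMA = re.compile(PREFIX + r".*rip=(?P<host>\S*)")

# Assumption (not from the thread): stop the host group at whitespace or a
# comma, so one pattern works whether or not anything follows rip=.
SINGLE = re.compile(PREFIX + r".*rip=(?P<host>[^\s,]+)")

# Constructed log lines using documentation addresses, not real Dovecot output.
TRAILING_FIELDS = ("Oct  5 06:00:01 mail dovecot: imap-login: Aborted login "
                   "(auth failed, 1 attempts): user=<alice>, method=PLAIN, "
                   "rip=192.0.2.10, lip=198.51.100.5, TLS")
ENDS_AT_RIP = ("Oct  5 06:00:02 mail dovecot: pop3-login: Disconnected "
               "(auth failed, 2 attempts): user=<bob>, method=PLAIN, "
               "rip=192.0.2.11")
SUCCESS = ("Oct  5 06:00:03 mail dovecot: imap-login: Login: user=<carol>, "
           "method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS")


def host(pattern, line):
    """Return the captured host for a line, or None if it does not match."""
    m = pattern.search(line)
    return m.group("host") if m else None


def first_match(patterns, line):
    """Try patterns in order and return the first captured host.
    Assumption: this models a failregex list tried top to bottom."""
    for p in patterns:
        h = host(p, line)
        if h is not None:
            return h
    return None


if __name__ == "__main__":
    for line in (TRAILING_FIELDS, ENDS_AT_RIP, SUCCESS):
        print(first_match([WITH_COMMA, NO_COMMA], line), host(SINGLE, line))
```

The order of the two repeated patterns matters: on a line with fields after rip=, the comma-less pattern alone captures the trailing comma as part of the host.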
