Charles,
I haven't tested it with IMAP so I'm not sure. I was going to play with that later. It could also be modified to ban failed SASL SMTP auths as well. Here is the line in my /etc/fail2ban/filter.d/dovecot.conf file that makes it work:
failregex = (?: Disconnected|Aborted login).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
I have to use the "Disconnected" AND "Aborted login" to pick up 100% of failed pop3's. For some reason, some attacks only show "Disconnected" in the logs while the others show as "Aborted login". If I try to do a failed pop3 auth myself, I show as "Disconnected" but the dictionary attack the other day showed as "Aborted login".
Rodman
----- Original Message -----
From: "Charles Marcus" CMarcus@Media-Brokers.com
Cc: dovecot@dovecot.org
Sent: Friday, June 26, 2009 8:57 AM
Subject: Re: [Dovecot] Lots of pop3-logins
On 6/26/2009, Rodman Frowert (rodman@thefrowerts.com) wrote:
If anyone wants to see the fail2ban config file I am using for Dovecot, let me know...
Does it also work for IMAP logins? I'd like to see it regardless... thanks!
--
Best regards,
Charles
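
Added example (not part of the original thread, and not fail2ban's own code): the failregex quoted above, run with Python's re module over constructed Dovecot-style log lines to show which lines count as failures and how the ::ffff: prefix is stripped from the captured host. The log lines, the function names and the simple per-host threshold (standing in for fail2ban's maxretry, with no time window) are assumptions made for illustration.

```python
import re
from collections import Counter

# The failregex from the message, unchanged.
FAILREGEX = re.compile(
    r"(?: Disconnected|Aborted login).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"
)

# Constructed sample lines in the style of Dovecot login logging (not real log data).
SAMPLE_LOG = """\
Jun 26 08:01:10 mail dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.0.2.10
Jun 26 08:01:12 mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.0.2.10
Jun 26 08:01:15 mail dovecot: pop3-login: Disconnected: user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Jun 26 08:01:20 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.40, lip=192.0.2.10
Jun 26 08:01:21 mail dovecot: POP3(alice): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 26 08:01:30 mail dovecot: pop3-login: Aborted login: user=<root>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.0.2.10
""".splitlines()


def failed_hosts(lines):
    """Count failregex hits per captured host (hypothetical helper)."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            # The optional (?:::f{4,6}:)? group consumes the IPv4-mapped
            # prefix, so the host group holds the bare IPv4 address.
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry hits; a simplified stand-in for
    fail2ban's maxretry logic that ignores the findtime window."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for host, count in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

The successful "Login:" line and the post-login "Disconnected: Logged out" line are not counted: the first contains neither keyword, and the second has no rip= field for the host group to capture.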