I've installed fail2ban, and it seems to be working as it identified my failed test logins, BUT, my question is:
what can I do when I see the same invalid name trying to log in to dovecot from a different IP each time? How can I say "block each IP used by this name"? Or is that a bad idea?
I can see two persistent attempts as so:
I don't have such user 'ignacio' or 'julian'
# grep ignacio.munoz /var/log/dovecot.log | wc
    178    3436   35624
# grep ignacio.munoz /var/log/dovecot.log | grep 'auth fail' | wc
    178    3436   35624

# grep julian /var/log/dovecot.log | wc
    178    3432   34321
# grep julian /var/log/dovecot.log | grep 'auth fail' | wc
    178    3432   34321
last 6 tries; sometimes they have just <ignacio.munoz>, sometimes with the tld:
Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<ignacio.munoz@aaa.com>, method=PLAIN, rip=157.122.183.218, lip=163.47.110.6, TLS, session=<Z4JniOdgkgCderfa>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<ignacio.munoz>, method=PLAIN, rip=60.172.162.2, lip=163.47.110.6, TLS, session=<CsdriudgWAA8rKIC>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in 10 secs): user=<ignacio.munoz@aaa.com>, method=PLAIN, rip=60.30.224.189, lip=163.47.110.6, TLS: Disconnected, session=<kvLWLelg0QA8HuC9>
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<ignacio.munoz>, method=PLAIN, rip=220.164.2.138, lip=163.47.110.6, TLS: Disconnected, session=<T7T5L+lgRADcpAKK>
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<ignacio.munoz@aaa.com>, method=PLAIN, rip=113.8.194.3, lip=163.47.110.6, TLS, session=<jfSgoOlgswBxCMID>
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<ignacio.munoz>, method=PLAIN, rip=58.210.119.226, lip=163.47.110.6, TLS, session=<moAVo+lg8gA60nfi>
-- Voytek
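As an added example (not part of Voytek's post or of fail2ban), a small Python script that parses Dovecot "auth failed" lines in the format quoted above, folds the bare and domain-qualified forms of a username onto one key, and reports usernames being tried from several distinct source IPs, which is the pattern a per-IP fail2ban jail never reaches its threshold on. The log lines and IP addresses embedded in it are constructed sample data.

```python
import re
from collections import defaultdict

# Matches the Dovecot imap-login "auth failed" disconnect lines quoted in the post.
AUTH_FAIL_RE = re.compile(
    r"imap-login: Info: Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+), lip=\S+"
)

def normalize_user(user: str) -> str:
    """Fold 'ignacio.munoz@aaa.com' and 'ignacio.munoz' onto one key (case-insensitive)."""
    return user.split("@", 1)[0].lower()

def distinct_sources_per_user(lines):
    """Return {user: set_of_remote_ips} built from every auth-failure line in `lines`."""
    sources = defaultdict(set)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            sources[normalize_user(m.group("user"))].add(m.group("rip"))
    return sources

def distributed_guessing(lines, min_ips=3):
    """Usernames whose failures came from at least `min_ips` different remote IPs,
    i.e. the 'same invalid name, different IP each time' pattern the post describes.
    Returns {user: sorted list of source IPs}."""
    return {u: sorted(ips) for u, ips in distinct_sources_per_user(lines).items()
            if len(ips) >= min_ips}

# Constructed sample log modelled on the format quoted in the post; IPs are documentation-range placeholders.
SAMPLE_LOG = """\
Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<ignacio.munoz@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.6, TLS, session=<a1>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<ignacio.munoz>, method=PLAIN, rip=203.0.113.11, lip=192.0.2.6, TLS, session=<a2>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in 10 secs): user=<ignacio.munoz@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.6, TLS: Disconnected, session=<a3>
Dec 22 18:59:00 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<julian>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.6, TLS, session=<a4>
Dec 22 19:00:00 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<julian>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.6, TLS, session=<a5>
Dec 22 19:05:00 imap-login: Info: Disconnected (auth failed, 2 attempts in 9 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.6, TLS, session=<a6>
""".splitlines()

if __name__ == "__main__":
    # Only ignacio.munoz is reported: three sources; julian and bob each come from one IP.
    for user, ips in distributed_guessing(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} distinct source IPs -> {', '.join(ips)}")
```

Feed it the real /var/log/dovecot.log to see which names are being sprayed across many hosts; a per-IP jail will not catch them because each source only fails once or twice.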