WJCarpenter wrote:
Is there any option available for me to help inhibit/prevent brute-force login attempts?
I (and many others) use fail2ban. It works outside of dovecot, et al, by tailing your log files. When it finds a configurable
Just to document that solution. This watches postfix AND dovecot logs since I found botnets slowly trying both alternately.
Create filter.d/mail.conf
>>>>>>>>>>>
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Match:
# Mar 2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
# Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
# Mar 2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:
#
# Both patterns go under a single failregex key as continuation lines (a second
# "failregex =" key would replace the first). The postfix sample line above
# continues after "failed:", so trailing text is allowed before the end anchor.
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?::.*)?$
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
>>>>>>>>>>>>
Then in jail.conf add lines like:
[mail-iptables]
enabled = true
filter = mail
action = iptables-multiport-log[name=mail, port="smtp,smtps,submission,imap,imaps,pop3,pop3s", protocol=tcp]
         sendmail-whois[name=mail, dest=postmaster@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/mail.log
bantime = 3600
Hope this helps
Ed W
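To check a filter like the one above before wiring it into jail.conf (fail2ban ships fail2ban-regex for exactly this), here is an added example that is not part of the original post: it expands `<HOST>` the way the filter header describes, runs the two failregexes over constructed log lines (the three samples from the filter header, a second postfix failure with a reason after "failed:", and a successful dovecot login that must not match) and counts failures per host. The `load_filter`, `count_failures` and `run_check` names are mine, not fail2ban's.

```python
import configparser
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this group (quoted from the filter header).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# The [Definition] part of filter.d/mail.conf, embedded so the check runs offline.
MAIL_FILTER = r"""[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?::.*)?$
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$
ignoreregex =
"""
# Constructed sample lines: the three from the filter header, a second postfix
# failure carrying a reason after "failed:", and a normal login that must not match.
SAMPLE_LOG = [
    "Mar 2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch",
    "Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user",
    "Mar 2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:",
    "Mar 2 14:45:20 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL LOGIN authentication failed: authentication failure",
    "Mar 2 14:46:01 mail1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.1",
]

def load_filter(text):
    # Parse the filter the way fail2ban does: one regex per line, <HOST> expanded.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    def compile_list(key):
        raw = cp.get("Definition", key, fallback="")
        return [re.compile(line.replace("<HOST>", HOST_TAG))
                for line in raw.splitlines() if line.strip()]
    return compile_list("failregex"), compile_list("ignoreregex")

def count_failures(lines, failregexes, ignoreregexes):
    # Returns (failures per host, lines that no failregex matched).
    hits, missed = Counter(), []
    for line in lines:
        if any(r.search(line) for r in ignoreregexes):
            continue          # fail2ban drops these before trying failregex
        for r in failregexes:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break
        else:
            missed.append(line)
    return hits, missed

def run_check():
    failregexes, ignoreregexes = load_filter(MAIL_FILTER)
    return count_failures(SAMPLE_LOG, failregexes, ignoreregexes)
```

Any line that lands in the "missed" list but should ban is a regex you need to widen before it goes into production; the successful login must stay there.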