From: pedro@netsecpt.pt
Hi, I am having an issue with Dovecot. In the log files, the IMAP inactivity lines include the words "auth failed", which is not true. What happens next is that fail2ban is looking for those words too in Dovecot's log file, and when it finds them it bans my public IP address. Is there any chance to change this behaviour in Dovecot? What I mean is to insert "auth failed" only when it is in fact an authentication failure, and not use it as a general term for everything in the log file.
Putting aside the semantics that not supplying credentials before the timeout *is* an auth failure, I would think the best way to handle this is to change the pattern fail2ban triggers on to be more specific about what it considers an auth failure. If this is a typical log entry you want to avoid an automatic ban on:
dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user= ...
I would modify /etc/fail2ban/filter.d/dovecot.conf to limit it to 0-99 sec, like so:
failregex = ...( in \d{1,2} secs)...
Some BFD attempts will leak through, but it avoids triggering on any inactivity >99s.
Joseph Tam jtam.home@gmail.com
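As an added illustration (not code from either poster, and not fail2ban's own filter), the following Python check runs three candidate patterns over constructed Dovecot imap-login lines: a broad "auth failed" match of the kind that bans Pedro's address on the Inactivity line, Joseph's `\d{1,2} secs` duration limit, and an alternative that skips lines whose disconnect reason is Inactivity so that slow genuine failures are still counted. The regexes are simplified stand-ins for fail2ban's failregex (its `<HOST>` token is written here as a named group), and every log line, username and address is constructed for the example.

```python
import re

# Constructed sample Dovecot imap-login log lines (not taken from the thread).
# The first mirrors the Inactivity entry Joseph quoted; the others are made up.
SAMPLE_LOG = """\
Jan 10 12:00:00 mail dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Jan 10 12:00:05 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 7 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
Jan 10 12:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 120 secs): user=<alice>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.5, TLS
Jan 10 12:00:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.5, TLS
"""

# Stand-in for fail2ban's <HOST> token: a dotted IPv4 address captured by name.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Broad pattern: any "auth failed" disconnect counts, so the Inactivity line
# (a client that simply never sent credentials) bans its rip= address too.
BROAD = re.compile(
    r"imap-login: Disconnected.*\(auth failed, \d+ attempts in \d+ secs\).*rip=" + HOST
)

# Joseph's suggestion: only count sessions whose failures happened within 0-99 s.
# Inactivity timeouts run longer than that, so they no longer match; the cost is
# that a genuine failure spread over 100 s or more is ignored as well.
DURATION_LIMITED = re.compile(
    r"imap-login: Disconnected.*\(auth failed, \d+ attempts in \d{1,2} secs\).*rip=" + HOST
)

# Alternative (an assumption of this example, not from the thread): exclude the
# "Disconnected: Inactivity" reason explicitly with a negative lookahead, so the
# duration no longer matters and slow real failures are still counted.
EXCLUDE_INACTIVITY = re.compile(
    r"imap-login: Disconnected(?!: Inactivity).*\(auth failed, \d+ attempts in \d+ secs\).*rip=" + HOST
)

PATTERNS = {
    "broad": BROAD,
    "duration_limited": DURATION_LIMITED,
    "exclude_inactivity": EXCLUDE_INACTIVITY,
}


def matched_hosts(pattern: re.Pattern, log: str) -> list:
    """Return the rip= addresses a filter using `pattern` would count as failures."""
    hosts = []
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def compare(log: str = SAMPLE_LOG) -> dict:
    """Run every candidate pattern over the log and report which hosts each would ban."""
    return {name: matched_hosts(pat, log) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, hosts in compare().items():
        print(f"{name:>20}: {hosts}")
```

Running it shows the trade-off from the reply: the broad pattern bans the idle client's address, the duration-limited pattern drops both the Inactivity line and the slow 120-second failure, and the lookahead variant drops only the Inactivity line. Whichever pattern is adopted, running a check like this over a day of real logs before deploying it (fail2ban-regex serves the same purpose against the live filter) confirms the filter no longer fires on idle connections.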