lua policy for Weakforce and web mail failed login attempts
The good news is I believe I got Weakforce running:
curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:ourpassword
{"status":"ok"}
after running the sample for loop:
for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data '{"login":"ahu", "remote": "127.0.0.1", "pwhash":"1234'$a'", "success":"false"}' http://127.0.0.1:8084/?command=report -u wforce:ourpassword; done
The result is:
{"status":"ok"}{"status":"ok"}{"status":"ok"}{
- So checking the stats:
curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword
{"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1", "stats": {"OneHourDB": {"diffFailedPasswords": 93}}}
Notice the 93.
- the reset works but I believe there's a bug in getDBStats v2.0.0 where "blacklisted" is always shown:
curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword
{"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1", "stats": {"OneHourDB": {"diffFailedPasswords": 0}}}
- wforce -c
Read configuration from '/usr/local/etc/wforce.conf'
Connecting to 127.0.0.1:4004
stats()
101 reports, 0 allow-queries (0 denies)
The 3 big questions I have:
a: how do I know IPs are being banned/rejected? Is there an alert creation or a way to see in the logs that the rules are in effect?
b: since I installed via Git and ran "make", how do I get wforce --daemon to start on reboot? Is there a systemd file available?
c: How do I create a lua policy that would catch these web dovecot login attempts?
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= user@ourserver.ourdomain.edu rhost=177.72.0.158
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user rhost=213.156.111.236
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= nobody@ourserver.ourdomain.edu rhost=79.106.35.59
Feb 27 08:27:27 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=95.38.212.65 user=nobody
Feb 27 08:27:27 ourserver auth[16831]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= ouruser@ourserver.ourdomain.edu rhost=80.78.70.1
Feb 27 08:31:33 ourserver auth[17875]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser rhost=45.225.236.198 user=ouruser
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= nobody@ourserver.ourdomain.edu rhost=37.205.81.41
Feb 27 09:32:42 ourserver auth[32689]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=201.148.100.198 user=nobody
Feb 27 09:32:42 ourserver auth[32689]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= otheruser@ourserver.ourdomain.edu rhost=177.69.145.193
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=otheruser rhost=175.143.51.221
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= yetanotheruser@ourserver.ourdomain.edu rhost=162.245.81.231
Feb 27 09:47:56 ourserver auth[4048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=yetanotheruser rhost=83.243.88.236 user=yetanotheruser
Feb 27 20:44:41 ourserver auth[5828]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser rhost=166.171.184.200 user=ouruser
Participants (1): Robert Kudyba
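One way to feed the PAM failure lines quoted in the post into wforce is a small log bridge that turns each pam_unix(dovecot:auth) failure into the same ?command=report body the curl loop above sends. This is an added example, not code from the post or from the wforce project; it assumes the endpoint and wforce:ourpassword credentials shown above, uses constructed sample lines with documentation-range IPs, and leaves pwhash empty because syslog never contains the password, so a policy fed this way can only count failures per IP or login.

```python
import json
import re
from base64 import b64encode
from urllib.request import Request, urlopen

# Constructed sample lines shaped like the pam_unix(dovecot:auth) entries in the post.
SAMPLE_LOG = """\
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= user@ourserver.ourdomain.edu rhost=192.0.2.10
Feb 27 08:27:27 ourserver auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=192.0.2.20 user=nobody
"""

# Both failure layouts in the post: "ruser= <name> rhost=IP" and "ruser=<name> rhost=IP user=<name>".
FAILURE_RE = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*?"
    r"ruser=(?P<ruser>\S*)(?: (?P<bare>[^ =]+))? rhost=(?P<rhost>\S+)"
    r"(?: user=(?P<user>\S+))?"
)

def parse_failure(line):
    """Return (login, remote_ip) for a dovecot PAM failure line, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    login = m.group("user") or m.group("ruser") or m.group("bare") or ""
    return login, m.group("rhost")

def build_report(line):
    """Report body with the post's curl fields. pwhash stays empty: syslog never carries
    the password, so this feed counts failures per IP/login, not diffFailedPasswords."""
    parsed = parse_failure(line)
    if parsed is None:
        return None
    login, remote = parsed
    return {"login": login, "remote": remote, "pwhash": "", "success": "false"}

def reports_from_log(text):
    return [r for r in map(build_report, text.splitlines()) if r is not None]

def send_report(report, url="http://127.0.0.1:8084/?command=report",
                user="wforce", password="ourpassword"):
    """POST one report with HTTP basic auth, equivalent to curl -u wforce:ourpassword."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, data=json.dumps(report).encode(), method="POST",
                  headers={"Content-Type": "application/json",
                           "Authorization": f"Basic {token}"})
    with urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())

REPORTS = reports_from_log(SAMPLE_LOG)  # pass each to send_report() against a live wforce
```

The "check pass; user unknown" and pam_succeed_if lines are deliberately skipped, since only the "authentication failure" line carries both the login and the rhost.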