Re: [Dovecot] Under POP attack - now to prevent?
On 05/06/2009, at 4:19 PM, James Brown wrote:
Thanks to Curtis and others who replied.
I managed to block the IP at our Firewall (learnt a few quirky
things about Astaro Security Gateway on the way!)
In order to automate the process, Fail2Ban has been suggested. I
know this is getting a bit off topic, but has anyone installed in
Mac OS X 10.5.7? There is a how-to for 10.4 ( HOWTO Mac OS X Server
(10.4) - Fail2ban )- does this work unchanged in 10.5?
Anyone managed to get Fail2Ban working on Leopard with Dovecot 1.2
RC4?
I'll answer my own question! There is a OS X Installer file at:
LSA Mac OS X Ported and Developed Software | LSA Information
Technology | University of Michigan
Any regex experts out there that can help me set up Fail2Ban to stop
this?
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Many thanks,
James.
On Tue, Jun 30, 2009 at 05:23:18PM +1000, James Brown wrote:
Any regex experts out there that can help me set up Fail2Ban to stop
this?
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
[...]
Here's what I use which will get those and others.
[Definition]
failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:
That goes in /etc/fail2ban/filter.d/dovecotlogin.local, and in /etc/fail2ban/jail.local I have
[dovecot-local]
enabled = true
filter = dovecotlogin
action = iptables-allports[name=DOVECOT, protocol=all]
logpath = /var/log/maillog
--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan
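To see what the dovecotlogin filter actually catches before enabling the jail, here is the detection logic run over the lines James posted. This is an added example in Python, not code from fail2ban, Dovecot or either poster. Assumptions: the `<HOST>` expansion approximates what fail2ban 0.8 substitutes before compiling a failregex; the `maxretry`/`findtime` values and the year 2009 are stand-ins for what jail.conf and the clock would supply; the three extra log lines (a disabled-plaintext disconnect from a second host, a Postfix SASL failure, and one successful login) are constructed.

```python
"""Apply the dovecotlogin failregex patterns to log lines and emulate
fail2ban's findtime/maxretry ban decision.  Added example, not fail2ban code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a named group before compiling.  This is the
# 0.8-era expansion (optional IPv4-mapped prefix, then an address or hostname);
# the exact pattern is an assumption, the authoritative one is in fail2ban's filter.py.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three expressions from the dovecotlogin.local filter posted above.
FAILREGEX = [
    r"Aborted login \(.*\): .*rip=<HOST>,",
    r"Disconnected \(tried to use disabled.*\): .*rip=<HOST>,",
    r"warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# syslog timestamps carry no year; a real jail assumes the current one.
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Sample input: the eight lines from the thread plus three constructed lines.
SAMPLE_LOG = [
    "Jun  5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    "Jun  5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9",
    # constructed: second pattern, a different (single) offender
    "Jun  5 11:49:03 mail dovecot[2620]: pop3-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=10.0.0.5, lip=192.168.1.9",
    # constructed: third pattern, Postfix SASL failure from the same attacker
    "Jun  5 11:50:01 mail postfix/smtpd[3105]: warning: unknown[85.189.169.94]: SASL LOGIN authentication failed: authentication failure",
    # constructed: a successful login, which must not match anything
    "Jun  5 11:51:12 mail dovecot[2620]: pop3-login: Login: user=<audrey>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.9",
]


def parse_timestamp(line, year=2009):
    """Return the syslog timestamp at the start of LINE as a datetime, or None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def match_failure(line):
    """Return the offending host if LINE matches one of the failregex patterns."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines, maxretry=5, findtime=600, year=2009):
    """Emulate a jail: count matches per host inside a sliding findtime window
    and record when each host first reaches maxretry.  The defaults here are
    assumed; in a real install they come from jail.conf / jail.local."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of failures still in window
    failures = defaultdict(int)   # host -> total matched lines
    banned = {}                   # host -> timestamp of the ban decision
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        failures[host] += 1
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than findtime
            q.popleft()
        if host not in banned and len(q) >= maxretry:
            banned[host] = ts
    return {"failures": dict(failures), "banned": banned}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for host, n in result["failures"].items():
        status = result["banned"].get(host)
        print(f"{host:16} {n} failures" + (f", ban at {status:%H:%M:%S}" if status else ""))
```

With `maxretry = 5` the attacker is banned on the fifth line (11:48:27), the single disabled-plaintext disconnect from 10.0.0.5 stays below the threshold, and the successful login matches nothing. Note that the first two patterns key on `rip=` and the third on the bracketed host, so one jail covers both Dovecot and Postfix SASL failures in the same maillog, which is why the jail uses `iptables-allports` rather than a port-specific action.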