[Dovecot] login processes from attacks staying for hours

Kai Schaetzl maillists at conactive.com
Wed Jul 23 18:08:07 EEST 2008


Charles Marcus wrote on Wed, 23 Jul 2008 10:30:30 -0400:

> The best answer is to use a tool made for this kind of job, like fail2ban.

I found a few fail2ban definitions on the web, but all seem to be either 
very outdated or plain wrong for RHEL/CentOS. I've come so far as to this 
with the regex for dovecot on CentOS 5 (scanning /var/log/secure). Do you 
think that's correct?

failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>$

log line to be matched:
Jul 23 16:42:26 chacha dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
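An added check of the posted failregex against constructed /var/log/secure lines (not part of the original thread): it shows that the parentheses in pam_unix(dovecot:auth) must be escaped to match literally, and that fail2ban's `<HOST>` expansion strips the `::ffff:` prefix from IPv4-mapped addresses. The `<HOST>` pattern and the timestamp stripping are assumptions approximating fail2ban 0.8-era behaviour.

```python
import re

# Constructed sample lines in the /var/log/secure format quoted in the post.
SAMPLE_LINES = [
    "Jul 23 16:42:26 chacha dovecot-auth: pam_unix(dovecot:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1",
    "Jul 23 16:42:31 chacha dovecot-auth: pam_unix(dovecot:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10",
    "Jul 23 16:42:40 chacha dovecot: imap-login: Login: user=<kai>, "
    "method=PLAIN, rip=192.0.2.10",
]

# The regex with unescaped parentheses: "(dovecot:auth)" is a capture group,
# so it requires the literal text "pam_unixdovecot:auth" and never matches.
POSTED_UNESCAPED = (r"dovecot-auth: pam_unix(dovecot:auth): authentication failure; .* "
                    r"rhost=<HOST>$")
# Same regex with the parentheses escaped so they match the log text literally.
POSTED_ESCAPED = (r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* "
                  r"rhost=<HOST>$")

# Assumption: fail2ban 0.8-era <HOST> expansion. The optional group swallows the
# IPv4-mapped "::ffff:" prefix so the named group holds the plain address.
HOST_TOKEN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Assumption: fail2ban cuts the syslog timestamp out before searching the line.
SYSLOG_TS = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(failregex):
    """Expand the <HOST> token the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TOKEN))


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        body = SYSLOG_TS.sub("", line, count=1)
        m = rx.search(body)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("unescaped:", matched_hosts(POSTED_UNESCAPED, SAMPLE_LINES))  # []
    print("escaped:  ", matched_hosts(POSTED_ESCAPED, SAMPLE_LINES))    # ['127.0.0.1', '192.0.2.10']
```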
