[Dovecot] Under POP attack - how to prevent?

James Brown jlbrown at bordo.com.au
Tue Jun 30 10:23:18 EEST 2009


On 05/06/2009, at 4:19 PM, James Brown wrote:

>
> Thanks to Curtis and others who replied.
>
> I managed to block the IP at our Firewall (learnt a few quirky  
> things about Astaro Security Gateway on the way!)
>
> In order to automate the process, Fail2Ban has been suggested. I  
> know this is getting a bit off topic, but has anyone installed in  
> Mac OS X 10.5.7? There is a how-to for 10.4 ( HOWTO Mac OS X Server  
> (10.4) - Fail2ban )- does this work unchanged in 10.5?
>
> Anyone managed to get Fail2Ban working on Leopard with Dovecot 1.2  
> RC4?

I'll answer my own question! There is an OS X Installer file at:

LSA Mac OS X Ported and Developed Software | LSA Information  
Technology | University of Michigan

Any regex experts out there that can help me set up Fail2Ban to stop  
this?

Jun  5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9

Many thanks,

James.
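
Added example, not part of the original post: a candidate Fail2Ban failregex for the log format quoted above, checked in Python (the regex dialect Fail2Ban uses) against unwrapped copies of the posted lines. The imap-login alternative, the IPv4-only stand-in for <HOST>, the function name and the threshold values are assumptions of this example; maxretry and findtime mirror Fail2Ban's option names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Candidate failregex (untested against Fail2Ban itself). <HOST> is Fail2Ban's
# placeholder for the address to ban. The greedy ".*" makes the match settle on
# the LAST "rip=", so text inside user=<...> cannot redirect the ban.
FAILREGEX = (r"dovecot(?:\[\d+\])?: (?:pop3|imap)-login: Aborted login "
             r"\(auth failed, \d+ attempts\): .*\brip=<HOST>,")

# Assumption: IPv4-only stand-in for Fail2Ban's own <HOST> expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
                     + FAILREGEX.replace("<HOST>", HOST))

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10), year=2009):
    """Return {ip: failures} for IPs with >= maxretry failures inside findtime."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # syslog lines carry no year, so one is supplied
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["host"]].append(stamp)
    banned = {}
    for ip, times in hits.items():
        times.sort()
        # Largest number of failures falling in any findtime-long window.
        best = max(sum(t - start <= findtime for t in times[i:])
                   for i, start in enumerate(times))
        if best >= maxretry:
            banned[ip] = best
    return banned

_T = ("Jun  5 11:48:{:02d} mail dovecot[2620]: pop3-login: Aborted login (auth "
      "failed, 1 attempts): user=<{}>, method=PLAIN, rip={}, lip=192.168.1.9")
# First five entries from the post, unwrapped onto single lines.
SAMPLE = [_T.format(s, u, "85.189.169.94") for s, u in
          [(20, "audrey"), (24, "august"), (24, "autumn"), (25, "austin"), (27, "audrey")]]
SAMPLE += [  # constructed lines: a decoy "rip=" in the user name, and a good login
    _T.format(40, "x, rip=192.0.2.1, y", "203.0.113.7"),
    "Jun  5 11:49:02 mail dovecot[2620]: pop3-login: Login: user=<james>, "
    "method=PLAIN, rip=198.51.100.4, lip=192.168.1.9",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

In a Fail2Ban filter file the FAILREGEX string goes on the failregex line as written, with <HOST> left in place.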

