[Dovecot] Under POP attack - now to prevent?

Mark Sapiro mark at msapiro.net
Tue Jun 30 18:31:53 EEST 2009


On Tue, Jun 30, 2009 at 05:23:18PM +1000, James Brown wrote:
> 
> Any regex experts out there that can help me set up Fail2Ban to stop  
> this?
> 
> Jun  5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth  
> failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,  
> lip=192.168.1.9
[...]


Here's what I use which will get those and others.

[Definition]

failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:


That goes in /etc/fail2ban/filter.d/dovecotlogin.local, and in
/etc/fail2ban/jail.local I have

[dovecot-local]

enabled  = true
filter   = dovecotlogin
action   = iptables-allports[name=DOVECOT, protocol=all]
logpath  = /var/log/maillog


-- 
Mark Sapiro <mark at msapiro net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
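
Added example, not part of the original post: a Python check of the three failregex lines above against sample log lines, to confirm which lines would count toward a ban and which address is extracted. The HOST pattern is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, the function names are hypothetical, and every log line except the first (the one quoted in the thread, unwrapped) is constructed.

```python
import re

# The three failregex lines from the filter in the post.
FAILREGEX = [
    r"Aborted login \(.*\): .*rip=<HOST>,",
    r"Disconnected \(tried to use disabled.*\): .*rip=<HOST>,",
    r"warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:",
]

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Jun  5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun  5 11:49:02 mail dovecot[2620]: imap-login: Disconnected (tried to use disabled plaintext auth): rip=203.0.113.7, lip=192.168.1.9
Jun  5 11:50:10 mail postfix/smtpd[3011]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Jun  5 11:51:00 mail dovecot[2620]: pop3-login: Login: user=<audrey>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.9
"""


def offending_host(line):
    """Return the address captured by the first matching failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text):
    """Count matching lines per remote address, as fail2ban does before banning."""
    counts = {}
    for line in log_text.splitlines():
        host = offending_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{host}: {n} failure(s)")
```

On a host with fail2ban installed, the same check against the real log is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecotlogin.local`.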

