[Dovecot] Fail2Ban and the Dovecot log

Lou Duchez lou at paprikash.com
Tue May 12 11:32:06 EEST 2009 

> Maybe there could be a page in the dovecot wiki about Fail2Ban?  A 
> definitive Dovecot / Fail2ban resource would be useful.  (If nobody 
> else creates one in a week, perhaps I will.  But I have to perfect my 
> Fail2banning first ...)

I couldn't figure out how to add new pages to wiki.dovecot.org, but here 
is what I have come up with for an easy Fail2ban recipe:

---

Configuring Fail2Ban with Dovecot


1)   Make sure your dovecot "log_path" string is empty, in other words 
allow syslog to do your Dovecot logging (into the default mail log).  
This ensures that the log entries will be in a format Fail2ban can work 
with.


2)   In your Fail2ban "jail.conf" file (most likely 
/etc/fail2ban/jail.conf), add entries like the following:

[dovecot-pop3]
enabled  = true
filter   = dovecot-pop3
action   = iptables[name=POP3, port=pop3, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
bantime  = 1200

[dovecot-imap]
enabled  = true
filter   = dovecot-imap
action   = iptables[name=IMAP, port=imap, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
bantime  = 1200

This arrangement is designed to trap POP3 and IMAP separately, and also 
to allow a high number of errors before temporarily "jailing" a user.  
This is to decrease the likelihood that a single user from a single IP 
will get all his coworkers (temporarily) banned over an honest mistake 
in configuration.


3)   Create a jail called dovecot-pop3.conf (most likely as 
/etc/fail2ban/filter.d/dovecot-pop3.conf):

[Definition]

failregex = (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*
            (?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*

ignoreregex =


4)   Create a jail called dovecot-imap3.conf (most likely as 
/etc/fail2ban/filter.d/dovecot-imap.conf):

[Definition]

failregex = (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: imap-login: Aborted login).*rip=(?P<host>\S*),.*
            (?: imap-login: Disconnected).*rip=(?P<host>\S*),.*

ignoreregex =


5)   Restart Fail2ban.

More information about the dovecot mailing list