[Dovecot] Fail2Ban and the Dovecot log

Ed W lists at wildgooses.com
Tue May 12 18:54:23 EEST 2009


Lou Duchez wrote:
> This arrangement is designed to trap POP3 and IMAP separately, and 
> also to allow a high number of errors before temporarily "jailing" a 
> user.  This is to decrease the likelihood that a single user from a 
> single IP will get all his coworkers (temporarily) banned over an 
> honest mistake in configuration. 


I have noticed recent breaking attempts which appear to be a slow 
coordinated botnet using multiple IPs and trying a combination of SMTP + 
POP + IMAP (can't remember if it did both of the latter or just POP?). 

As a result I tried to combine all three into a single test.  Actually I 
did the wrong thing, but if you look through my previous posts you can 
see someone (Bill?) correct me and post the correct config for this.

I would recommend you be aware of this - in my case I was seeing less 
than a few attempts from a given IP in a 10 min period, but lots of what 
appeared to be coordinated attempts at the server level. (e.g. some 
servers were only trying a few logins per day, but across enough IP 
addresses this was fairly rapidly filling the logs)

Good luck

Ed W
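
An added example, not part of the original post or of Fail2Ban: a server-level check for the pattern described above, where each IP stays under a per-IP threshold while failures across SMTP, POP3 and IMAP add up. The log lines are constructed, and the function names and thresholds are assumptions; only the 10-minute window comes from the post.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample lines (simplified; real formats vary by version and config).
SAMPLE_LOG = """\
May 12 10:00:05 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1
May 12 10:01:40 mx postfix/smtpd[2101]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: authentication failure
May 12 10:03:12 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.20, lip=198.51.100.1
May 12 10:04:50 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1
May 12 10:05:00 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.1
May 12 10:06:30 mx postfix/smtpd[2140]: warning: unknown[203.0.113.6]: SASL LOGIN authentication failed: authentication failure
May 12 10:08:15 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ "
PATTERNS = [  # one regex per log source; each yields ts, svc and ip
    re.compile(TS + r"dovecot: (?P<svc>pop3|imap)-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
    re.compile(TS + r"postfix/(?P<svc>smtp)d\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
]

def parse_failures(text, year=2009):
    """Return sorted (time, service, ip) tuples, one per failed-login line."""
    events = []
    for line in text.splitlines():
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:  # syslog omits the year, so it is supplied by the caller
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((when, m["svc"], m["ip"]))
    return sorted(events)

def distributed_bursts(events, window=timedelta(minutes=10),
                       per_ip_max=3, total_min=6, min_ips=4):
    """Flag windows where no IP exceeds per_ip_max (a per-IP jail stays quiet)
    yet the server-wide failure count across all services reaches total_min."""
    recent, alerts = deque(), []
    for ev in events:
        recent.append(ev)
        while ev[0] - recent[0][0] > window:
            recent.popleft()
        per_ip = Counter(ip for _, _, ip in recent)
        if (len(recent) >= total_min and len(per_ip) >= min_ips
                and max(per_ip.values()) <= per_ip_max):
            alerts.append({"end": ev[0], "failures": len(recent), "ips": len(per_ip),
                           "services": sorted({svc for _, svc, _ in recent})})
            recent.clear()  # start a fresh window after alerting
    return alerts
```

On the sample, no address fails more than twice, so a per-IP limit of three never fires, while the combined view reports six failures from five addresses across all three services.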

