[Dovecot] Fail2Ban and the Dovecot log
Lou Duchez
lou at paprikash.com
Tue May 12 21:13:27 EEST 2009
Ed W wrote:
> Lou Duchez wrote:
>> This arrangement is designed to trap POP3 and IMAP separately, and
>> also to allow a high number of errors before temporarily "jailing" a
>> user. This is to decrease the likelihood that a single user from a
>> single IP will get all his coworkers (temporarily) banned over an
>> honest mistake in configuration.
>
>
> I have noticed recent break-in attempts which appear to be a slow
> coordinated botnet using multiple IPs and trying a combination of SMTP
> + POP + IMAP (can't remember if it did both of the latter or just POP?).
> As a result I tried to combine all three into a single test. Actually
> I did the wrong thing, but if you look through my previous posts you
> can see someone (Bill?) correct me and post the correct config for this.
>
> I would recommend you be aware of this - in my case I was seeing less
> than a few attempts from a given IP in a 10 min period, but lots of
> what appeared to be coordinated attempts at the server level. (e.g. some
> servers were only trying a few logins per day, but across enough IP
> addresses this was fairly rapidly filling the logs)
>
> Good luck
>
> Ed W
>
Thanks for the heads-up! Okay then, perhaps the best solution is to
make use of the "ignoreip" setting in jail.conf to protect known IP
addresses, something like this:
[sasl-iptables]
enabled = true
backend = polling
filter = sasl
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime = 1200

[dovecot-pop3]
enabled = true
filter = dovecot-pop3
action = iptables[name=POP3, port=pop3, protocol=tcp]
logpath = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime = 1200

[dovecot-imap]
enabled = true
filter = dovecot-imap
action = iptables[name=IMAP, port=imap, protocol=tcp]
logpath = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime = 1200
Note that SMTP, POP3, and IMAP are all looking at the same log file,
they all have the same ban parameters (more aggressive than previously
proposed), and they all ignore the same IP ranges (in this case a local
subnet, a range of public IPs, and one additional public IP). Then in
keeping with this, all three filter files (sasl.conf, dovecot-pop3.conf,
and dovecot-imap.conf) would have identical configurations:
[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: pop3-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*
            (?: pop3-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: imap-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*
            (?: imap-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
So any failure at any of the three protocols (SMTP, POP3, IMAP) is
considered a "strike" by all three, and they should all ban the same
guys at the same time. This is as yet untested, but seems like it
should be pretty sound.
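Since the combined filter above is described as untested, the following added example (not part of Lou's post or of fail2ban itself) replays the posted failregex lines over a few constructed maillog entries the way a single jail with maxretry = 2 and findtime = 1200 would see them: every SMTP, POP3 or IMAP failure counts as a strike for the host, strikes older than findtime fall out of the window, and hosts matched by ignoreip are counted but never banned. The expansion of `<HOST>` to `(?:::f{4,6}:)?(?P<host>\S+)` is fail2ban's 0.8-era substitution and is an assumption here; the log lines, the documentation-range IPs and the ignoreip list are all constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The seven failregex lines from the post, one regex per entry as fail2ban reads them.
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]

# Assumption: fail2ban 0.8 expands the <HOST> placeholder to this named group.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed ignoreip list (RFC 5737 / private ranges), standing in for the post's values.
IGNOREIP = ["192.168.1.0/24", "198.51.100.0/28"]

# Constructed maillog lines: one SMTP and one POP3 failure from 203.0.113.5 three
# minutes apart, two IMAP failures from an ignored LAN host, one successful login,
# and two failures from 198.51.100.77 more than findtime apart.
SAMPLE_LOG = """\
May 12 21:00:01 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 12 21:03:14 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 12 21:05:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.168.1.23, lip=192.0.2.10
May 12 21:06:02 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.168.1.23, lip=192.0.2.10
May 12 21:07:55 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10
May 12 21:10:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10
May 12 22:15:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10
""".splitlines()

# Syslog timestamp at the start of each line; the year is not logged, so we pin it.
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def parse_ts(line, year=2009):
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S") if m else None


def extract_host(line, regexes):
    """Return the offending IP if any failregex matches the line, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host, ignoreip):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparsable host can never match ignoreip
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def would_ban(lines, ignoreip, maxretry=2, findtime=1200, regexes=None):
    """Replay log lines as one jail would: count failures per host inside a
    sliding findtime window and ban a host at maxretry failures unless it is
    in ignoreip. Returns (banned hosts in ban order, raw failure count per host)."""
    regexes = regexes or compile_failregex(FAILREGEX)
    window = timedelta(seconds=findtime)
    recent, counts, banned = defaultdict(list), defaultdict(int), []
    for line in lines:
        host = extract_host(line, regexes)
        if host is None:
            continue
        counts[host] += 1
        ts = parse_ts(line)
        if ts is None or host in banned or is_ignored(host, ignoreip):
            continue
        # keep only failures still inside the window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned, dict(counts)


if __name__ == "__main__":
    banned, counts = would_ban(SAMPLE_LOG, IGNOREIP)
    print("failures per host:", counts)
    print("would be banned:", banned)
```

With these inputs only 203.0.113.5 is banned: its SMTP strike and POP3 strike land in one jail's window, which is exactly the cross-protocol counting the combined filter is meant to achieve. The LAN host reaches two strikes but is protected by ignoreip, and 198.51.100.77 shows the other side of the trade-off Ed describes: a host spacing its attempts more than findtime apart never trips maxretry, so a slow botnet needs a longer findtime or a separate slow-rate jail rather than a lower maxretry.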