[Dovecot] Fail2Ban and the Dovecot log

Lou Duchez lou at paprikash.com
Tue May 12 21:13:27 EEST 2009


Ed W wrote:
> Lou Duchez wrote:
>> This arrangement is designed to trap POP3 and IMAP separately, and 
>> also to allow a high number of errors before temporarily "jailing" a 
>> user.  This is to decrease the likelihood that a single user from a 
>> single IP will get all his coworkers (temporarily) banned over an 
>> honest mistake in configuration. 
>
>
> I have noticed recent break-in attempts which appear to be a slow 
> coordinated botnet using multiple IPs and trying a combination of SMTP 
> + POP + IMAP (can't remember if it did both of the latter or just POP?).
> As a result I tried to combine all three into a single test.  Actually 
> I did the wrong thing, but if you look through my previous posts you 
> can see someone (Bill?) correct me and post the correct config for this.
>
> I would recommend you be aware of this - in my case I was seeing less 
> than a few attempts from a given IP in a 10 min period, but lots of 
> what appeared to be coordinated attempts at the server level. (e.g. some 
> servers were only trying a few logins per day, but across enough IP 
> addresses this was fairly rapidly filling the logs)
>
> Good luck
>
> Ed W
>

Thanks for the heads-up!  Okay then, perhaps the best solution is to 
make use of the "ignoreip" setting in jail.conf to protect known IP 
addresses, something like this:

[sasl-iptables]
enabled  = true
backend  = polling
filter   = sasl
action   = iptables[name=sasl, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime  = 1200

[dovecot-pop3]
enabled  = true
filter   = dovecot-pop3
action   = iptables[name=POP3, port=pop3, protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime  = 1200

[dovecot-imap]
enabled  = true
filter   = dovecot-imap
action   = iptables[name=IMAP, port=imap, protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.456.543.210/28 321.654.123.456
maxretry = 2
findtime = 1200
bantime  = 1200

Note that SMTP, POP3, and IMAP are all looking at the same log file, 
they all have the same ban parameters (more aggressive than previously 
proposed), and they all ignore the same IP ranges (in this case a local 
subnet, a range of public IPs, and one additional public IP).  Then in 
keeping with this, all three filter files (sasl.conf, dovecot-pop3.conf, 
and dovecot-imap.conf) would have identical configurations:


[Definition]

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: pop3-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*
            (?: pop3-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: imap-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*
            (?: imap-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*

ignoreregex =


So any failure at any of the three protocols (SMTP, POP3, IMAP) is 
considered a "strike" by all three, and they should all ban the same 
guys at the same time.  This is as yet untested, but seems like it 
should be pretty sound.
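The shared jail and filter from the post, replayed in a small Python simulation. This is an added example, not code from the post and not fail2ban's own engine: it compiles the seven failregex lines above, expands the `<HOST>` tag the way fail2ban does, applies the ignoreip list and the maxretry/findtime/bantime counters, and runs all of that over a few constructed syslog lines (the timestamps have no year, so strptime fills in 1900, which is fine for the deltas). It shows that one POP3 failure plus one SASL failure from the same address reaches the two-strike limit, that an address inside the ignored local subnet is never counted, and that two failures further apart than findtime do not add up.

```python
"""Simplified fail2ban-style replay of the combined SMTP/POP3/IMAP filter.

Illustrative only: the ban logic here is a reduced model of fail2ban's, and
the log lines are constructed samples, not real traffic.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag into this named group before compiling.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines from the post, one pattern per entry.
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Aborted login \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# Jail parameters from the post: two strikes within 20 minutes, 20-minute ban.
MAXRETRY = 2
FINDTIME = timedelta(seconds=1200)
BANTIME = timedelta(seconds=1200)
IGNOREIP = [ipaddress.ip_network("192.168.1.0/24")]  # local subnet from the post

# Constructed sample lines: one postfix SASL failure and several dovecot
# login records, using documentation address ranges.
SAMPLE_LOG = """\
May 12 20:01:02 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
May 12 20:01:30 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 12 20:03:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.168.1.20, lip=10.0.0.5
May 12 20:03:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.168.1.20, lip=10.0.0.5
May 12 20:04:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5
May 12 20:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.42, lip=10.0.0.5
May 12 20:40:00 mail dovecot: pop3-login: Authentication failure: user=<dave>, rip=198.51.100.42, lip=10.0.0.5
"""


def match_failure(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host):
    """True if the host falls inside one of the ignoreip networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def parse_time(line):
    # Syslog timestamps carry no year; strptime fills in 1900, fine for deltas.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def run_jail(log_text):
    """Replay the log; return {host: ban_start} for hosts that hit maxretry."""
    strikes = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None or is_ignored(host):
            continue
        ts = parse_time(line)
        if host in bans and ts < bans[host] + BANTIME:
            continue  # still banned; iptables would have dropped the connection
        # Keep only the strikes that fall inside the findtime window.
        strikes[host] = [t for t in strikes[host] if ts - t <= FINDTIME] + [ts]
        if len(strikes[host]) >= MAXRETRY:
            bans[host] = ts
            strikes[host] = []
    return bans


if __name__ == "__main__":
    for host, started in run_jail(SAMPLE_LOG).items():
        print(f"ban {host} from {started.time()} for {BANTIME}")
```

Because every jail in the post uses the same filter and the same counters, a real deployment would ban 203.0.113.7 on the SMTP, POP3 and IMAP ports at the same moment; the simulation collapses those three iptables actions into one ban record.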