[Dovecot] Fail2Ban and the Dovecot log
Lou Duchez
lou at paprikash.com
Tue May 12 22:10:17 EEST 2009
Ed W wrote:
> Lou Duchez wrote:
>> So any failure at any of the three protocols (SMTP, POP3, IMAP) is
>> considered a "strike" by all three, and they should all ban the same
>> guys at the same time. This is as yet untested, but seems like it
>> should be pretty sound.
>
>
> I think you only need one service and you can use the iptables-multi
> (or something similar) to block all the ports if you get a hit?
>
> Ed W
>
!!!
Just when I think I've achieved ultimate perfection on this, someone
comes along with a great idea. Thanks!
So I guess we take out the "sasl-iptables" part of jail.conf and replace
it with:

[smtppop3imap]
enabled = true
filter = smtppop3imap
action = iptables-multiport[name=smtppop3imap, port="smtp,pop3,imap", protocol=tcp]
logpath = /var/log/maillog
ignoreip = 192.168.1.0/24 123.123.123.123/27 234.234.234.234
maxretry = 2
findtime = 1200
bantime = 1200

smtppop3imap.conf is as previously described:

[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
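
An offline check of the two failregex lines and the jail thresholds above, as an added example that is not part of the original post. The `<HOST>` substitute is a simplified assumption, the log lines are constructed, and the helper names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's <HOST> tag (assumption; the real expansion is broader).
HOST = r"(?P<host>[\w.:-]+)"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
)]
# Jail settings from the post; strict=False because 123.123.123.123/27 has host bits set.
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in "192.168.1.0/24 123.123.123.123/27 234.234.234.234".split()]
MAXRETRY, FINDTIME = 2, 1200

def failed_host(line):
    """Return the client address if the line matches either failregex, else None."""
    hits = (rx.search(line) for rx in FAILREGEX)
    return next((m.group("host") for m in hits if m), None)

def ignored(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname or empty capture: ignoreip cannot cover it here
        return False
    return any(addr in net for net in IGNOREIP)

def hosts_to_ban(events):
    """events: (epoch_seconds, log_line) pairs in time order; returns hosts in ban order."""
    recent, banned = defaultdict(list), []
    for ts, line in events:
        host = failed_host(line)
        if host is None or host in banned or ignored(host):
            continue
        # Keep only this host's strikes inside the findtime window, SMTP and POP3/IMAP alike.
        recent[host] = [t for t in recent[host] if ts - t <= FINDTIME] + [ts]
        if len(recent[host]) >= MAXRETRY:
            banned.append(host)
    return banned

# Constructed sample lines (not from a real log); addresses are documentation ranges.
SAMPLE = [
    (0, "May 12 22:00:00 mx postfix/smtpd[411]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure"),
    (60, "May 12 22:01:00 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10"),
    (90, "May 12 22:01:30 mx dovecot: imap-login: Login: user=<amy>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10"),
    (200, "May 12 22:03:20 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<c>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10"),
    (2000, "May 12 22:33:20 mx postfix/smtpd[502]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure"),
]
```

Calling `hosts_to_ban(SAMPLE)` bans only the host that fails once over SMTP and once over POP3 inside the window. On a live system, fail2ban's own `fail2ban-regex` tool runs the filter against the real log.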