[Dovecot] Fail2Ban and the Dovecot log

Lou Duchez lou at paprikash.com
Tue May 12 22:10:17 EEST 2009


Ed W wrote:
> Lou Duchez wrote:
>> So any failure at any of the three protocols (SMTP, POP3, IMAP) is 
>> considered a "strike" by all three, and they should all ban the same 
>> guys at the same time.  This is as yet untested, but seems like it 
>> should be pretty sound.
>
>
> I think you only need one service and you can use the iptables-multi 
> (or something similar) to block all the ports if you get a hit?
>
> Ed W
>

!!!

Just when I think I've achieved ultimate perfection on this, someone 
comes along with a great idea.  Thanks!

So I guess we take out the "sasl-iptables" part of jail.conf and replace 
it with:

[smtppop3imap]
enabled  = true
filter   = smtppop3imap
action   = iptables-multiport[name=smtppop3imap, port="smtp,pop3,imap", protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.123.123.123/27 234.234.234.234
maxretry = 2
findtime = 1200
bantime  = 1200


smtppop3imap.conf is as previously described:

[Definition]

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

ignoreregex =
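One way to sanity-check the filter and jail settings above before turning the jail on is to run the two failregex lines over a handful of log lines and see which hosts would cross maxretry. The script below is an added example for this thread, not Lou's configuration or fail2ban's own code. It assumes fail2ban 0.8's expansion of the <HOST> tag (HOST_TAG below), uses constructed Postfix and Dovecot 1.x log lines with documentation addresses, and ignores the findtime window (it just counts matches per host).

```python
import re
import ipaddress

# fail2ban 0.8's expansion of the <HOST> tag (assumption: taken from its
# filter.py; the second failregex names the group itself, so it is left alone).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from smtppop3imap.conf, rejoined onto single lines.
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]

# ignoreip and maxretry as in the jail.conf stanza above.
IGNOREIP = ["192.168.1.0/24", "123.123.123.123/27", "234.234.234.234"]
MAXRETRY = 2

# Constructed sample of /var/log/maillog: two Postfix SASL failures from one
# host, one POP3 failure, two IMAP failures from a LAN host, one successful
# login and one plain connect line (the last two must not match).
SAMPLE_LOG = [
    "May 12 21:03:11 mail postfix/smtpd[4321]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "May 12 21:03:40 mail postfix/smtpd[4321]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure",
    "May 12 21:04:02 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1",
    "May 12 21:05:30 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.0.2.1",
    "May 12 21:05:45 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.0.2.1",
    "May 12 21:06:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.0.2.1",
    "May 12 21:06:10 mail postfix/smtpd[4321]: connect from unknown[203.0.113.5]",
]


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def failed_hosts(lines, regexes):
    """Return the host captured from every log line that matches a failregex.

    A line counts at most once, against the first regex that matches it,
    which is how fail2ban's filter treats one log line.
    """
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def is_ignored(host, ignoreip):
    """True if host falls inside any ignoreip entry (single address or CIDR).

    strict=False lets an entry like 123.123.123.123/27, which has host bits
    set, be read as the /27 that contains it.
    """
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip)


def hosts_to_ban(lines, patterns=FAILREGEX, ignoreip=IGNOREIP, maxretry=MAXRETRY):
    """Hosts with at least maxretry failures that are not on the ignore list."""
    counts = {}
    for host in failed_hosts(lines, compile_filter(patterns)):
        if is_ignored(host, ignoreip):
            continue
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matched:", failed_hosts(SAMPLE_LOG, compile_filter(FAILREGEX)))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

With the sample above the LAN host fails twice but is covered by 192.168.1.0/24, the POP3 host fails only once, and only 203.0.113.5 reaches maxretry, which is the cross-protocol counting the thread is after. Once the jail is live, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/smtppop3imap.conf` does the same matching check against the real log.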
