[Dovecot] Fail2ban

Jerrale Gayle jerralegayle at sheltoncomputers.com
Fri Jun 11 00:19:24 EEST 2010


I have fail2ban working for EVERYTHING else except dovecot. I have tried 
using my own custom regex in conjunction with the regex on the 
dovecot.org site. Neither is picked up by fail2ban and I'm trying to 
use an imminent attack against dovecot, going on now, to my advantage to 
see when I get the right regexp. Here are my current ones:

failregex = .*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login)  \((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.* <<< this is my custom
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from dovecot.org
            .*warning:.\S*\[(?P<host>)\]: SASL.(?:PLAIN|LOGIN).authentication failed:.*

Here is the current attack:

Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12


Can someone help me out a little?

Thanks,

Jerrale G
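
An added example, not part of the original post: a small Python harness that runs the three expressions above, with the e-mail line wrapping joined, against the quoted log line and reports which host each one captures. The `<HOST>` expansion used here is a simplified assumption, not fail2ban's real substitution, and the one-space variant of the custom expression is constructed for comparison.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is more elaborate and also accepts hostnames).
HOST_GROUP = r"(?P<host>[\w.:-]+)"

# Log line quoted in the post.
LOG_LINE = ("Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected "
            "(auth failed, 1 attempts): user=<rahul>, method=PLAIN, "
            "rip=113.12.82.71, lip=173.50.101.12")

CUSTOM = (r".*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login)"
          r"  \((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*")

PATTERNS = {
    # Exactly as it appears on the page: two spaces before "\(".
    "custom, as posted": CUSTOM,
    # Constructed variant: the same expression with a single space.
    "custom, one space": CUSTOM.replace(r")  \(", r") \("),
    "dovecot.org": (r"(?: pop3-login|imap-login): (?:Authentication failure"
                    r"|Aborted login \(auth failed|Aborted login \(tried to use"
                    r" disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"),
    "SASL line": (r".*warning:.\S*\[(?P<host>)\]: "
                  r"SASL.(?:PLAIN|LOGIN).authentication failed:.*"),
}


def extract_host(pattern, line):
    """Return the captured host, or None if the line does not match
    or the host group is empty (nothing a ban action could use)."""
    match = re.search(pattern.replace("<HOST>", HOST_GROUP), line)
    if match is None:
        return None
    return match.group("host") or None


def report(patterns, line):
    """Map each pattern name to the host it extracts from the line."""
    return {name: extract_host(p, line) for name, p in patterns.items()}


if __name__ == "__main__":
    for name, host in report(PATTERNS, LOG_LINE).items():
        print(f"{name:20} -> {host or 'no usable match'}")
```

This only exercises the expressions under Python's `re` module; the `fail2ban-regex` tool shipped with fail2ban is the check that reflects how the installed version preprocesses log lines.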

