[Dovecot] Fail2ban

Mauricio Tavares raubvogel at gmail.com
Fri Jun 11 00:40:31 EEST 2010


On Thu, Jun 10, 2010 at 5:38 PM, fakessh <fakessh at fakessh.eu> wrote:
> hi dovecot network
>
> the principle of fail2ban is repeated for connections with the same login
> fail2ban does not work if the attack changes to login every time
> this type of attack is rather to find valid user accounts
>
>
> I may be wrong, I hope I too am a victim of this kind of attack
>
>
> On Thu, 10 Jun 2010 17:19:24 -0400, Jerrale Gayle
> <jerralegayle at sheltoncomputers.com> wrote:
>> I have fail2ban working for EVERYTHING else except dovecot. I have tried
>> using my own custom regex in conjunction with the regex on the
>> dovecot.org site. Neither are picked up by fail2ban and I'm trying to
>> use an imminent attack against dovecot, going on now, to my advantage to
>> see when I get the right regexp. Here are my current ones:
>>
>> failregex = .*dovecot: (?:pop3-login|imap-login):
>> (?:Disconnected|Aborted login)  \((?:auth failed, .* attempts|no auth
>> attempts)\):.*rip=<HOST>,.* <<< this is my custom
>>              (?: pop3-login|imap-login): (?:Authentication
>> failure|Aborted login \(auth failed|Aborted login \(tried to use
>> disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from
>> dovecot.org
>>              .*warning:.\S*\[(?P<host>)\]:
>> SASL.(?:PLAIN|LOGIN).authentication failed:.*
>>
>> Here is the current attack:
>>
>> Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1
>> attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71,
>> lip=173.50.101.12
>>
>>
>> Can someone help me out a little?
>>
>> Thanks,
>>
>> Jerrale G
>

      A bit of a side thought, would it be possible to just ban an IP
trying to connect with a non-existent user?
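The following script is an added example, not code from this thread or from the fail2ban or Dovecot projects. It takes the two Dovecot patterns quoted above (the custom one and the one attributed to dovecot.org), joined back onto one line each, since fail2ban treats every line of a multi-line failregex value as a separate pattern, and runs them over constructed log lines in the format of the line Jerrale posted (the first line is his, the others vary the username and add a second address from a documentation range). The `<HOST>` expansion mirrors the named group fail2ban substitutes before compiling. As quoted, the custom pattern has two spaces between `login)` and `\(` and therefore never matches a line that has one; the script tests both spellings and counts matches per captured address regardless of which username was tried.

```python
import re
from collections import Counter

# Constructed sample lines in the Dovecot login-process log format.
# The first is the line quoted in the thread; the rest are constructed
# variations (different usernames, a second source address, one success).
SAMPLE_LINES = [
    "Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12",
    "Jun 10 17:18:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<sandra>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12",
    "Jun 10 17:18:15 mail dovecot: imap-login: Aborted login (auth failed, 3 attempts): "
    "user=<admin>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12",
    "Jun 10 17:18:20 mail dovecot: imap-login: Disconnected (no auth attempts): "
    "rip=192.0.2.10, lip=173.50.101.12",
    "Jun 10 17:18:25 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.20, lip=173.50.101.12, TLS",
]

# fail2ban replaces the <HOST> placeholder with a named group before compiling.
# This expansion mirrors that substitution (optional IPv6-mapped prefix,
# then a run of non-space characters captured as "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The custom pattern exactly as quoted, with two spaces after "login)".
CUSTOM_AS_POSTED = (
    r".*dovecot: (?:pop3-login|imap-login): (?:Disconnected|Aborted login)  "
    r"\((?:auth failed, .* attempts|no auth attempts)\):.*rip=<HOST>,.*"
)
# The same pattern with the double space reduced to one.
CUSTOM_ONE_SPACE = CUSTOM_AS_POSTED.replace(r"login)  \(", r"login) \(")

# The pattern attributed to dovecot.org; it already carries its own host group.
DOVECOT_ORG = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)


def compile_failregex(pattern):
    """Compile a fail2ban-style failregex, expanding <HOST> the way fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(pattern, line):
    """Return the address captured by pattern on line, or None when it does not match."""
    m = compile_failregex(pattern).search(line)
    return None if m is None else m.group("host")


def count_failures(pattern, lines):
    """Count matching lines per captured address; the username is irrelevant."""
    counts = Counter()
    for line in lines:
        host = match_host(pattern, line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, pattern in [("custom as posted", CUSTOM_AS_POSTED),
                          ("custom, one space", CUSTOM_ONE_SPACE),
                          ("dovecot.org", DOVECOT_ORG)]:
        print(f"{name:18}: {count_failures(pattern, SAMPLE_LINES)}")
```

Run it with `python3 dovecot_failregex.py` (a hypothetical file name). The "custom as posted" pattern matches nothing, while the one-space version and the dovecot.org pattern both attribute three failures to 113.12.82.71 even though each used a different username; only the custom pattern also counts the "no auth attempts" disconnect from 192.0.2.10, and the successful login is ignored by both. The same check can be done with `fail2ban-regex <logfile> '<pattern>'`, which exists in fail2ban releases of that era.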

