[Dovecot] Fail2ban and logging
Mark Sapiro
mark at msapiro.net
Tue Jul 16 06:00:14 EEST 2013

On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
>
> Are you blocked when you log in a few times with a wrong password?
>
> I expect your log will say something like "auth failed, 22 attempts in
> 30 secs", and fail2ban will see that as 1 authentication error, so will
> not block you.

I am blocked. The log says

Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<cvam1pfhLwBi+Lrk>
Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 6 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<C3H81pfhMABi+Lrk>
Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 10 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<YEaR15fhNQBi+Lrk>
Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<hN1T2JfhNgBi+Lrk>
Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=<jqqE2ZfhOwBi+Lrk>

The difference may be that I am connecting to pop3s, port 995 with SSL,
not port 110 with STARTTLS.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
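
The two cases discussed in this message (one failure per log line, versus a single line reporting many attempts) can be compared with a short script. This is an added example, not part of either poster's message and not fail2ban's own code: the host name, user, addresses and log lines are constructed, and the findtime window is ignored so that only the counting method differs.

```python
import re
from collections import defaultdict

# Matches the Dovecot login-failure format quoted in the message above and
# captures the attempt count Dovecot reports plus the remote IP (rip=).
FAIL_RE = re.compile(
    r"dovecot: \w+-login: .*?\(auth failed, (?P<attempts>\d+) attempts"
    r".*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def line(ts, attempts, secs, rip):
    """Build one constructed log line in the format shown in the post."""
    return (f"Jul 15 {ts} mailhost dovecot: pop3-login: Aborted login "
            f"(auth failed, {attempts} attempts in {secs} secs): user=<test>, "
            f"method=PLAIN, rip={rip}, lip=203.0.113.1, TLS, session=<constructed>")

# Constructed sample: five single-attempt lines from one address, one line
# reporting 22 attempts from another, and a successful login to be ignored.
SAMPLE = [
    line("19:36:06", 1, 2, "192.0.2.10"),
    line("19:36:16", 1, 6, "192.0.2.10"),
    line("19:36:29", 1, 10, "192.0.2.10"),
    line("19:36:49", 1, 17, "192.0.2.10"),
    line("19:37:09", 1, 17, "192.0.2.10"),
    line("19:40:00", 22, 30, "198.51.100.7"),
    "Jul 15 19:41:00 mailhost dovecot: pop3-login: Login: user=<test>, "
    "method=PLAIN, rip=192.0.2.99, lip=203.0.113.1, TLS",
]

def tally(lines):
    """Per remote IP: matching log lines seen, and attempts Dovecot reported."""
    stats = defaultdict(lambda: {"lines": 0, "attempts": 0})
    for entry in lines:
        m = FAIL_RE.search(entry)
        if m:
            stats[m["rip"]]["lines"] += 1
            stats[m["rip"]]["attempts"] += int(m["attempts"])
    return dict(stats)

def banned(stats, maxretry, key):
    """IPs whose count under `key` ('lines' or 'attempts') reaches maxretry."""
    return sorted(ip for ip, s in stats.items() if s[key] >= maxretry)

if __name__ == "__main__":
    stats = tally(SAMPLE)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['lines']} line(s), {s['attempts']} attempt(s)")
    print("one failure per line  :", banned(stats, 3, "lines"))
    print("using reported count  :", banned(stats, 3, "attempts"))
```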