[Dovecot] fail2ban

Nick Edwards nick.z.edwards at gmail.com
Sat Oct 5 18:32:50 EEST 2013


Bingo!

Thanks, working now

On 10/5/13, Noel Butler <noel.butler at ausics.net> wrote:
> On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
>> For dovecot 2.1
>>
>> as per wiki2,  is this still valid?  noticed a problem before and saw
>> it does seem to be triggering, I use:
>>
>
> looks out dated
>
>> filter.d/dovecot.conf
>
> That'll never work, you need to change
>
>> [Definition]
>> failregex = (?: pop3-login|imap-login): (?:Authentication
> to
>
> failregex = (?: pop3-login|imap-login): .*(?:Authentication
>                                         ^^
>
> BUT, then, with the rest of your regex, it will only partly match
> because its looking for ", something" like " ,TLS" at the end  which
> wont appear on failed imap/pop3 logins that dont use TLS, etc, so any
> failed attempts using TLs, will be found, if they are not using it, they
> will be missed (most miscreants likely wont be using it anyway)
>
> I am NO python expert,  in fact, I know less than less about python, so
> you'll best need to wait for someone who knows the answer, or ask on
> fail2ban list, on how you can change that to match both, by changing
> the last bit to
>     \(auth failed).*rip=(?P<host>\S*) <some variable here to match
> on ,TLS or nothing at all>
>
> in meantime, you could repeat your failregex, like
>
> failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|
> Aborted login \(auth failed|Aborted login \(tried to use disabled|
> Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>     (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted
> login \(auth failed|Aborted login \(tried to use disabled|Disconnected
> \(auth failed).*rip=(?P<host>\S*)
>
>
> I think thats horrible, messy, yukky, but it likely might work :)  at
> least until you find a better answer, there are some fail2ban fanbois on
> this list, but as its the weekend, you may need to be patient.
>
>


More information about the dovecot mailing list