ot: how to block persistent same invalid account, different IPs

Voytek Eymont voytek at sbt.net.au
Fri Dec 22 12:41:17 EET 2017


I've installed fail2ban, it seems to be working as it identified my failed
test logins, BUT, my question is:

what can I do when I see the same invalid name trying to log in to dovecot,
from a different IP each time? how can I, say, block each IP as used by this
name? or is that a bad idea?

I can see two persistent attempts as so:

I don't have such user 'ignacio' or 'julian'

#  grep ignacio.munoz  /var/log/dovecot.log | wc
    178    3436   35624
#  grep ignacio.munoz  /var/log/dovecot.log | grep 'auth fail' | wc
    178    3436   35624

#  grep julian  /var/log/dovecot.log | wc
    178    3432   34321
#  grep julian  /var/log/dovecot.log | grep 'auth fail' | wc
    178    3432   34321


last 6 tries, sometimes have just : <ignacio.munoz>, sometimes, with tld

Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
8 secs): user=<ignacio.munoz at aaa.com>, method=PLAIN, rip=157.122.183.218,
lip=163.47.110.6, TLS, session=<Z4JniOdgkgCderfa>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=<ignacio.munoz>, method=PLAIN, rip=60.172.162.2,
lip=163.47.110.6, TLS, session=<CsdriudgWAA8rKIC>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
10 secs): user=<ignacio.munoz at aaa.com>, method=PLAIN, rip=60.30.224.189,
lip=163.47.110.6, TLS: Disconnected, session=<kvLWLelg0QA8HuC9>
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=<ignacio.munoz>, method=PLAIN, rip=220.164.2.138,
lip=163.47.110.6, TLS: Disconnected, session=<T7T5L+lgRADcpAKK>
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=<ignacio.munoz at aaa.com>, method=PLAIN, rip=113.8.194.3,
lip=163.47.110.6, TLS, session=<jfSgoOlgswBxCMID>
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=<ignacio.munoz>, method=PLAIN, rip=58.210.119.226,
lip=163.47.110.6, TLS, session=<moAVo+lg8gA60nfi>





-- 
Voytek
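
The pattern described in this post (one nonexistent user name, a different source IP on every attempt) can be pulled out of the log by grouping failed logins by user name instead of by IP. The script below is an added example, not part of the original message; the sample log lines, the `VALID_USERS` set and the `min_ips` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the dovecot login-process "auth failed" line format quoted in the post.
FAILED = re.compile(
    r"Disconnected \(auth failed.*?\): user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def local_part(user):
    """Reduce 'name', 'name@domain' and the archive's 'name at domain' to 'name'."""
    return re.split(r"@| at ", user.strip().lower(), maxsplit=1)[0]

def distributed_guessing(lines, valid_users, min_ips=3):
    """Return {user: sorted IPs} for nonexistent accounts tried from >= min_ips addresses."""
    seen = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        name = local_part(m.group("user"))
        # Only names that are NOT real accounts are considered, so a real user
        # who mistypes a password from several networks is never listed.
        if name and name not in valid_users:
            seen[name].add(m.group("rip"))
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= min_ips}

# Constructed sample data (documentation IP ranges, made-up user names).
_T = (
    "Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): "
    "user=<{}>, method=PLAIN, rip={}, lip=198.51.100.1, TLS, session=<constructed>"
)
SAMPLE = [_T.format(u, ip) for u, ip in [
    ("ghost.user@example.com", "192.0.2.10"),
    ("ghost.user", "198.51.100.7"),
    ("ghost.user at example.com", "203.0.113.5"),
    ("alice", "192.0.2.21"), ("alice", "192.0.2.22"), ("alice", "192.0.2.23"),
    ("nobody", "192.0.2.99"),
]] + ["Dec 22 17:05:00 imap-login: Info: Login: user=<alice>, method=PLAIN, "
      "rip=192.0.2.50, lip=198.51.100.1, mpid=1234, TLS, session=<constructed>"]
VALID_USERS = {"alice"}  # assumption: local parts of the accounts that really exist

if __name__ == "__main__":
    for user, ips in distributed_guessing(SAMPLE, VALID_USERS).items():
        print(f"{user}: {len(ips)} source IPs -> {' '.join(ips)}")
```

The resulting address list can be handed to whatever ban mechanism is in use. Limiting it to names that do not exist keeps real users from being locked out by someone else's failed attempts.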


