ot: how to block persistent same invalid account, different IPs
Voytek Eymont
voytek at sbt.net.au
Fri Dec 22 12:41:17 EET 2017
I've installed fail2ban, it seems to be working as it identified my failed
test logins, BUT, my question is:
what can I do when I see same invalid name trying to login to dovecot,
different IP each time, how can I say block each IP as used by this name ?
or it that a bad idea ?
I can see two persistent attempts as so:
I don't have such user 'ignacio' or 'julian'
# grep ignacio.munoz /var/log/dovecot.log | wc
178 3436 35624
# grep ignacio.munoz /var/log/dovecot.log | grep 'auth fail' | wc
178 3436 35624
# grep julian /var/log/dovecot.log | wc
178 3432 34321
# grep julian /var/log/dovecot.log | grep 'auth fail' | wc
178 3432 34321
last 6 tries, sometimes have just : <ignacio.munoz>, sometimes, with tld
Dec 22 17:00:33 imap-login: Info: Disconnected (auth failed, 1 attempts in
8 secs): user=<ignacio.munoz at aaa.com>, method=PLAIN, rip=157.122.183.218,
lip=163.47.110.6, TLS, session=<Z4JniOdgkgCderfa>
Dec 22 17:01:06 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=<ignacio.munoz>, method=PLAIN, rip=60.172.162.2,
lip=163.47.110.6, TLS, session=<CsdriudgWAA8rKIC>
Dec 22 18:58:26 imap-login: Info: Disconnected (auth failed, 1 attempts in
10 secs): user=<ignacio.munoz at aaa.com>, method=PLAIN, rip=60.30.224.189,
lip=163.47.110.6, TLS: Disconnected, session=<kvLWLelg0QA8HuC9>
Dec 22 18:58:59 imap-login: Info: Disconnected (auth failed, 1 attempts in
7 secs): user=<ignacio.munoz>, method=PLAIN, rip=220.164.2.138,
lip=163.47.110.6, TLS: Disconnected, session=<T7T5L+lgRADcpAKK>
Dec 22 19:30:28 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=<ignacio.munoz at aaa.com>, method=PLAIN, rip=113.8.194.3,
lip=163.47.110.6, TLS, session=<jfSgoOlgswBxCMID>
Dec 22 19:31:09 imap-login: Info: Disconnected (auth failed, 1 attempts in
6 secs): user=<ignacio.munoz>, method=PLAIN, rip=58.210.119.226,
lip=163.47.110.6, TLS, session=<moAVo+lg8gA60nfi>
--
Voytek
More information about the dovecot
mailing list