Thread: Attacks on MTA
Old 29th September 2009, 16:20
edge

Are you using courierpop3?

The rule that you need probably looks something like this (NOT TESTED!):


enabled = true
port = pop3
filter = pop3d
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Basically, the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP that is causing the LOGIN FAILED.
After a maxretry of 5 times, fail2ban will kick in and block that IP.

Make sure that you restart fail2ban after adding this.

Last edited by edge; 29th September 2009 at 16:25.
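Added example (not part of edge's post and not fail2ban's own code): a Python check of the posted failregex and maxretry against constructed Courier-style log lines. The `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's tag, the host name `mx` and all log lines are constructed, and every line is assumed to fall inside one findtime window.

```python
import re
from collections import Counter

FAILREGEX = r"pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]"  # failregex from the post
MAXRETRY = 5                                          # maxretry from the post

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines, modelled on Courier's IPv4-mapped address logging.
SAMPLE_LOG = (
    ["Sep 29 16:0%d:11 mx pop3d: LOGIN FAILED, user=info, ip=[::ffff:203.0.113.7]" % i
     for i in range(5)]
    + ["Sep 29 16:1%d:42 mx pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.23]" % i
       for i in range(2)]
    + ["Sep 29 16:20:03 mx pop3d: LOGIN, user=alice, ip=[::ffff:192.0.2.10]",
       # No colon before the address, so the ".*:" in the regex cannot match.
       "Sep 29 16:21:09 mx pop3d: LOGIN FAILED, user=info, ip=[192.0.2.55]"]
)


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> and compile the rule the way a log scanner would use it."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_per_host(lines, failregex=FAILREGEX):
    """Count matching LOGIN FAILED lines per extracted address."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Addresses whose failure count has reached maxretry."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

The last sample line shows a limit of the rule as posted: it only matches when a colon precedes the address inside the brackets, so a log that records a plain `ip=[a.b.c.d]` would never trigger a ban.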