Thread: Attacks on MTA
29th September 2009, 17:20
edge

Are you using courierpop3?

The rule that you need probably looks something like this (NOT TESTED!):


enabled = true
port = pop3
filter = pop3d
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Basically the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP that is causing the LOGIN FAILED.
After a maxretry of 5 times fail2ban will kick in, and block that IP.

Make sure that you restart fail2ban after adding this.

Last edited by edge; 29th September 2009 at 17:25.
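Added example (not part of edge's post and not fail2ban's own code): a dry run of the posted failregex and maxretry against constructed Courier-style log lines, to see which addresses would reach the ban threshold before the rule goes live. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the helper names are hypothetical, and fail2ban's findtime window is ignored.

```python
import re
from collections import Counter

# failregex and maxretry exactly as posted in the rule above.
FAILREGEX = r"pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]"
MAXRETRY = 5

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
# The real expansion is broader and differs between fail2ban versions.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines (documentation address ranges), not real server logs.
SAMPLE_LOG = """\
Sep 29 17:01:01 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.10]
Sep 29 17:01:03 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Sep 29 17:01:04 mail pop3d: LOGIN FAILED, user=info, ip=[::ffff:198.51.100.7]
Sep 29 17:01:06 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:192.0.2.10]
Sep 29 17:01:09 mail pop3d: LOGIN, user=bob, ip=[::ffff:192.0.2.10]
Sep 29 17:01:12 mail pop3d: LOGIN FAILED, user=web, ip=[::ffff:192.0.2.10]
Sep 29 17:01:15 mail pop3d: LOGIN FAILED, user=info, ip=[::ffff:198.51.100.7]
Sep 29 17:01:18 mail pop3d: LOGIN FAILED, user=mail, ip=[::ffff:192.0.2.10]
Sep 29 17:01:20 mail pop3d: LOGIN FAILED, user=joe, ip=[203.0.113.5]
"""


def compile_failregex(failregex):
    """Substitute the <HOST> tag the way fail2ban does before compiling."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures_per_host(log_text, failregex=FAILREGEX):
    """Count the log lines matched by the failregex, keyed by captured host."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count has reached maxretry."""
    counts = failures_per_host(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```

The last sample line is not counted: the `.*:` in front of `<HOST>` requires a colon before the address, so a line logged as `ip=[203.0.113.5]` without the `::ffff:` prefix does not match the regex as posted.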