21st November 2012, 21:27
blinden

Fail2Ban not banning on dovecot service

New to fail2ban, and just trying to get my settings right.

ISPConfig3
Ubuntu 12.04.1 LTS
completely up to date.

Had a long string of these, probably over 1000 of them in alphabetical order from mail.log:

Nov 21 14:01:24 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<winston@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:41 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolf@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:58 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolfgang@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:02:15 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<woody@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22

from /etc/fail2ban/filter.d/dovecot.conf:

Original, which was commented out
#failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

Modified:
failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

from /etc/fail2ban/jail.conf:

[dovecot]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
findtime = 3600
bantime = 1200

Last edited by blinden; 21st November 2012 at 21:32.
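Added example, not part of the original post: a Python check of both failregex lines quoted above against the posted log format, followed by a simplified maxretry/findtime count. Assumptions: the filter is applied with a regex search to the text after the syslog timestamp, the year is 2012, and the fifth failure line, the "no auth attempts" line, the successful login line and the 192.0.2.x addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Alternatives shared by both failregex lines in the post ("(?:" written out).
TAIL = (r"Authentication failure|Aborted login \(auth failed"
        r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
        r").*rip=(?P<host>\S*),.*")
ORIGINAL = re.compile(r".*(?:pop3-login|imap-login):.*(?:" + TAIL)
MODIFIED = re.compile(r"(?: pop3-login|imap-login): .*(?:Disconnected|" + TAIL)
MAXRETRY, FINDTIME = 5, 3600  # maxretry / findtime from the [dovecot] jail

def _fail(clock, user):
    return (f"Nov 21 {clock} mailserver dovecot: pop3-login: Disconnected "
            f"(auth failed, 1 attempts): user=<{user}@domain.net>, "
            "method=PLAIN, rip=85.13.200.50, lip=10.0.0.22")

# The first four entries reproduce the post's lines; the rest are constructed.
SAMPLE = [
    _fail("14:01:24", "winston"), _fail("14:01:41", "wolf"),
    _fail("14:01:58", "wolfgang"), _fail("14:02:15", "woody"),
    _fail("14:02:32", "example"),
    "Nov 21 14:03:10 mailserver dovecot: pop3-login: Disconnected "
    "(no auth attempts): rip=192.0.2.7, lip=10.0.0.22",
    "Nov 21 14:03:30 mailserver dovecot: pop3-login: Login: "
    "user=<alice@domain.net>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.22",
]

def hits(regex, lines, year=2012):
    """Return (timestamp, host) for every line the failregex matches."""
    found = []
    for line in lines:
        m = regex.search(line[16:])  # message after the 15-char syslog stamp
        if m:
            stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            found.append((stamp, m.group("host")))
    return found

def banned(regex, lines):
    """Hosts with MAXRETRY matches inside any FINDTIME-second window."""
    times = defaultdict(list)
    for stamp, host in hits(regex, lines):
        times[host].append(stamp)
    return {host for host, ts in times.items() if any(
        (b - a).total_seconds() <= FINDTIME
        for a, b in zip(sorted(ts), sorted(ts)[MAXRETRY - 1:]))}

if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, [h for _, h in hits(rx, SAMPLE)], banned(rx, SAMPLE))
```

On the server itself, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf` runs the installed filter against the real log.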