#1  
Old 29th April 2009, 03:30
asus asus is offline
Member
  
Join Date: Jul 2007
Posts: 67
Thanks: 3
Thanked 1 Time in 1 Post
Default pop3 problems
ok my email server is getting hit really hard. and my fail2ban still spits out this error .

Code:
2009-04-26 06:45:55,346 fail2ban.comm   : WARNING Invalid command: ['add', 'courierpop3', 'polling']
2009-04-25 21:20:30,398 fail2ban.jail   : INFO   Using poller
2009-04-25 21:20:30,513 fail2ban.filter : INFO   Created Filter
2009-04-25 21:20:30,515 fail2ban.filter : INFO   Created FilterPoll
2009-04-25 21:20:30,527 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2009-04-25 21:20:30,553 fail2ban.filter : INFO   Set maxRetry = 5
2009-04-25 21:20:30,557 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
I have been getting hit alot. the same address has tried to login 12308, here are a few.

Code:
pop3:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root:
15 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mysql:
6 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody
my question is can I fix this error so that fail2ban will block these mass attempts.
__________________
http://gwi.bounceme.net - 24/7 Internet Radio Jungle/DnB - a place for live dj's to play
http://gwi.servehttp.com - GetWithIt (GWI) Hosting/Design is a premier free/open source solutions provider for businesses of any size.
Reply With Quote
Sponsored Links
  #2  
Old 29th April 2009, 12:24
falko falko is online now
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
Default
Can you post the Courier part of your fail2ban configuration?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 29th April 2009, 21:16
asus asus is offline
Member
  
Join Date: Jul 2007
Posts: 67
Thanks: 3
Thanked 1 Time in 1 Post
Default
Code:
[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5
__________________
http://gwi.bounceme.net - 24/7 Internet Radio Jungle/DnB - a place for live dj's to play
http://gwi.servehttp.com - GetWithIt (GWI) Hosting/Design is a premier free/open source solutions provider for businesses of any size.
Reply With Quote
  #4  
Old 30th April 2009, 17:21
falko falko is online now
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
Default
What's in the courierlogin filter in /etc/fail2ban/filter.d/?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #5  
Old 30th April 2009, 22:09
asus asus is offline
Member
  
Join Date: Jul 2007
Posts: 67
Thanks: 3
Thanked 1 Time in 1 Post
Default
Code:
#
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
__________________
http://gwi.bounceme.net - 24/7 Internet Radio Jungle/DnB - a place for live dj's to play
http://gwi.servehttp.com - GetWithIt (GWI) Hosting/Design is a premier free/open source solutions provider for businesses of any size.
Reply With Quote
  #6  
Old 1st May 2009, 18:09
falko falko is online now
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
Default
Hm, not sure if it helps, but can you change
Code:
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
to
Code:
failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]
and
Code:
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
to
Code:
failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]
?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #7  
Old 1st May 2009, 20:16
asus asus is offline
Member
  
Join Date: Jul 2007
Posts: 67
Thanks: 3
Thanked 1 Time in 1 Post
Default
sorry to say but the same error keeps coming up.
__________________
http://gwi.bounceme.net - 24/7 Internet Radio Jungle/DnB - a place for live dj's to play
http://gwi.servehttp.com - GetWithIt (GWI) Hosting/Design is a premier free/open source solutions provider for businesses of any size.
Reply With Quote
  #8  
Old 2nd May 2009, 20:32
falko falko is online now
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
Default
Then I'm at my wit's end...
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #9  
Old 5th May 2009, 07:19
asus asus is offline
Member
  
Join Date: Jul 2007
Posts: 67
Thanks: 3
Thanked 1 Time in 1 Post
Default
I followed the Preventing Brute Force Attacks With Fail2ban On Debian Etch, I'm not sure if you remember but I' am running the perfect ubuntu 8.04 LTS server setup with ispconfig 2. Would this have anything to do with it ? I know ubuntu is based on debian.
__________________
http://gwi.bounceme.net - 24/7 Internet Radio Jungle/DnB - a place for live dj's to play
http://gwi.servehttp.com - GetWithIt (GWI) Hosting/Design is a premier free/open source solutions provider for businesses of any size.
Reply With Quote
  #10  
Old 6th May 2009, 21:38
falko falko is online now
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
 
Default
Might be a problem with Ubuntu, but I can't say for sure...
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Problems with postfix vs IMAP / POP3 MiniMe Server Operation 25 28th October 2008 15:18
Email Set Up XTCHost Server Operation 5 6th September 2008 12:03
Management/system config/settings & /server/settings not working!! dactor Installation/Configuration 9 6th February 2008 09:11
POP3 problems, Virtual Users And Domains With Postfix, Courier And MySQL (Fedora 8) garbagedigger HOWTO-Related Questions 1 10th December 2007 02:51
Problems with webmail logins and POP3 Spaetzle General 11 24th November 2006 16:05


All times are GMT +2. The time now is 16:03.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.