#1
29th April 2009, 04:30
asus
pop3 problems

OK, my email server is getting hit really hard, and my fail2ban still spits out this error.

Code:
2009-04-26 06:45:55,346 fail2ban.comm   : WARNING Invalid command: ['add', 'courierpop3', 'polling']
2009-04-25 21:20:30,398 fail2ban.jail   : INFO   Using poller
2009-04-25 21:20:30,513 fail2ban.filter : INFO   Created Filter
2009-04-25 21:20:30,515 fail2ban.filter : INFO   Created FilterPoll
2009-04-25 21:20:30,527 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2009-04-25 21:20:30,553 fail2ban.filter : INFO   Set maxRetry = 5
2009-04-25 21:20:30,557 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

I have been getting hit a lot. The same address has tried to log in 12308 times; here are a few.

Code:
pop3:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root:
15 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mysql:
6 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody

My question is: can I fix this error so that fail2ban will block these mass attempts?
#2
29th April 2009, 13:24
falko

Can you post the Courier part of your fail2ban configuration?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3
29th April 2009, 22:16
asus

Code:
[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5
#4
30th April 2009, 18:21
falko

What's in the courierlogin filter in /etc/fail2ban/filter.d/?
#5
30th April 2009, 23:09
asus

Code:
#
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
#6
1st May 2009, 19:09
falko

Hm, not sure if it helps, but can you change
Code:
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
to
Code:
failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]
and
Code:
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
to
Code:
failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]
?
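
One way to check the three failregex variants posted in this thread against sample lines before reloading fail2ban (an added example, not code from any poster or from the fail2ban project). The `<HOST>` expansion is a simplified stand-in, and the log lines are constructed; only the body of the PAM line is taken from post #1.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (an assumption, not copied
# from the fail2ban source): optional IPv4-mapped prefix, then the host group.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex values that appear in the thread.
FAILREGEX = {
    "jail.conf (post #3)": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "filter.d (post #5)": r"LOGIN FAILED, .*, ip=\[<HOST>\]$",
    "suggested (post #6)": r"LOGIN FAILED.*ip=\[.*:<HOST>\]",
}

# Constructed sample lines; 203.0.113.7 is a documentation-only address.
SAMPLES = [
    # Courier line without a user= field, IPv4-mapped address
    "Apr 26 06:45:50 mail courierpop3login: LOGIN FAILED, ip=[::ffff:203.0.113.7]",
    # Courier line with a user= field, IPv4-mapped address
    "Apr 26 06:45:52 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:203.0.113.7]",
    # Courier line with a plain IPv4 address (no colon inside the brackets)
    "Apr 26 06:45:53 mail pop3d: LOGIN FAILED, user=root, ip=[203.0.113.7]",
    # PAM-style line as summarised in post #1: rhost= is empty, so no address
    "Apr 26 06:45:54 mail pop3: authentication failure; logname= uid=0 "
    "euid=0 tty= ruser= rhost=  user=root",
]


def extract_host(failregex, line):
    """Return the host a failregex would hand to the ban action, or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def coverage():
    """Map each failregex name to the host it extracts from every sample."""
    return {
        name: [extract_host(rx, line) for line in SAMPLES]
        for name, rx in FAILREGEX.items()
    }


if __name__ == "__main__":
    for name, hosts in coverage().items():
        print(f"{name:22} {hosts}")
```

Each expression covers a different subset of the Courier lines, and none can match the PAM "authentication failure" lines, which carry no address to ban. fail2ban ships a `fail2ban-regex` command that runs the same kind of check against the real /var/log/mail.log.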
#7
1st May 2009, 21:16
asus

Sorry to say, but the same error keeps coming up.
#8
2nd May 2009, 21:32
falko

Then I'm at my wit's end...
#9
5th May 2009, 08:19
asus

I followed the Preventing Brute Force Attacks With Fail2ban On Debian Etch. I'm not sure if you remember, but I am running the perfect Ubuntu 8.04 LTS server setup with ISPConfig 2. Would this have anything to do with it? I know Ubuntu is based on Debian.
#10
6th May 2009, 22:38
falko

Might be a problem with Ubuntu, but I can't say for sure...