fail2ban filter for Kerio Mailserver

Discussion in 'Installation/Configuration' started by taittinger_hi, Dec 20, 2009.

  1. taittinger_hi

    taittinger_hi New Member

    Has anyone made a fail2ban filter configuration to block random attempts on POP3 (and SMTP) for kerio mailserver?

    Fail2ban would be great to block these attempts in the kerio warning log:

    Code:
    [20/Dec/2009 16:35:59] POP3: User user<_at_>example doesn't exist. Attempt from IP address XXX.XXX.XX.XX
    and

    Code:
    [22/Nov/2009 00:05:01] POP3: Invalid password for user user<_at_>example. Attempt from IP address XXX.XXX.XX.XX

    Fail2ban works great with the standard filters included in the package, but I can't find a working config for kerio unfortunately ...

    Anyone managed to write a working filter config for fail2ban?

    Help would be really appreciated!

    Thanks,

    Tom.
     
  2. falko

    falko Super Moderator

    You can try this as a regular expression for the filter:

    Code:
    failregex = POP3: Invalid password for user *. Attempt from IP address \[.*:<HOST>\]
     
  3. taittinger_hi

    taittinger_hi New Member

Thanks for your suggestion, Falko,

but something is still not working: when I test the expression with fail2ban-regex, I get:

    ---

    login$ fail2ban-regex "POP3: User blabla@example.com doesn't exist. Attempt from IP address 10.0.0.233" "POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]"

    Running tests
    =============

    Use regex line : POP3: User *. doesn't exist. Attempt from IP addre...
    Use single line: POP3: User blabla@example.com doesn't exist. Atte...


    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]
    |
    `- Number of matches:
    [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Sorry, no match

    Look at the above section 'Running tests' which could contain important
    information.

    ---

    I don't see why it returns no matches?!

    Any ideas?

    Thanks!
     
  4. falko

    falko Super Moderator

    Maybe you need to remove the dot after the asterisk:
    Code:
    failregex = POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]
     
  5. taittinger_hi

    taittinger_hi New Member

    I tried this, but still no matches ...

    This is the query:

    user# fail2ban-regex "POP3: Invalid password for user user@example.com. Attempt from IP address 10.0.0.31" "POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]"

This is the result:

    Running tests
    =============

    Use regex line : POP3: Invalid password for user * Attempt from IP ...
    Use single line: POP3: Invalid password for user user@example.com. ...


    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]
    |
    `- Number of matches:
    [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Sorry, no match

    Look at the above section 'Running tests' which could contain important
    information.

    Why, why, why :confused:

    Thanks for any new insights!

    Tom
     
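A filter that does match the two Kerio warning-log lines quoted at the top of this thread, added here as a worked example (it is not code posted by any participant), checked with Python's re module, which is what fail2ban uses. It assumes a simplified expansion of fail2ban's <HOST> tag (an IPv4 named group) and constructed sample log lines; it also keeps the regex suggested in post 4 for comparison, to show why it cannot match.

```python
import re

# Constructed sample lines in the Kerio warning-log format quoted in the thread,
# plus an SMTP failure and a successful login that must NOT be matched.
SAMPLE_LOG = """\
[20/Dec/2009 16:35:59] POP3: User user@example.com doesn't exist. Attempt from IP address 10.0.0.233
[22/Nov/2009 00:05:01] POP3: Invalid password for user user@example.com. Attempt from IP address 10.0.0.31
[22/Nov/2009 00:06:10] SMTP: Invalid password for user bob@example.com. Attempt from IP address 192.0.2.7
[22/Nov/2009 00:07:00] POP3: User alice@example.com logged in from 10.0.0.5
"""

# fail2ban replaces <HOST> with a named group "host" that captures the address.
# This IPv4-only group is an assumption standing in for fail2ban's own expansion.
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex lines as they would go into a fail2ban filter file.
# "\S+" consumes the user name (it may contain "@" and dots); the literal
# dot after it is escaped so it does not match any character.
FAILREGEX = [
    r"^\[[^\]]+\] (?:POP3|SMTP|IMAP): User \S+ doesn't exist\. Attempt from IP address <HOST>$",
    r"^\[[^\]]+\] (?:POP3|SMTP|IMAP): Invalid password for user \S+\. Attempt from IP address <HOST>$",
]

# The regex from post 4, for comparison: the bare "*" after "user " only
# repeats the preceding space (it does not consume the user name), and the
# log line has no "[...:IP]" bracket, so it can never match.
THREAD_REGEX = r"POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]"


def compile_failregex(pattern):
    """Expand the <HOST> tag the way fail2ban does (simplified) and compile."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def match_hosts(log_text, patterns):
    """Return the addresses captured by the first matching failregex per line."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("working filter:", match_hosts(SAMPLE_LOG, FAILREGEX))
    print("thread regex:  ", match_hosts(SAMPLE_LOG, [THREAD_REGEX]))
```

For a line to count as a failure, fail2ban must also recognise its leading timestamp; fail2ban-regex reports date detection separately from the failregex match, so check both parts of its output.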
