Difference between revisions of "HOWTO fail2ban with qpopper"

From Fail2ban
(it's better to use \s instead of blanks because of line breaking problems)
(updated regex)
Line 12: Line 12:
 
  maxretry = 5
 
  maxretry = 5
  
* Then create a file in filter.d directory called qpopperlogin.conf This failregex statement was sent to the fail2safe mail list by Sven Neukirchner.
+
* Then create a file in filter.d directory called qpopperlogin.conf The first failregex statement was sent to the fail2ban mail list by Sven Neukirchner.
  
 
  [Definition]
 
  [Definition]
 
   
 
   
  failregex = popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s
+
  failregex = popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s\S+\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$
            \S+\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$
+
            popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]\
 
  ignoreregex =
 
  ignoreregex =
 
###
 
# for strings like 
 
# Oct 16 14:42:00 alpha popper[25364]: anton at 123.234.40.66 (123.234.40.66): -#ERR [AUTH] Password supplied for "anton" is incorrect. [pop_pass.c:1173]
 
# use
 
# failregex = \(<HOST>\):\ -ERR\ \[AUTH\]
 
###
 
 
That should do it!
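Review bot: the second failregex line added in this hunk, `popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]\`, ends in a backslash with nothing after it. It was presumably an escaped space (`\ `) whose trailing blank was lost; Python's `re` rejects a pattern ending in a bare backslash as a bad escape at end of pattern, so drop it or write `\s`, as the edit summary itself recommends. The `.*` between `popper\[[0-9]+\]:` and `\(<HOST>\)` is also looser than it needs to be, because the rest of the line includes the client-supplied user name; `\s\S+\sat\s\S+\s` would match the quoted sample line more strictly. The sample line in the comment shows `-#ERR`, while both patterns expect `-ERR`.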
 

Revision as of 17:57, 15 December 2011

Configuration for the qpopper POP3 daemon is done as follows (this setup was for openSUSE 10.2):

  • First make an entry in your jail.conf file.

[qpopper]
enabled  = true
port     = pop3
filter   = qpopperlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
           sendmail-whois[name=qpopper, dest=you@mail.com]
logpath  = /var/log/mail
maxretry = 5

  • Then create a file in the filter.d directory called qpopperlogin.conf. The first failregex statement was sent to the fail2ban mailing list by Sven Neukirchner.

[Definition]

failregex = popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s\S+\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$
            popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]
ignoreregex =
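
An offline check of the two failregex patterns against sample log lines, added here as an example (it is not part of the original wiki page or of fail2ban). Assumptions: `<HOST>` is replaced by a simplified IPv4-only group rather than fail2ban's own substitution, the log lines are constructed, and the counting ignores the jail's time window. It also shows that the second pattern stops compiling if it ends in a bare backslash, which is what remains of an escaped space `\ ` once trailing whitespace is stripped.

```python
import re
from collections import Counter

# Assumption: simplified IPv4-only stand-in for what fail2ban substitutes for <HOST>.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines of qpopperlogin.conf, the second without a trailing backslash.
FAILREGEX = [
    r"popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s\S+\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$",
    r"popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]",
]

# Constructed sample log (documentation addresses), modelled on the line quoted on this page.
SAMPLE_LOG = [
    f'Oct 16 14:42:0{s} alpha popper[2536{s}]: anton at 203.0.113.66 (203.0.113.66): '
    f'-ERR [AUTH] Password supplied for "anton" is incorrect. [pop_pass.c:1173]'
    for s in range(5)
] + [
    "Oct 16 14:43:10 alpha popper[25370]: [AUTH] Failed attempted login to bob "
    "from host (client.example.net) 192.0.2.10 [pop_pass.c:1173]",
    # Constructed non-failure line: must not be counted.
    "Oct 16 14:44:02 alpha popper[25371]: Stats: carol 0 0 0 0 host.example.net 198.51.100.7",
]

def compile_filter(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))

def compiles(pattern):
    """True if the pattern is a valid regex after <HOST> expansion."""
    try:
        compile_filter(pattern)
        return True
    except re.error:
        return False

def failed_hosts(lines, patterns=FAILREGEX):
    """Return the host captured from every line that matches any failregex."""
    compiled = [compile_filter(p) for p in patterns]
    hits = []
    for line in lines:
        match = next((m for m in (rx.search(line) for rx in compiled) if m), None)
        if match:
            hits.append(match.group("host"))
    return hits

def hosts_to_ban(lines, maxretry=5):
    """Hosts with at least maxretry failures (maxretry = 5 in the jail above)."""
    counts = Counter(failed_hosts(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

Against a real log, fail2ban's own `fail2ban-regex` tool runs the filter file with the real `<HOST>` expansion.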