Difference between revisions of "Talk:Dovecot"

From Fail2ban
Jump to: navigation, search
Line 33: Line 33:
 
Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds:
 
Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds:
 
<br>bantime  = 60<br><br>
 
<br>bantime  = 60<br><br>
 +
 +
<hr>
 +
 +
Suggested regexp to catch failed sql-logins:
 +
 +
<pre>
 +
failregex = dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
 +
</pre>

Revision as of 12:30, 5 January 2009

If you want to catch this:
Aug 29 19:45:13 MyHostName dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=123.123.123.123

Here is the regex:
dovecot.*authentication failure.*rhost\=<host>

To catch lines like:
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5
the regexp is:
dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*


CentOS 5.2 and Dovecot:

Create file /etc/fail2ban/filter.d/dovecot.conf
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)


Add to file /etc/fail2ban/filter.d/jail.conf
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
sendmail-whois[name=Dovecot, dest=your_email@your_domain.com, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 3



You can test your config while editing the filter file (in CentOS 5.2):

/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds:
bantime = 60


Suggested regexp to catch failed sql-logins:

failregex = dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch