ispCP - Board - Support
fail2ban + dovecot doesn't work - Printable Version

fail2ban + dovecot doesn't work - Catscrash - 11-14-2010 02:52 AM


I am using dovecot instead of courier and can't get fail2ban to work...

I entered this in /etc/fail2ban/jail.conf at the end:

enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/dovecot-info.log
maxretry = 5
findtime = 1200
bantime = 1200

and I created a /etc/fail2ban/filter.d/dovecot-pop3imap.conf:

failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
(?:imap|pop3)-login: Disconnected: user=<.*>, method=(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), rip=(?P<host>\S*), lip
(?:imap|pop3)-login: Aborted login.*user=<.*>, .*rip=(?P<host>\S*),.*

but nothing is happening when attacks are tried like this:

dovecot: Nov 13 14:48:40 Info: pop3-login: Aborted login (0 authentication attempts): rip=, lip=
dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login (1 authentication attempts): user=<webmaster>, method=PLAIN, rip=, lip=
dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login (1 authentication attempts): user=<server>, method=PLAIN, rip=, lip=
dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<oracle>, method=PLAIN, rip=, lip=
dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<data>, method=PLAIN, rip=, lip=
dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<web>, method=PLAIN, rip=, lip=

I don't get a mail (I get mails when someone fails with ssh login) and the attacker isn't banned...

is something about my files?
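
One way to check the three failregex patterns from the post against log lines in the post's format, outside fail2ban (an added example, not part of the original post). The sample lines are constructed: the post shows rip= and lip= empty, so RFC 5737 documentation addresses are filled in as an assumption, and match_line and classify are hypothetical helper names.

```python
import re

# The three failregex patterns from the post, copied unchanged.
# fail2ban reads the address to ban from the named group "host".
FAILREGEX = [
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?:imap|pop3)-login: Disconnected: user=<.*>, method=(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5),"
    r" rip=(?P<host>\S*), lip",
    r"(?:imap|pop3)-login: Aborted login.*user=<.*>, .*rip=(?P<host>\S*),.*",
]

PREFIX = "dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login "
# Constructed sample lines in the post's log format. The addresses are
# documentation addresses (assumption); the last line keeps rip=/lip= empty
# exactly as the post shows them.
SAMPLE_LOG = [
    PREFIX + "(0 authentication attempts): rip=192.0.2.10, lip=198.51.100.1",
    PREFIX + "(1 authentication attempts): user=<webmaster>, method=PLAIN, "
             "rip=192.0.2.10, lip=198.51.100.1",
    PREFIX + "(1 authentication attempts): user=<server>, method=PLAIN, rip=, lip=",
]

def match_line(line, patterns=FAILREGEX):
    """Return (pattern_index, host) for the first pattern that matches, else None."""
    for index, pattern in enumerate(patterns):
        found = re.search(pattern, line)
        if found:
            return index, found.group("host")
    return None

def classify(lines):
    """Sort lines into: host captured, matched with empty host, not matched."""
    result = {"host": [], "empty_host": [], "no_match": []}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            result["no_match"].append(line)
        elif hit[1]:
            result["host"].append(hit)
        else:
            result["empty_host"].append(hit[0])
    return result

if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(key, value)
```

This only exercises the regular expressions; fail2ban also has to recognise the timestamp in each line, which the fail2ban-regex tool shipped with fail2ban checks together with the filter.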