Hi,
I am using Dovecot instead of Courier and can't get fail2ban to work...
I entered this at the end of /etc/fail2ban/jail.conf:
Code:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/dovecot-info.log
maxretry = 5
findtime = 1200
bantime = 1200
and I created a /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Code:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?:imap|pop3)-login: Disconnected: user=<.*>, method=(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), rip=(?P<host>\S*), lip
            (?:imap|pop3)-login: Aborted login.*user=<.*>, .*rip=(?P<host>\S*),.*
but nothing is happening when attacks are tried like this:
Code:
dovecot: Nov 13 14:48:40 Info: pop3-login: Aborted login (0 authentication attempts): rip=111.8.35.19, lip=62.141.42.67
dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login (1 authentication attempts): user=<webmaster>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67
dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login (1 authentication attempts): user=<server>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67
dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<oracle>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67
dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<data>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67
dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<web>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67
I don't get a mail (I get mails when someone fails with ssh login) and the attacker isn't banned...
Is something wrong with my files?
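An added example, not part of the original post: a Python check that runs the three failregex lines from the filter above over the quoted log lines and counts failures per host against the jail's maxretry. It covers the regex stage only and assumes patterns are searched unanchored, as fail2ban does; timestamp detection, logpath and the ban action are not exercised, and the function names are hypothetical.

```python
import re
from collections import Counter

MAXRETRY = 5  # maxretry from the jail section in the post

# The three failregex lines from the post's filter file, copied unchanged.
FAILREGEX = [
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    r"(?:imap|pop3)-login: Disconnected: user=<.*>, method=(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), rip=(?P<host>\S*), lip",
    r"(?:imap|pop3)-login: Aborted login.*user=<.*>, .*rip=(?P<host>\S*),.*",
]
COMPILED = [re.compile(p) for p in FAILREGEX]

# The six log lines quoted in the post.
LOG_LINES = [
    "dovecot: Nov 13 14:48:40 Info: pop3-login: Aborted login (0 authentication attempts): rip=111.8.35.19, lip=62.141.42.67",
    "dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login (1 authentication attempts): user=<webmaster>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67",
    "dovecot: Nov 13 14:48:41 Info: pop3-login: Aborted login (1 authentication attempts): user=<server>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67",
    "dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<oracle>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67",
    "dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<data>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67",
    "dovecot: Nov 13 14:48:42 Info: pop3-login: Aborted login (1 authentication attempts): user=<web>, method=PLAIN, rip=111.8.35.19, lip=62.141.42.67",
]

def match_line(line):
    """Return (pattern index, captured host) for the first pattern that matches, else None."""
    for index, regex in enumerate(COMPILED):
        found = regex.search(line)  # unanchored search, like fail2ban's matcher
        if found:
            return index, found.group("host")
    return None

def failures_per_host(lines):
    """Count matching lines per captured host."""
    counts = Counter()
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[1]] += 1
    return counts

def hosts_over_threshold(lines, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (all sample lines fall within findtime)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

if __name__ == "__main__":
    for line in LOG_LINES:
        print(match_line(line), "<-", line[9:24])
    print("hosts at or over maxretry:", hosts_over_threshold(LOG_LINES))
```

The line with "0 authentication attempts" matches none of the three patterns because it carries no user=<...> field; the other five match the third pattern.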