Difference between revisions of "Talk:Dovecot"
Taoteh1221 (talk | contribs) |
|||
| Line 10: | Line 10: | ||
dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*<br> | dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*<br> | ||
<br> | <br> | ||
| + | <br> CentOS 5.2 and Dovecot: <br> | ||
| + | |||
| + | Create file /etc/fail2ban/filter.d/dovecot.conf | ||
| + | <br>failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*) | ||
| + | |||
| + | |||
| + | Add to file /etc/fail2ban/filter.d/jail.conf | ||
| + | <br>[dovecot] | ||
| + | <br>enabled = true | ||
| + | <br>filter = dovecot | ||
| + | <br>action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp] | ||
| + | <br>sendmail-whois[name=Dovecot, dest=your_email@your_domain.com, sender=fail2ban@mail.com] | ||
| + | <br>logpath = /var/log/secure | ||
| + | <br>maxretry = 3 | ||
| + | |||
| + | <br><br> | ||
| + | You can test your config while editing the filter file (in CentOS 5.2):<br> | ||
| + | |||
| + | /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf | ||
| + | <br><br> | ||
| + | |||
| + | Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds: | ||
| + | <br>bantime = 60<br><br> | ||
Revision as of 18:35, 12 October 2008
If you want to catch this:
Aug 29 19:45:13 MyHostName dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=123.123.123.123
Here is the regex:
dovecot.*authentication failure.*rhost\=<host>
To catch lines like:
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5
the regexp is:
dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*
CentOS 5.2 and Dovecot:
Create file /etc/fail2ban/filter.d/dovecot.conf
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
Add to file /etc/fail2ban/filter.d/jail.conf
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
sendmail-whois[name=Dovecot, dest=your_email@your_domain.com, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 3
You can test your config while editing the filter file (in CentOS 5.2):
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds:
bantime = 60
