Thursday, August 31, 2006

fail2ban, dovecot and brute force attacks

I needed a way to help stop/slow down brute force password attacks on a dovecot pop3 server running on Fedora Core 5. I heard about fail2ban on the dovecot list, it can scan any log file and any time it matches a regex in the log, you can have it block a host using iptables.

When setting fail2ban 0.6.1 up, I also took the tips from The Art of Web ~ System: fail2ban and iptables which adds syslog logging of dropped connection attempts and cleans up the iptables rules a bit.

This regex matches dovecot authentication failures in /var/log/secure:
dovecot.*(?:authentication failure).*rhost=::ffff:(?P<host>\S*)

I also tweaked the SSH failregex to make sure it only matches sshd failures.

You can download my entire configuration file here: fail2ban.conf

5 comments:

Anonymous said...

hi am trying to set up fail2ban but its not banning ftp logins can you send me the regex for vsftp i didnt see it in your fail2ban.conf

Anonymous said...

Hello,

I'm trying to get fail2ban to work with dovecot, but I haven't had luck with the exact regex you recommended, from which I conclude that my log file is in a different format from yours. Any idea what the proper regex for this kind of log entry would be?


dovecot: Dec 29 23:54:43 Info: pop3-login: Disconnected: user=[user@domain.com], method=PLAIN, rip=::ffff:192.168.1.221, lip=::ffff:192.168.1.220


I've been beating my head against a wall for some time now and I just don't "get" regex.

Anonymous said...

In response to anonymous, that log entry looks like it's from maillog, try using the secure log instead.

VPC said...

Maybe a correct regular expresion to be put in /etc/fail2ban/filter.d/dovecot-pop3imap.conf should be the following, so no brute force attacks can shutdown dovecot service ...

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed|Disconnected \(tried to use disabled plaintext auth\)).*rip=(?P\S*),.*
ignoreregex =

AmaRO said...

thnx a lot 4 the information. ! regards from Argentina =)