When setting up fail2ban 0.6.1, I also took the tips from The Art of Web ~ System: fail2ban and iptables, which add syslog logging of dropped connection attempts and tidy up the iptables rules a bit.
This regex matches Dovecot authentication failures in /var/log/secure. The rhost field carries the client as an IPv4-mapped IPv6 address, so the ::ffff: prefix is matched literally and only the dotted quad is captured as host:
dovecot.*(?:authentication failure).*rhost=::ffff:(?P<host>\S*)
I also tweaked the SSH failregex to make sure it only matches sshd failures, not every authentication failure that lands in the same log.
You can download my entire configuration file here: fail2ban.conf
5 comments:
Hi, I am trying to set up fail2ban but it's not banning FTP logins. Can you send me the regex for vsftp? I didn't see it in your fail2ban.conf.
Hello,
I'm trying to get fail2ban to work with dovecot, but I haven't had luck with the exact regex you recommended, from which I conclude that my log file is in a different format from yours. Any idea what the proper regex for this kind of log entry would be?
dovecot: Dec 29 23:54:43 Info: pop3-login: Disconnected: user=[user@domain.com], method=PLAIN, rip=::ffff:192.168.1.221, lip=::ffff:192.168.1.220
I've been beating my head against a wall for some time now and I just don't "get" regex.
In response to Anonymous: that log entry looks like it's from maillog; try using the secure log instead.
Maybe a correct regular expression to put in /etc/fail2ban/filter.d/dovecot-pop3imap.conf would be the following, so that brute-force attacks can't shut down the Dovecot service ...
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed|Disconnected \(tried to use disabled plaintext auth\)).*rip=(?P<host>\S*),.*
ignoreregex =
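The two regexes on this page, the post's /var/log/secure one and the maillog one in the comment above, run over sample log lines the way fail2ban would apply a failregex. This is an added example, not code from the post or from any commenter: the log lines are constructed in the pam_unix and Dovecot 1.x login-log formats (the first maillog line is the one quoted in the thread), and the helper names are mine.

```python
import re

# Regex from the post: Dovecot's PAM failures as pam_unix writes them to /var/log/secure.
# The literal "::ffff:" sits outside the group, so only the dotted quad is captured.
SECURE_FAILREGEX = re.compile(
    r"dovecot.*(?:authentication failure).*rhost=::ffff:(?P<host>\S*)"
)

# Regex from the comment above (named group <host> restored), for Dovecot's own
# login log lines as they appear in maillog.
MAILLOG_FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed"
    r"|Disconnected \(tried to use disabled plaintext auth\)).*rip=(?P<host>\S*),.*"
)

# Constructed sample lines (not captured from a real system).  The first maillog line
# is the format quoted in the comment thread; the others follow the same layout.
SECURE_LINES = [
    "Dec 29 23:54:43 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=::ffff:192.168.1.221  user=alice",
    "Dec 29 23:54:50 mail sshd[2184]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=root",
    "Dec 29 23:55:01 mail dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown",
]

MAILLOG_LINES = [
    "dovecot: Dec 29 23:54:43 Info: pop3-login: Disconnected: user=[user@domain.com], "
    "method=PLAIN, rip=::ffff:192.168.1.221, lip=::ffff:192.168.1.220",
    "dovecot: Dec 29 23:54:47 Info: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<user@domain.com>, method=PLAIN, rip=::ffff:192.168.1.221, lip=::ffff:192.168.1.220",
    "dovecot: Dec 29 23:54:49 Info: imap-login: Disconnected (tried to use disabled "
    "plaintext auth): rip=203.0.113.7, lip=192.168.1.220",
]


def extract_hosts(failregex, lines):
    """Return the <host> captured from each matching line, in log order.

    This mirrors what fail2ban does with a failregex: every match counts as
    one failure attributed to the captured host.
    """
    return [m.group("host") for m in map(failregex.search, lines) if m]


def strip_v4_mapped(host):
    """Reduce an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to its dotted quad."""
    return host[len("::ffff:"):] if host.startswith("::ffff:") else host


def is_bannable(host):
    """True if <host> is a bare dotted quad, which is what an 'iptables -s <host>' rule wants."""
    return re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", host) is not None


if __name__ == "__main__":
    print("secure log:", extract_hosts(SECURE_FAILREGEX, SECURE_LINES))
    print("maillog:", extract_hosts(MAILLOG_FAILREGEX, MAILLOG_LINES))
    # Cross-check of the reply above: the secure-log regex finds nothing in maillog lines.
    print("secure regex on maillog:", extract_hosts(SECURE_FAILREGEX, MAILLOG_LINES))
    for host in extract_hosts(MAILLOG_FAILREGEX, MAILLOG_LINES):
        print(host, "bannable as-is:", is_bannable(host),
              "after stripping ::ffff::", is_bannable(strip_v4_mapped(host)))
```

Two things worth noticing in the output. The plain "Disconnected:" line from the thread matches neither regex, because it is a normal disconnect, not a failed login, so the commenter's regex is not wrong for it; the secure-log regex also finds nothing in maillog-format lines, which is the point of the reply above. Second, the commenter's regex captures the whole "::ffff:192.168.1.221" as host, while the post's regex keeps the ::ffff: literal outside the group. fail2ban passes the captured host to its ban action unchanged, and an iptables -s rule expects a bare IPv4 address, so for the maillog regex either move the prefix outside the group (rip=(?:::ffff:)?(?P<host>\S*),) or expect the ban to fail silently for IPv4-mapped clients.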
Thanks a lot for the information! Regards from Argentina =)