Thursday, August 31, 2006

fail2ban, dovecot and brute force attacks

I needed a way to help stop or slow down brute-force password attacks on a dovecot pop3 server running on Fedora Core 5. I heard about fail2ban on the dovecot list: it can scan any log file and, each time a line matches one of its regexes, block the originating host using iptables.

When setting fail2ban 0.6.1 up, I also took the tips from The Art of Web ~ System: fail2ban and iptables, which add syslog logging of dropped connection attempts and clean up the iptables rules a bit.

This regex matches dovecot authentication failures in /var/log/secure:
dovecot.*(?:authentication failure).*rhost=::ffff:(?P<host>\S*)
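
To see what that failregex actually catches, here is an added example (not part of the original post or of fail2ban itself) that runs the same pattern over a few constructed /var/log/secure-style lines and counts failures per rhost the way fail2ban's maxretry threshold does. fail2ban is written in Python and evaluates failregex with the re module, so the (?P<host>...) group works unchanged; the sample lines, hostnames and addresses are made up, and the example also shows that a line whose rhost lacks the ::ffff: prefix is not matched by this pattern.

```python
import re
from collections import Counter

# The failregex from the post, compiled as a Python re pattern.
FAILREGEX = re.compile(
    r"dovecot.*(?:authentication failure).*rhost=::ffff:(?P<host>\S*)"
)

# Constructed sample lines in the style dovecot's PAM auth writes to
# /var/log/secure on Fedora Core 5; none of these are real log data.
SAMPLE_LOG = """\
Aug 31 10:15:22 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=::ffff:192.0.2.10  user=bob
Aug 31 10:15:23 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=::ffff:192.0.2.10  user=bob
Aug 31 10:15:25 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=::ffff:192.0.2.10  user=alice
Aug 31 10:15:30 mail sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::ffff:198.51.100.7  user=root
Aug 31 10:15:31 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=carol rhost=198.51.100.9  user=carol
Aug 31 10:15:40 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=::ffff:203.0.113.4, lip=::ffff:192.0.2.1
"""


def failures_per_host(log_text: str) -> Counter:
    """Count dovecot authentication failures per rhost using the post's failregex.

    The sshd line is skipped because the pattern requires 'dovecot', the
    successful pop3-login line because it lacks 'authentication failure',
    and the plain-IPv4 rhost line because the pattern requires '::ffff:'.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text: str, maxretry: int = 3) -> list:
    """Hosts that reached maxretry failures, i.e. what fail2ban would hand to iptables."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))   # Counter({'192.0.2.10': 3})
    print(hosts_to_ban(SAMPLE_LOG))        # ['192.0.2.10']
```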

I also tweaked the SSH failregex to make sure it only matches sshd failures.

You can download my entire configuration file here: fail2ban.conf