Using Fail2Ban it is possible to keep brute-force attackers out: it watches the mail log for failed login attempts and temporarily blocks the IP address they come from.
apt-get install fail2ban
Create the file /etc/fail2ban/filter.d/dovecot-pop3imap.conf and add the following lines:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
This adds a regular expression telling fail2ban what a failed login attempt looks like; the named group host captures the remote IP address (the rip= field in Dovecot's log line), which is the address fail2ban will ban.
Edit /etc/fail2ban/jail.conf. First enable the postfix section by setting enabled = true:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
Then add a section for the dovecot configuration we created earlier:
[dovecot-pop3imap]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot-pop3imap
logpath = /var/log/mail.log
Restart fail2ban:
service fail2ban restart
To check if everything is working fine, you can wait for attackers to show up, or you can create some fake log entries:
logger -p mail.info -t dovecot "imap-login: Aborted login (auth failed, 2 attempts): user=<dummyuser>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4, TLS"
Running this command at least 3 times in 10 minutes will trigger fail2ban to block the IP address 10.20.30.40. The logfile /var/log/fail2ban.log should then contain a line like this:
fail2ban.actions: WARNING [dovecot-pop3imap] Ban 10.20.30.40
Alternative settings
If the above settings do not work, try the following instead:
In the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
And in /etc/fail2ban/jail.conf:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 20
findtime = 1200
bantime = 1200
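To check the filter and the jail thresholds without waiting for real attackers (the test procedure with the logger command above) and to see what the alternative maxretry/findtime values change, the following added Python script (not part of this page or of fail2ban itself) applies the page's failregex to a few constructed mail.log lines and then replays fail2ban's counting rule: a host is banned once it has maxretry matches within findtime seconds. The constructed log sample, the year 2024 assumed for the syslog timestamps, and the defaults maxretry=3 and findtime=600 (taken from the text's "3 times in 10 minutes") are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# The failregex from the filter file above, written as a Python pattern.
# fail2ban is itself written in Python and reads the banned address from
# the named group "host".
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Constructed /var/log/mail.log sample: three copies of the fake entry the
# `logger` command writes, one pop3 failure from another host, and one
# successful login that must NOT be counted.
SAMPLE_LOG = """\
Mar  3 10:00:01 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<dummyuser>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4, TLS
Mar  3 10:02:15 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.7, lip=1.2.3.4, TLS
Mar  3 10:03:30 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<dummyuser>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4, TLS
Mar  3 10:05:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=1.2.3.4
Mar  3 10:07:45 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<dummyuser>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4, TLS
"""


def failures(log_text, year=2024):
    """Return (timestamp, host) for every log line the failregex matches."""
    events = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; assume one so we can do arithmetic
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("host")))
    return events


def banned_hosts(events, maxretry=3, findtime=600):
    """Hosts that reach maxretry failures inside a sliding findtime window."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = set()
    for ts, host in sorted(events):
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    events = failures(SAMPLE_LOG)
    for ts, host in events:
        print(f"{ts:%H:%M:%S} failed login from {host}")
    print("default jail (3 in 600s) bans:", banned_hosts(events))
    print("alternative jail (20 in 1200s) bans:",
          banned_hosts(events, maxretry=20, findtime=1200))
```

With the sample above the successful login is ignored, 10.20.30.40 reaches three failures within 600 seconds and is banned under the default jail, and nothing is banned under the alternative settings, which need 20 failures within 1200 seconds. On a real server the same check against the live log is done with fail2ban's own tool: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf.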