Added on Jun 28th, 2012. Tags: fail2ban, log, security, server

Using Fail2Ban it is possible to keep brute-force attackers out: it watches the mail log for failed logins and blocks the offending source address with a firewall rule for a while.

apt-get install fail2ban

Create the file /etc/fail2ban/filter.d/dovecot-pop3imap.conf and add the following lines:

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

This adds a regular expression telling fail2ban what a failed login attempt looks like. The named group host captures the remote address (the rip= field in Dovecot's log line); that is the address fail2ban will ban.

Edit /etc/fail2ban/jail.conf (or, better, put the jail sections in /etc/fail2ban/jail.local, which overrides jail.conf and is not overwritten on package upgrades). First enable the postfix jail by setting enabled = true:

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

Then add a jail section for the Dovecot filter created above:

[dovecot-pop3imap]

enabled  = true
port     = pop3,pop3s,imap,imaps
filter   = dovecot-pop3imap
logpath  = /var/log/mail.log

Restart fail2ban:

service fail2ban restart

To check if everything is working, you can wait for attackers to show up, or you can create some fake log entries. (A quieter check first: fail2ban-regex, given /var/log/mail.log and the filter file, reports which lines the failregex matches without banning anything.)

logger -p mail.info -t dovecot "imap-login: Aborted login (auth failed, 2 attempts): user=<dummyuser>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4, TLS"

With the default jail settings (maxretry = 3, findtime = 600), running this command at least 3 times within 10 minutes will trigger fail2ban to ban the IP address 10.20.30.40 for the default bantime of 600 seconds. The ban is a real firewall rule, so use an address you do not need to reach the server from. The logfile /var/log/fail2ban.log should then contain a line like this:

fail2ban.actions: WARNING [dovecot-pop3imap] Ban 10.20.30.40
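The following is an added example, not part of the original article or of fail2ban itself. It runs the failregex above over a few constructed mail.log lines and replays the jail's decision (maxretry failures within a sliding findtime window), so you can see which lines count as failures, which address gets banned, and how the stricter default threshold and the laxer "alternative settings" below (20 failures in 1200 seconds) differ on the same input. fail2ban filters are Python regular expressions, so the pattern is used unchanged.

```python
import re
from datetime import datetime, timedelta

# The failregex from /etc/fail2ban/filter.d/dovecot-pop3imap.conf, verbatim.
# (?P<host>...) is the named group fail2ban uses to extract the address to ban.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Constructed sample of /var/log/mail.log (syslog format); not from a real host.
# Line 2 is a successful login and line 5 is a Postfix SASL failure: neither
# should match this Dovecot filter.
SAMPLE_LOG = """\
Jun 28 10:00:01 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<dummyuser>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4, TLS
Jun 28 10:01:15 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.7, lip=1.2.3.4, TLS
Jun 28 10:02:30 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=10.20.30.40, lip=1.2.3.4
Jun 28 10:04:02 mail dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): rip=10.20.30.40, lip=1.2.3.4
Jun 28 10:05:00 mail postfix/smtpd[1234]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
Jun 28 10:30:00 mail dovecot: imap-login: Authentication failure: user=<carol>, rip=192.0.2.7, lip=1.2.3.4
"""


def parse_failures(log_text):
    """Return [(timestamp, host)] for every line the failregex matches.

    The syslog timestamp (first 15 characters, e.g. 'Jun 28 10:00:01') carries
    no year; that is enough for the relative time arithmetic done below.
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        failures.append((stamp, m.group("host")))
    return failures


def find_bans(log_text, maxretry=3, findtime=600):
    """Replay the jail's decision: ban a host once it has maxretry failures
    inside a sliding window of findtime seconds.

    Defaults are the fail2ban 0.8 defaults the article relies on
    (maxretry = 3, findtime = 600); the "alternative settings" jail
    corresponds to maxretry=20, findtime=1200. Each host is banned at most
    once here; bantime/expiry is not modelled.
    """
    window = timedelta(seconds=findtime)
    recent = {}      # host -> failure timestamps still inside the window
    banned = set()
    bans = []        # (host, timestamp of the failure that triggered the ban)
    for stamp, host in parse_failures(log_text):
        times = [t for t in recent.get(host, []) if stamp - t <= window]
        times.append(stamp)
        recent[host] = times
        if len(times) >= maxretry and host not in banned:
            banned.add(host)
            bans.append((host, stamp.strftime("%b %d %H:%M:%S")))
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG):
        # Same shape as the fail2ban.log line shown in the article.
        print("fail2ban.actions: WARNING [dovecot-pop3imap] Ban %s (at %s)" % (host, when))
```

With the defaults, 10.20.30.40 collects its third failure at 10:04:02 (within 600 seconds of the first) and is banned; 192.0.2.7 has a single failure and is left alone. With maxretry=20 the same log produces no ban at all, which is the trade-off the alternative settings make: far fewer false positives for users who mistype a password, at the cost of letting a slow attacker try 19 passwords per 20 minutes.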

Alternative settings

If the above settings do not work, you might try the following. The filter is the same regular expression; what changes is the jail section: an explicit iptables-multiport action for the pop3 and imap ports, and a laxer threshold of 20 failures within 1200 seconds (20 minutes), with bans also lasting 1200 seconds.

In the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

And in /etc/fail2ban/jail.conf:

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 20
findtime = 1200
bantime = 1200

Background information