WJCarpenter wrote:

Is there any option available for me to help inhibit/prevent brute-force login attempts?

I (and many others) use fail2ban. It works outside of dovecot, et al, by tailing your log files. When it finds a configurable


Just to document that solution. This watches postfix AND dovecot logs since I found botnets slowly trying both alternately.


Create filter.d/mail.conf

>>>>>>>>>>>>>>>>>
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Match:
# Mar  2 15:07:09 mail1 dovecot: auth(default): digest-md5(b...@asdf.com,212.183.136.194): password mismatch
# Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(b...@asdf.com,212.227.250.38): unknown user
# Mar  2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:
#
# Both patterns belong to ONE failregex option: a second "failregex =" key
# would override the first, so the second pattern is an indented continuation.
# The postfix pattern ends at "failed:" (no end-of-line anchor) because postfix
# appends the reason after the colon, as in the Match example above.
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
>>>>>>>>>>>>>>>>>>


Then in jail.conf add lines like:

[mail-iptables]

enabled  = true
filter   = mail
action   = iptables-multiport-log[name=mail, port="smtp,smtps,submission,imap,imaps,pop3,pop3s", protocol=tcp]
           sendmail-whois[name=mail, dest=postmas...@yourdomain.com, sender=fail2...@yourdomain.com]
logpath  = /var/log/mail.log
bantime  = 3600



Hope this helps

Ed W
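As an added example (not from Ed W's post and not fail2ban's own code), a small Python check that does what fail2ban-regex would do with this filter: it expands <HOST> with the alias quoted in the filter header, runs both failregexes over sample log lines and counts failures per host, so you can see which patterns fire before enabling the jail. The sample lines, user names and documentation-range addresses are constructed; the postfix pattern is taken to end at "failed:" since postfix appends a reason after the colon, and the maxretry threshold is an assumed jail setting.

```python
import re

# Alias that fail2ban substitutes for <HOST> (as documented in the filter header).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex patterns from the filter; the postfix one ends at "failed:"
# because postfix appends a reason after the colon.
FAILREGEXES = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:",
    r"dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$",
]

# Constructed sample log lines (documentation-range IPs, example.com users).
SAMPLE_LOG = """\
Mar  2 15:07:09 mail1 dovecot: auth(default): digest-md5(user@example.com,192.0.2.10): password mismatch
Mar  2 15:07:12 mail1 dovecot: auth-worker(default): sql(other@example.com,192.0.2.10): unknown user
Mar  2 15:07:20 mail1 dovecot: auth(default): plain(user@example.com,::ffff:192.0.2.10): password mismatch
Mar  2 14:45:16 mail1 postfix/smtpd[27401]: warning: unknown[192.0.2.55]: SASL PLAIN authentication failed: authentication failure
Mar  2 14:46:00 mail1 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=198.51.100.7
Mar  2 14:46:30 mail1 postfix/smtpd[27402]: connect from unknown[198.51.100.7]
""".splitlines()

def compile_failregexes(patterns=FAILREGEXES):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def match_failures(lines, patterns=FAILREGEXES):
    """Return (host, line) for every line some failregex matches, like fail2ban-regex."""
    compiled = compile_failregexes(patterns)
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break  # one hit per line, whichever pattern fires first
    return hits

def failures_by_host(lines, patterns=FAILREGEXES):
    """Count failures per host; the alias strips ::ffff:, so v4 and mapped v4 merge."""
    counts = {}
    for host, _ in match_failures(lines, patterns):
        counts[host] = counts.get(host, 0) + 1
    return counts

def hosts_to_ban(lines, maxretry=3, patterns=FAILREGEXES):
    """Hosts that reached the (assumed) jail maxretry threshold within the sample."""
    return sorted(h for h, n in failures_by_host(lines, patterns).items() if n >= maxretry)
```

Successful logins and plain connects never match, and the IPv4-mapped dovecot line is credited to the same host as its plain IPv4 lines.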
