From: pe...@netsecpt.pt

> Hi, I am having an issue with dovecot: in the log files, imap inactivity
> lines have the word included "auth failed", which is not true. What happens
> next is that fail2ban is looking for that word too in the dovecot log file,
> and when it finds it, it bans my public IP address.
> Is there any chance to change this behavior in dovecot? What I mean is to
> insert "auth failed" when in fact it is an authentication failure, and not
> use it as a general term for everything in the log file.

Putting aside the semantics that not supplying credentials before the
timeout *is* an auth failure,
I would think the best way to handle this is to change the pattern
fail2ban triggers to be more specific about what it considers an auth
failure.  If this is a typical log entry you want to avoid an
automatic ban

    dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user= ...

I would modify /etc/fail2ban/filter.d/dovecot.conf to limit it to
0-99sec like so

    failregex = ...( in \d{1,2} secs)...

Some BFD attempts will leak through but it avoids triggering on any
inactivity >99s.

Joseph Tam <jtam.h...@gmail.com>
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
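
Added example, not part of the message above and not code from the Dovecot or fail2ban projects: a Python check of what narrowing the pattern to `\d{1,2} secs` changes. The two patterns are hypothetical simplifications (not the failregex shipped in dovecot.conf), `<HOST>` is replaced by an IPv4-only stand-in, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical patterns for illustration only.
BROAD = r"imap-login: .*\(auth failed, \d+ attempts in \d+ secs\):.*rip=<HOST>"
NARROW = r"imap-login: .*\(auth failed, \d+ attempts in \d{1,2} secs\):.*rip=<HOST>"

PREFIX = "Jan 10 09:00:00 mail dovecot: imap-login: "

# Constructed sample lines (documentation address ranges), three per client.
LOG = (
    # Idle client that never sent credentials before the 180 s timeout.
    [PREFIX + "Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): "
              "user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, TLS"] * 3
    # Rapid password guessing, disconnects within seconds.
    + [PREFIX + "Disconnected (auth failed, 3 attempts in 12 secs): "
                "user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1"] * 3
    # Slow guessing that ends in the inactivity timeout.
    + [PREFIX + "Disconnected: Inactivity (auth failed, 2 attempts in 178 secs): "
                "user=<root>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1"] * 3
)


def hits(failregex, lines):
    """Count matching lines per source address, one failure per matching line."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return Counter(m.group("host") for m in map(rx.search, lines) if m)


def would_ban(failregex, lines, maxretry=3):
    """Return the addresses whose failure count reaches maxretry."""
    return sorted(h for h, n in hits(failregex, lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("broad :", would_ban(BROAD, LOG))
    print("narrow:", would_ban(NARROW, LOG))
```

With the narrow pattern the idle client is no longer counted, and neither is the slow source at 178 secs, which is the leak-through the reply mentions.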
