From: pe...@netsecpt.pt
> Hi , i am having an issue with dovecot , in log files of imap inactivity
> lines have the word included "auth failed" , witch is not true , what happens
> next is that fail2ban is looking for that word too in log file of dovecot
> ,and when it finds it it bans my public ip address .
> Is there any change to change this behavior in dovecot , what i mean is to
> insert "auth failed" when in fact it is an authentication failed , and not
> use it as general for every thing in log file .
Putting aside the semantics that not supplying credentials before the
timeout *is* an auth failure,
I would think the best way to handle this is to change the pattern
fail2ban triggers to be more specific about what it considers an auth
failure. If this is a typical log entry you want to avoid an
automatic ban
dovecot: imap-login: Disconnected: Inactivity (auth failed, 1
attempts in 180 secs): user= ...
I would modify /etc/fail2ban/filter.d/dovecot.conf to limit it to
0-99sec like so
failregex = ...( in \d{1,2} secs)...
Some BFD attempts will leak through but it avoids triggering on any
inactivity >99s.
Joseph Tam <jtam.h...@gmail.com>
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
