Bingo!
Thanks, working now
On 10/5/13, Noel Butler wrote:
> On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
>> For dovecot 2.1
>>
>> as per wiki2, is this still valid? noticed a problem before and saw
>> it does seem to be triggering, I use:
>>
>
> looks outdated
>
>> filter.d/dovecot.
Thanks I have already fixed this as with my reply to Noel, his suggestion works
and, as with like your example which is same as Noel's first, and as he
correctly it seems mentions with my tests with fail2ban-regex, it only
sees TLS, the deadbeats trying to brute force me, never seem to use
that, so
On 04/10/2013 1:47 AM, Nick Edwards wrote:
filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication
failure|Aborted login \(auth failed|Aborted login \(tried to use
disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
The following is included w
On Fri, 2013-10-04 at 21:55 +0200, Gordon Grubert wrote:
> >
>
> this is no problem of dovecot. Nevertheless, for analysis, you can use
> fail2ban-regex when applying your filter to your logfile.
>
Kind of right, but the dovecot wiki apparently contains wrong
information, so I think its fai
On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
> For dovecot 2.1
>
> as per wiki2, is this still valid? noticed a problem before and saw
> it does seem to be triggering, I use:
>
looks outdated
> filter.d/dovecot.conf
That'll never work, you need to change
> [Definition]
> failrege
Hi,
On 10/04/2013 07:47 AM, Nick Edwards wrote:
> For dovecot 2.1
>
> as per wiki2, is this still valid? noticed a problem before and saw
> it does seem to be triggering, I use:
>
> maxretry = 6
> findtime = 600
> bantime = 3600
>
> and there was like, 2400 hits in 4 minutes, it is pointing t
On 04/10/2013 1:47 AM, Nick Edwards wrote:
For dovecot 2.1
as per wiki2, is this still valid? noticed a problem before and saw
it does seem to be triggering, I use:
maxretry = 6
findtime = 600
bantime = 3600
and there was like, 2400 hits in 4 minutes, it is pointing to the
correct log file,
For dovecot 2.1
as per wiki2, is this still valid? noticed a problem before and saw
it does seem to be triggering, I use:
maxretry = 6
findtime = 600
bantime = 3600
and there was like, 2400 hits in 4 minutes, it is pointing to the
correct log file, but I am no expert with fail2ban, so not sure
hi
this filter is from dovecot wiki.
best regards.
On 12/08/2013 23:38, Laurent Papier wrote:
> On Mon, 12 Aug 2013 22:50:15 +0200
> Aldo Reset wrote:
>
>> hi
>>
>> dovecot filter for fail2ban does not match:
>>
>> dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth):
On Mon, 12 Aug 2013 22:50:15 +0200
Aldo Reset wrote:
> hi
>
> dovecot filter for fail2ban does not match:
>
> dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth):
> user=<>, rip=67
>
> dovecot filter:
> failregex = (?: pop3-login|imap-login): (?:Authentication failure|Ab
hi
dovecot filter for fail2ban does not match:
dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth):
user=<>, rip=67
dovecot filter:
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login
\(auth failed|Aborted login \(tried to use disabled|Disconne
Hello Mark (and others),
On 16-07-13 05:00, Mark Sapiro wrote:
> On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
>>
>> Are you blocked when you login a few times with a wrong password?
>>
>> I expect your log will say something like "auth failed, 22 attempts in
>> 30 secs", and fail2ban will see
On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
>
> Are you blocked when you login a few times with a wrong password?
>
> I expect your log will say something like "auth failed, 22 attempts in
> 30 secs", and fail2ban will see that as 1 authentications error, so will
> not block you.
I am bloc
On 14-07-13 20:52, Mark Sapiro wrote:
> On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
>> Hello,
>>
>> Dovecot is logging authentication failures this way:
>> --
>> Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
>> attempts in 172 secs): user=, method=PLAIN, rip=82.95
On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
> Hello,
>
> Dovecot is logging authentication failures this way:
> --
> Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
> attempts in 172 secs): user=, method=PLAIN, rip=82.95.148.152,
> lip=1.2.3.4, TLS, session=
>
Hello,
Dovecot is logging authentication failures this way:
--
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
attempts in 172 secs): user=, method=PLAIN, rip=82.95.148.152,
lip=1.2.3.4, TLS, session=
--
Fail2ban is trying to catch them with this regex:
--
fail
On 6/10/2010 5:38 PM, fakessh wrote:
hi dovecot network
the principle of fail2ban is repeated for connections with the same login
fail2ban does not work if the attack changes to login every time
this type of attack is rather to find valid user accounts
I may be wrong, I hope I too am a victim
My regex to fail2ban for dovecot 2.0beta5 in user in sql base work like
this!
failregex = dovecot: auth: sql.*,.*: Password mismatch
> dovecot: auth: sql.*,.*: unknown user
>
And if you use smtp-auth in postfix truth dovecot here it is my regex for it
failregex = warning:.*\[.*:
Yeah, you're wrong. With regexp, you can have fail2ban ignore any part of the
log
file, as in ANYTHING containing text around anything will be caught. You
can have fail2ban ban every ip address that shows up in the log!
On 6/10/2010 5:38 PM, fakessh wrote:
"hi dovecot network
the principle o
I have fail2ban working for EVERYTHING else except dovecot. I have tried
using my own custom regex in conjunction with the regex on the
dovecot.org site. Neither are picked up by fail2ban and I'm trying to
use an imminent attack against dovecot, going on now, to my advantage to
see when I get th
hi dovecot network
the principle of fail2ban is repeated for connections with the same login
fail2ban does not work if the attack changes to login every time
this type of attack is rather to find valid user accounts
I may be wrong, I hope I too am a victim of this kind of attacks
On Thu, 10 Ju
On Thu, Jun 10, 2010 at 5:38 PM, fakessh wrote:
> hi dovecot network
>
> the principle of fail2ban is repeated for connections with the same login
> fail2ban does not work if the attack changes to login every time
> this type of attack is rather to find valid user accounts
>
>
> I may be wrong, I
On 11:59 AM, Jerrale Gayle wrote:
> I have fail2ban working for EVERYTHING else except dovecot. I have tried
> using my own custom regex in conjunction with the regex on the
> dovecot.org site. Neither are picked up by fail2ban and I'm trying to
> use an imminent attack against dovecot, going on now
On Sun, 2009-05-17 at 15:28 -0400, Lou Duchez wrote:
> > Yeah. I don't know what I was thinking when I made it work like that.
> >
> I know what you were thinking: if dovecot is writing to a log such as
> "mylogfile.log", and other utilities are also writing to
> "mylogfile.log", it's good to
Timo Sirainen wrote:
> On Mon, 2009-05-11 at 14:48 -0700, Bill Landry wrote:
>>> If you log via syslog, the timestamp will be at the beginning of line.
>>
>> Well, then that would explain it. Maybe it would be a good idea then to
>> remove the "dovecot: " from the beginning of each log line when n
Yeah. I don't know what I was thinking when I made it work like that.
I know what you were thinking: if dovecot is writing to a log such as
"mylogfile.log", and other utilities are also writing to
"mylogfile.log", it's good to know which lines are dovecot.
But I am satisfied with using sy
On Mon, 2009-05-11 at 14:48 -0700, Bill Landry wrote:
> > If you log via syslog, the timestamp will be at the beginning of line.
>
> Well, then that would explain it. Maybe it would be a good idea then to
> remove the "dovecot: " from the beginning of each log line when not
> using syslog for log
Ed W wrote:
Just when I think I've achieved ultimate perfection on this, someone
comes along with a great idea. Thanks!
...
action = iptables-multiport[name=smtppop3imap,
port="smtp,pop3,imap", protocol=tcp]
Can I suggest the name "mail" would summarise the stack of items above?
Did you
Just when I think I've achieved ultimate perfection on this, someone
comes along with a great idea. Thanks!
...
action = iptables-multiport[name=smtppop3imap,
port="smtp,pop3,imap", protocol=tcp]
Can I suggest the name "mail" would summarise the stack of items above?
Did you test this - i
Ed W wrote:
Lou Duchez wrote:
So any failure at any of the three protocols (SMTP, POP3, IMAP) is
considered a "strike" by all three, and they should all ban the same
guys at the same time. This is as yet untested, but seems like it
should be pretty sound.
I think you only need one service
Lou Duchez wrote:
Ed W wrote:
Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and
also to allow a high number of errors before temporarily "jailing" a
user. This is to decrease the likelihood that a single user from a
single IP will get all his coworkers (tem
Lou Duchez wrote:
So any failure at any of the three protocols (SMTP, POP3, IMAP) is
considered a "strike" by all three, and they should all ban the same
guys at the same time. This is as yet untested, but seems like it
should be pretty sound.
I think you only need one service and you can u
Ed W wrote:
Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and
also to allow a high number of errors before temporarily "jailing" a
user. This is to decrease the likelihood that a single user from a
single IP will get all his coworkers (temporarily) banned ov
Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and
also to allow a high number of errors before temporarily "jailing" a
user. This is to decrease the likelihood that a single user from a
single IP will get all his coworkers (temporarily) banned over an
honest
On Mon, 11 May 2009 15:56:45 -0400
Lou Duchez wrote:
> Hi,
>
> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log? Fail2Ban responds poorly to it. I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried the
Maybe there could be a page in the dovecot wiki about Fail2Ban? A
definitive Dovecot / Fail2ban resource would be useful. (If nobody
else creates one in a week, perhaps I will. But I have to perfect my
Fail2banning first ...)
I couldn't figure out how to add new pages to wiki.doveco
On Mon, 11 May 2009, Bill Landry wrote:
Well, then that would explain it. Maybe it would be a good idea then to
remove the "dovecot: " from the beginning of each log line when not
using syslog for logging, since I'm pretty sure that anyone checking
be there could be a page in the dovecot wiki about Fail2Ban? A
definitive Dovecot / Fail2ban resource would be useful. (If nobody else
creates one in a week, perhaps I will. But I have to perfect my
Fail2banning first ...)
Thanks, guys, for helping me out!
Timo Sirainen wrote:
> On Mon, 2009-05-11 at 17:15 -0400, Lou Duchez wrote:
>> Re: the "dovecot: " at the beginning of the line in the log. I should
>> mention that other applications encounter a similar issue with Fail2Ban
>> -- for example, if you're running Asterisk, you have to alter the log
On Mon, 2009-05-11 at 17:15 -0400, Lou Duchez wrote:
> Re: the "dovecot: " at the beginning of the line in the log. I should
> mention that other applications encounter a similar issue with Fail2Ban
> -- for example, if you're running Asterisk, you have to alter the log
> format such that the t
Re: the "dovecot: " at the beginning of the line in the log. I should
mention that other applications encounter a similar issue with Fail2Ban
-- for example, if you're running Asterisk, you have to alter the log
format such that the timestamp is at the beginning of the line:
http://www.voip-i
Original Message
> Date: Mon, 11 May 2009 15:56:45 -0400
> From: Lou Duchez
> To: dovecot@dovecot.org
> Subject: [Dovecot] Fail2Ban and the Dovecot log
> Hi,
>
Hello
> Is there any way to disable the "dovecot: " at the beginning of eac
Bill Landry wrote:
> Lou Duchez wrote:
>
>> Is there any way to disable the "dovecot: " at the beginning of each
>> line of the log? Fail2Ban responds poorly to it. I know there are a
>> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
>> I've tried them all, and they don't
Lou Duchez wrote:
> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log? Fail2Ban responds poorly to it. I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried them all, and they don't work, at least with the la
Hi,
Is there any way to disable the "dovecot: " at the beginning of each
line of the log? Fail2Ban responds poorly to it. I know there are a
number of sites with "failregex" strings for Fail2Ban and Dovecot, but
I've tried them all, and they don't work, at least with the latest
Fail2ban and
45 matches