2010/04/29

Use fail2ban to protect dovecot against brute force attacks

From time to time I find brute force attacks against POP and IMAP in addition to FTP and SSH. The fail2ban version I have ships with brute force protection for ftpd and sshd but not for dovecot. To get the same for dovecot, add the following filter file and jail section under /etc/fail2ban:

/etc/fail2ban/filter.d/dovecot.conf

[Definition]
# <HOST> is fail2ban's placeholder for the remote address; every failregex needs it
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =

/etc/fail2ban/jail.conf

[dovecot-iptables]

enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 5
bantime = 1800
ignoreip = 127.0.0.1

This works quite well: the endless, pointless break-in attempts on port 110 and port 143 are no longer a concern.
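Before enabling the jail it is worth checking that the filter matches the lines it is meant to catch and that the maxretry threshold behaves as expected. The script below is an added example, not part of the original post or of fail2ban itself: it expands <HOST> the way the fail2ban 0.8 series does (an assumption about the version in use), runs the failregex above over a constructed /var/log/secure excerpt, and applies the jail's maxretry=5 within fail2ban's default findtime of 600 seconds. The log lines, addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Expansion of the <HOST> placeholder as used by the fail2ban 0.8 series (assumed
# to be the version the post runs): an optional IPv4-mapped prefix followed by a
# hostname or IPv4 address. The character class has no ':', so a bare IPv6
# address never matches this pattern.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from filter.d/dovecot.conf, as one Python raw string.
FAILREGEX = (
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
    r".* rhost=<HOST>(?:\s+user=\S*)?\s*$"
)


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


FAIL_RE = compile_failregex(FAILREGEX)

# Constructed /var/log/secure excerpt (not from the original post): one slow
# guesser (203.0.113.9), one fast guesser (198.51.100.7), one legitimate login
# and one IPv6 client.
PREFIX = ("dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
          "logname= uid=0 euid=0 tty=dovecot")
SAMPLE_LOG = "\n".join([
    f"Apr 29 09:00:00 mail {PREFIX} ruser=bob rhost=203.0.113.9  user=bob",
    f"Apr 29 09:30:00 mail {PREFIX} ruser=bob rhost=203.0.113.9  user=bob",
    f"Apr 29 10:00:00 mail {PREFIX} ruser=bob rhost=203.0.113.9  user=bob",
    f"Apr 29 10:00:01 mail {PREFIX} ruser=admin rhost=198.51.100.7  user=admin",
    f"Apr 29 10:00:02 mail {PREFIX} ruser=root rhost=198.51.100.7  user=root",
    "Apr 29 10:00:04 mail dovecot: imap-login: Login: user=<alice>, "
    "method=PLAIN, rip=192.0.2.4, lip=192.0.2.1",
    f"Apr 29 10:00:05 mail {PREFIX} ruser=test rhost=198.51.100.7  user=test",
    f"Apr 29 10:00:07 mail {PREFIX} ruser=info rhost=198.51.100.7",
    f"Apr 29 10:00:09 mail {PREFIX} ruser=info rhost=198.51.100.7  user=info",
    f"Apr 29 10:00:10 mail {PREFIX} ruser=bob rhost=2001:db8::1  user=bob",
    f"Apr 29 10:30:00 mail {PREFIX} ruser=bob rhost=203.0.113.9  user=bob",
    f"Apr 29 11:00:00 mail {PREFIX} ruser=bob rhost=203.0.113.9  user=bob",
])


def parse_failure(line):
    """Return (timestamp, host) for a line the filter matches, else None."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    # syslog timestamps carry no year; that is fine for relative comparisons
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return ts, m.group("host")


def count_failures(log_text):
    """Total matched failures per host, ignoring timing."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Apply the jail rule: ban a host once it has maxretry failures within findtime seconds."""
    recent = defaultdict(list)   # host -> timestamps still inside the window
    banned = []                  # in the order the threshold was crossed
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        cutoff = ts - timedelta(seconds=findtime)
        recent[host] = [t for t in recent[host] if t >= cutoff] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    print("hosts to ban (maxretry=5, findtime=600):", hosts_to_ban(SAMPLE_LOG))
```

The slow guesser is never banned under the default findtime because it never reaches five failures inside any 600-second window, while the fast guesser is banned on its fifth attempt; the IPv6 line is not counted at all, since this <HOST> expansion covers hostnames and IPv4 only. Against the live log, fail2ban's own fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf performs the same matching test.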

1 comment:

Michael Mol said...

I'm noticing that fail2ban appears to have modified netfilter using iptables, but not ip6tables, so IPv6 is unaffected. Does this appear to be the case for you?