2007/09/05

Protecting brute force attack on dovecot by fail2ban

Some bad guys tried thousands of times to guess POP user accounts and passwords. I decided that brute-force attacks on dovecot should be banned in the same way as I had already done for vsftpd. To set up the protection, the following lines were added to /etc/fail2ban/jail.conf (the second action line is indented because jail.conf treats an indented line as a continuation of the previous value):

[pop-iptables]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
filter = pop
action = iptables[name=pop, port=pop, protocol=tcp]
         sendmail-whois[name=pop, dest=root]
logpath = /var/log/secure
maxretry = 5

Fail2ban reported a failure while setting up the fail2ban-pop chain. The mistake was that there is no port called pop in /etc/services: the iptables action builds a rule with --dport pop, iptables resolves service names through /etc/services, and the rule (and with it the chain setup) fails when the name is unknown. The correct service name is pop3, not pop. What a careless mistake I had made. After revising the section as follows, fail2ban started successfully and a test confirmed that attacks on dovecot were banned:

[pop3-iptables]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
filter = pop3
action = iptables[name=pop3, port=pop3, protocol=tcp]
         sendmail-whois[name=pop3, dest=root]
logpath = /var/log/secure
maxretry = 5
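To make the two halves of this setup concrete, here is an added example (not code from the original post, and not fail2ban's own source) that does in a few lines what the jail above asks fail2ban to do: it runs a dovecot failregex over log lines, counts failures per source address, bans after maxretry, and checks that the port name given to the iptables action will actually resolve before emitting the chain setup. The log lines are constructed in the dovecot 1.x syslog format, the failregex is an assumed one in fail2ban's style (the post does not show the author's filter.d/pop3.conf), and the <HOST> expansion is a simplified IPv4-only version of fail2ban's. The iptables commands mirror fail2ban's stock iptables action; the port check uses socket.getservbyname, which consults /etc/services just as iptables does for --dport names.

```python
"""Mini fail2ban for the pop3 jail: failregex over log lines, ban after
maxretry, and a port-name check before the iptables chain is created."""
import re
import socket
from collections import Counter

# Constructed sample lines in dovecot 1.x syslog format (not the author's log):
# 203.0.113.7 fails five times, 198.51.100.4 fails once, and one login succeeds.
SAMPLE_LOG = """\
Sep  5 10:01:12 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Sep  5 10:01:15 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Sep  5 10:01:18 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Sep  5 10:01:20 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Sep  5 10:01:23 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Sep  5 10:01:25 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<guest>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Sep  5 10:01:27 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""

# Assumed failregex in fail2ban style; <HOST> is fail2ban's placeholder for the
# offending address. This is for illustration, not the author's filter.d/pop3.conf.
FAILREGEX = (r"dovecot: pop3-login: Aborted login \(auth failed, \d+ attempts\): "
             r"user=<[^>]*>, method=\S+, rip=<HOST>,")

# Simplified, IPv4-only expansion of <HOST> (fail2ban's real one is broader).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(regex):
    """Expand the <HOST> tag into a named group, as fail2ban does at load time."""
    return re.compile(regex.replace("<HOST>", HOST_RE))


def count_failures(log, regex=FAILREGEX):
    """Count failregex matches per source address over the given log text."""
    pattern = compile_failregex(regex)
    hits = Counter()
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log, maxretry=5, regex=FAILREGEX):
    """Addresses that reached maxretry failures (findtime window ignored here)."""
    return sorted(h for h, n in count_failures(log, regex).items() if n >= maxretry)


def resolve_port(port, protocol="tcp"):
    """Numeric port for a number or an /etc/services name, or None if unknown.
    iptables resolves --dport names the same way, so an unknown name such as
    'pop' makes the chain setup fail; 'pop3' resolves to 110 on a standard
    /etc/services."""
    if port.isdigit():
        return int(port)
    try:
        return socket.getservbyname(port, protocol)
    except OSError:
        return None


def actionstart_commands(name, port, protocol="tcp"):
    """Commands equivalent to fail2ban's iptables 'actionstart', after checking
    that the port will resolve. Raises ValueError for a name like 'pop'."""
    if resolve_port(port, protocol) is None:
        raise ValueError(f"port {port!r} is not in /etc/services; use 'pop3' or 110")
    chain = f"fail2ban-{name}"
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j RETURN",
        f"iptables -I INPUT -p {protocol} --dport {port} -j {chain}",
    ]


def actionban_command(name, host):
    """Equivalent of fail2ban's iptables 'actionban' for one address."""
    return f"iptables -I fail2ban-{name} 1 -s {host} -j DROP"


if __name__ == "__main__":
    for cmd in actionstart_commands("pop3", "pop3"):
        print(cmd)
    for host in hosts_to_ban(SAMPLE_LOG, maxretry=5):
        print(actionban_command("pop3", host))
    try:
        actionstart_commands("pop", "pop")
    except ValueError as err:
        print("rejected:", err)
```

With the sample above only 203.0.113.7 reaches maxretry, so a single DROP rule is generated for it, while port=pop is rejected before any iptables command is built, which is the failure the original jail ran into. On a real system the equivalent check for a new filter is `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/pop3.conf`, and `getent services pop3` confirms that the port name in the action line resolves.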
