Blocking brute force pop3 attempts with fail2ban

Brute force SSH attempts have dropped to zero since changing the port from the default to a non-standard one. Even though Denyhosts was working just fine for SSH, now it’s not even needed.
However, the brute force pop3 attempts were showing up fairly often – huge log bursts of failed attempt after failed attempt all from one ip address.
So I installed fail2ban to handle this.
I added the following to /etc/fail2ban/jail.conf

[dovecot-pop3imap]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=DOVECOT, dest=my_email, sender=fail2ban@my_domain]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 6000

and in the /etc/fail2ban/filter.d/ folder I added a file dovecot.conf like this:

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

and tested it out with good success (the ip was blocked after 5 failed attempts):

$ telnet my_ip 110
Trying my_ip ...
Connected to my_ip.
Escape character is '^]'.
+OK Dovecot ready.
user any
+OK
pass 44
-ERR Authentication failed.
quit
$

and after doing that 5 times, this appears in the fail2ban log:

2010-12-30 10:28:34,269 fail2ban.actions: WARNING [dovecot-pop3imap] Ban my_remote_ip

and I can't connect from my_remote_ip any more, but restarting fail2ban unblocked me right away.
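To see what the filter and the jail settings above actually do together, here is an added example (not part of the original post or of fail2ban itself) that runs the dovecot.conf failregex over some constructed maillog lines and replays fail2ban's maxretry/findtime counting. The log lines, IP addresses and the 2010 year are assumptions for the sample data; the regex and the jail numbers are the ones from the post, with fail2ban's required (?P<host>...) group in place.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex from the post's dovecot.conf; fail2ban needs the (?P<host>...) group
# to learn which IP to ban.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)
MAXRETRY, FINDTIME = 5, 600  # the jail.conf settings from the post (findtime in seconds)

# Constructed maillog lines (syslog format; addresses are documentation ranges).
SAMPLE_LOG = """\
Dec 30 10:20:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Dec 30 10:21:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Dec 30 10:22:09 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Dec 30 10:23:14 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Dec 30 10:24:20 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Dec 30 10:28:34 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Dec 30 10:40:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Dec 30 10:45:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Dec 30 10:50:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Dec 30 10:55:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Dec 30 11:00:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<any>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
"""


def bans_for_log(text, maxretry=MAXRETRY, findtime=FINDTIME, year=2010):
    """Replay fail2ban's counting: ban an IP once it has maxretry matching
    failures inside any findtime-second window. Returns {ip: timestamp of ban}."""
    recent = defaultdict(list)  # ip -> timestamps of failures still in the window
    banned = {}
    for line in text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        ip = m.group("host")
        # syslog timestamps carry no year; the caller supplies one (constructed data: 2010)
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        recent[ip] = window
        if ip not in banned and len(window) >= maxretry:
            banned[ip] = line[:15]
    return banned


if __name__ == "__main__":
    for ip, when in bans_for_log(SAMPLE_LOG).items():
        print(f"[dovecot-pop3imap] Ban {ip} (at {when})")
```

The second address makes five failures too, but spread over 20 minutes, so with findtime = 600 it never has five inside one window and is left alone; the first address hits five within 600 seconds and is banned on its fifth line.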

I’ll see how it works “in the wild” and probably disable the email notifications once all is well. Looking forward to a few fail2ban’s in the log instead of thousands of pop3 authentication failures.
