Saturday, August 30, 2008

Fail2Ban - CentOS - Dovecot

After looking at my logs I noticed that someone is trying to crack Dovecot. Here is what you need to do to set up fail2ban to block the attacker's IPs.

You will need to create a filter file for Dovecot. The first regex rule I got from the fail2ban wiki, and the second is something I came up with:

=========/etc/fail2ban/filter.d/dovecot.conf==========

# Fail2Ban configuration file
#
# Author: Maxim Badran
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
            dovecot.*authentication failure.*rhost\=<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

=======================================

Now you need to add a new jail to /etc/fail2ban/jail.conf

===================
[dovecot-iptables]

enabled = true
filter = dovecot
action = iptables[name=Dovecot, port=110, protocol=tcp]
         sendmail-whois[name=Dovecot, dest=you@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 5

===================
Note: if POP3 is not listening on port 110, edit the section above and replace 110 with the POP3 port.

The last step is to reload the fail2ban rules:
fail2ban-client reload
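Before reloading on a live server it helps to see what the filter above will actually match. The script below is an added example, not part of the original post and not fail2ban's own code: it embeds the dovecot.conf filter from above, expands the <HOST> tag to the alias quoted in the filter's comment, compiles each failregex line, runs a few constructed /var/log/secure lines through them, and reports which hosts would reach the jail's maxretry of 5. The log lines, the 192.0.2.0/24 addresses and the function names are all constructed for the example; findtime is ignored, so it only counts, it does not expire old failures.

```python
"""Dry-run the dovecot fail2ban filter against sample log lines.

Added example (not fail2ban's code): mimics what a jail does with a
filter file: expand <HOST>, compile every failregex line, match each
log line, count failures per host, and list hosts at or above maxretry.
"""
import configparser
import re
from collections import Counter

# fail2ban's alias for the <HOST> tag, as quoted in the filter's comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# /etc/fail2ban/filter.d/dovecot.conf from the post, embedded so the
# script runs offline. The second failregex line is a continuation line
# and must be indented, exactly as in the real file.
FILTER_TEXT = r"""
[Definition]
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
            dovecot.*authentication failure.*rhost\=<HOST>
ignoreregex =
"""

# Constructed sample lines in the shape Dovecot's PAM auth writes to
# /var/log/secure on CentOS. 192.0.2.0/24 is a documentation range.
# Line 2 is the pam_unix form matched by the second regex; line 6 carries
# an IPv4-mapped ::ffff: prefix; the last two lines must NOT match.
SAMPLE_LOG = """\
Aug 30 10:12:01 mail dovecot: auth(default): pam(bob,192.0.2.10): pam_authenticate() failed: Authentication failure
Aug 30 10:12:02 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10 user=bob
Aug 30 10:12:05 mail dovecot: auth(default): pam(bob,192.0.2.10): pam_authenticate() failed: Authentication failure
Aug 30 10:12:09 mail dovecot: auth(default): pam(alice,192.0.2.10): pam_authenticate() failed: Authentication failure
Aug 30 10:12:14 mail dovecot: auth(default): pam(root,192.0.2.10): pam_authenticate() failed: Authentication failure
Aug 30 10:13:00 mail dovecot: auth(default): pam(carol,::ffff:192.0.2.77): pam_authenticate() failed: Authentication failure
Aug 30 10:13:30 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
Aug 30 10:14:00 mail sshd[2211]: Failed password for invalid user test from 192.0.2.99 port 4022 ssh2
"""


def load_filter(filter_text, host_alias=HOST_ALIAS):
    """Parse [Definition] the way fail2ban does: one regex per line of the
    failregex/ignoreregex values, with <HOST> expanded to the host alias.
    Returns (failregex_list, ignoreregex_list) of compiled patterns."""
    cp = configparser.RawConfigParser()
    cp.read_string(filter_text)

    def compile_lines(option):
        compiled = []
        for line in cp.get("Definition", option, fallback="").splitlines():
            line = line.strip()
            if line:
                compiled.append(re.compile(line.replace("<HOST>", host_alias)))
        return compiled

    return compile_lines("failregex"), compile_lines("ignoreregex")


def match_failures(lines, failregex, ignoreregex=()):
    """Return a Counter of host -> number of log lines matched as failures.
    A line matching any ignoreregex is skipped; a line counts at most once."""
    hits = Counter()
    for line in lines:
        if any(r.search(line) for r in ignoreregex):
            continue
        for r in failregex:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached maxretry (findtime not modelled)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    failregex, ignoreregex = load_filter(FILTER_TEXT)
    hits = match_failures(SAMPLE_LOG.splitlines(), failregex, ignoreregex)
    for host, n in hits.most_common():
        print(f"{host}: {n} failed login(s)")
    print("would ban (maxretry=5):", hosts_to_ban(hits, maxretry=5))
```

Running it shows 192.0.2.10 with 5 hits (four from the first regex, one from the pam_unix line via the second) and 192.0.2.77 with 1, with the ::ffff: prefix stripped so the ban would target the plain IPv4 address; the successful login and the sshd line are not counted. On the server itself, fail2ban ships `fail2ban-regex`, so `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf` performs the same check against the real log before you reload.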