Fail2Ban - CentOS - Dovecot
After looking at my logs I noticed that someone is trying to crack Dovecot. Here is what you need to do to set up Fail2Ban to block the IPs of the attacker.
You will need to create a filter file for Dovecot. The first regex rule I got from the Fail2Ban wiki, and the second is something I came up with:
=========/etc/fail2ban/filter.d/dovecot.conf==========
# Fail2Ban configuration file
#
# Author: Maxim Badran
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# The tag is substituted literally, so it must be written in upper case.
# A second failregex line must be indented so it is read as a continuation.
# Values: TEXT
#
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
            dovecot.*authentication failure.*rhost\=<HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
=======================================
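Before putting the jail into service it is worth checking that the two expressions really match the lines Dovecot and PAM write to /var/log/secure. The following is an added example (not code from the original post or from the Fail2Ban project): it expands the <HOST> tag exactly as the filter comment above describes, runs both failregex patterns over a few constructed log lines, and counts failures per host against a maxretry threshold the way the jail would. The log lines, user names and addresses are constructed for the example (the addresses come from documentation ranges); on a live system the equivalent check is fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf, which ships with Fail2Ban.

```python
import re
from collections import Counter

# Expansion of fail2ban's <HOST> tag, as given in the filter file's comments.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from the dovecot filter above. The tag must be
# written <HOST> in upper case: fail2ban substitutes that exact string, so a
# lower-case <host> would stay in the pattern as literal text and never match.
FAILREGEX = [
    r"dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:",
    r"dovecot.*authentication failure.*rhost\=<HOST>",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_host(line, compiled):
    """Return the host captured by the first failregex that matches the line, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, compiled, maxretry=5):
    """Count matching failures per host and return the hosts at or above maxretry.

    This treats every line as falling inside one findtime window, which is the
    simplification that makes the example self-contained.
    """
    counts = Counter()
    for line in lines:
        host = match_host(line, compiled)
        if host is not None:
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines in the style of /var/log/secure on CentOS: the first
# format is Dovecot's own auth message, the second is PAM's syslog line, and the
# last is a successful login that must not be counted.
SAMPLE_LINES = [
    "Jan 12 10:15:01 mail dovecot: auth(default): pam(alice,203.0.113.5): pam_authenticate() failed: Authentication failure",
    "Jan 12 10:15:03 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=203.0.113.5 user=alice",
    "Jan 12 10:15:05 mail dovecot: auth(default): pam(alice,203.0.113.5): pam_authenticate() failed: Authentication failure",
    "Jan 12 10:15:07 mail dovecot: auth(default): pam(root,203.0.113.5): pam_authenticate() failed: Authentication failure",
    "Jan 12 10:15:09 mail dovecot: auth(default): pam(admin,203.0.113.5): pam_authenticate() failed: Authentication failure",
    "Jan 12 10:16:00 mail dovecot: auth(default): pam(bob,198.51.100.7): pam_authenticate() failed: Authentication failure",
    "Jan 12 10:16:30 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1",
]

COMPILED = compile_failregex(FAILREGEX)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_host(line, COMPILED), "<-", line)
    # With the jail's maxretry of 5, only 203.0.113.5 reaches the threshold.
    print("would ban:", hosts_to_ban(SAMPLE_LINES, COMPILED, maxretry=5))
```

Running the script prints the host each line resolves to (None for the successful login) and the single address that would be banned at maxretry = 5. If a line from your own /var/log/secure resolves to None here, the filter will not count it either, and the failregex needs adjusting before it is useful.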
Now you need to add a new jail to /etc/fail2ban/jail.conf
===================
[dovecot-iptables]
enabled = true
filter = dovecot
action = iptables[name=Dovecot, port=110, protocol=tcp]
         sendmail-whois[name=Dovecot, dest=you@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 5
===================
Note: if POP3 is not using port 110, edit the section above and replace 110 with the POP3 port. The second action line must stay indented so it is read as part of the same action setting. This action only blocks port 110; if Dovecot also serves IMAP or POP3S on other ports, those ports are not covered by this jail.
The last step is to reload the fail2ban rules:
fail2ban-client reload