fail2ban + pop3 + imap

How to register unsuccessful logins on SquirrelMail webmail:
In file /etc/fail2ban/jail.conf we add the following jail section (the [imap-login] header and the indented second action line are required by fail2ban's config format):
[imap-login]
enabled = true
filter = imap-login
action = iptables-multiport[name=BadBots, port="http,https,pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-buffered[name=BadBots, lines=5, dest=admin-postmaster@moj.domen]
logpath = /var/log/messages
maxretry = 3

We create file /etc/fail2ban/filter.d/imap-login.conf (fail2ban expects the [INCLUDES] and [Definition] sections, and the <HOST> tag marks where the client address is captured for banning):
[INCLUDES]
before = common.conf

[Definition]
_daemon = (?:ipop3d|imapd)
failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures) user=\S* auth=\S* host=.*\[<HOST>\]\s*$
ignoreregex =

This is used to capture a log entry like this one (the client address normally printed inside the square brackets is left blank in these samples; the <HOST> tag in the regex captures it):
Jan 16 13:07:00 mail-server imapd[30041]: Login failed user=user1 auth=user1 []
Or:
Jan 16 13:26:53 mail-server pop(pam_unix)[30585]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=user1
Jan 16 13:26:56 mail-server ipop3d[30585]: Login failed user=user1 auth=user1 host=[]

So if someone tries to log in to webmail and fails more than 3 times, http(s) access to the server is blocked for 600 seconds (the default bantime); in the second case, a failed login over pop3 (Outlook and similar clients), access on the pop3 port is banned for 600 seconds for the IP from which the failed login was attempted.
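To check that the failregex really matches the daemon's lines and counts failures per client before the jail is enabled, here is an added example (not fail2ban's own code and not from the original post) that re-implements the matching and maxretry counting in Python. The PREFIX_LINE pattern is a simplified stand-in for common.conf's __prefix_line (real fail2ban strips the timestamp with its date detector first), the HOST group stands in for fail2ban's <HOST> tag (IPv4 only), and the sample log lines and their addresses are constructed for the demo.

```python
import re
from collections import Counter

# Simplified stand-in for %(__prefix_line)s from common.conf: syslog timestamp,
# hostname, daemon name (ipop3d or imapd) and an optional [pid]. Assumption for
# this demo only; fail2ban builds the real prefix from several sub-patterns.
PREFIX_LINE = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?:ipop3d|imapd)(?:\[\d+\])?: "

# Stand-in for fail2ban's <HOST> tag (IPv4 only, enough for this demo).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from imap-login.conf with the prefix and <HOST> substituted.
FAILREGEX = re.compile(
    PREFIX_LINE
    + r"Login (?:failed|excessive login failures) user=\S* auth=\S* host=.*\["
    + HOST
    + r"\]\s*$"
)

MAXRETRY = 3   # from the jail definition above
BANTIME = 600  # fail2ban default bantime in seconds

# Constructed sample log lines; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges, not real clients. The last line has an empty host,
# like the samples above, and must NOT match (nothing to ban).
SAMPLE_LOG = """\
Jan 16 13:07:00 mail-server imapd[30041]: Login failed user=user1 auth=user1 host=client.example [192.0.2.10]
Jan 16 13:07:05 mail-server imapd[30041]: Login failed user=user1 auth=user1 host=client.example [192.0.2.10]
Jan 16 13:07:09 mail-server imapd[30041]: Login failed user=user1 auth=user1 host=client.example [192.0.2.10]
Jan 16 13:26:53 mail-server pop(pam_unix)[30585]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=user1
Jan 16 13:26:56 mail-server ipop3d[30585]: Login failed user=user1 auth=user1 host=[198.51.100.7]
Jan 16 13:30:00 mail-server imapd[30099]: Login user=user2 auth=user2 host=client.example [203.0.113.5]
Jan 16 13:31:00 mail-server imapd[30100]: Login failed user=user3 auth=user3 host=[]
"""


def extract_failures(log_text):
    """Return the captured host for every line that matches the failregex."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def bans(log_text, maxretry=MAXRETRY):
    """Count failures per host and list the hosts that reached maxretry."""
    counts = Counter(extract_failures(log_text))
    banned = sorted(h for h, n in counts.items() if n >= maxretry)
    return dict(counts), banned


if __name__ == "__main__":
    counts, banned = bans(SAMPLE_LOG)
    for host, n in counts.items():
        print(f"{host}: {n} failure(s)")
    for host in banned:
        print(f"ban {host} on http,https,pop3,pop3s,imap,imaps for {BANTIME}s")
```

The same check against the real log and filter file is done with fail2ban's own tool: fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/imap-login.conf reports how many lines matched and which addresses were captured. If the daemon's lines carry no address inside the brackets (as in the samples above), nothing matches and no ban is ever issued, which is why the <HOST> tag and the log format must be checked together.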

Nice link.

