fail2ban + pop3 + imap

How to register unsuccessful logins on SquirrelMail webmail:
In file /etc/fail2ban/jail.conf we add the following :
[imap-login]
enabled = true
filter = imap-login
action = iptables-multiport[name=BadBots, port="http,https,pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-buffered[name=BadBots, lines=5, dest=admin-postmaster@moj.domen]
logpath = /var/log/messages
maxretry = 3

We create file /etc/fail2ban/filter.d/imap-login.conf :
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:ipop3d|imapd)
# <HOST> is fail2ban's placeholder for the address that gets banned
failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures) user=\S* auth=\S* host=.*\[<HOST>\]\s*$
ignoreregex =

This is used to capture a log entry like this one :
Jan 16 13:07:00 mail-server imapd[30041]: Login failed user=user1 auth=user1 host=mail-server.my.domain [10.10.10.11]
Or :
Jan 16 13:26:53 mail-server pop(pam_unix)[30585]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.10.10.12 user=user1
Jan 16 13:26:56 mail-server ipop3d[30585]: Login failed user=user1 auth=user1 host=[10.10.10.12]

So if someone tries to log in to webmail and fails more than 3 times, http(s) access to the server is blocked for 600 seconds (the default ban time); in the second case, when the attempts come over pop3 (Outlook and similar clients), access on the pop3 port is banned for 600 seconds for the IP from which the failed login was tried.
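To see what the filter above actually catches, here is an added Python example (not part of the original post, and not fail2ban's own code) that applies the post's failregex to the sample log lines and counts failures per host the way the jail's maxretry = 3 does. It assumes a simplified stand-in for %(__prefix_line)s from common.conf (syslog timestamp, hostname, then the _daemon name and pid) and expands the <HOST> tag to the named group fail2ban uses. The sample lines are constructed: the three from the post plus a few more attempts from the same addresses. Note that with the iptables-multiport action as written, a banned address loses all the listed ports (http, https, pop3, pop3s, imap, imaps), whichever service the failures came through.

```python
import re
from collections import Counter

# Constructed sample log: the post's three lines plus extra attempts.
SAMPLE_LOG = """\
Jan 16 13:07:00 mail-server imapd[30041]: Login failed user=user1 auth=user1 host=mail-server.my.domain [10.10.10.11]
Jan 16 13:26:53 mail-server pop(pam_unix)[30585]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.10.10.12 user=user1
Jan 16 13:26:56 mail-server ipop3d[30585]: Login failed user=user1 auth=user1 host=[10.10.10.12]
Jan 16 13:27:10 mail-server ipop3d[30590]: Login failed user=user1 auth=user1 host=[10.10.10.12]
Jan 16 13:27:20 mail-server ipop3d[30595]: Login excessive login failures user=user1 auth=user1 host=[10.10.10.12]
Jan 16 13:30:00 mail-server imapd[30600]: Login user=user1 host=[10.10.10.13]
"""

# The post's _daemon value from imap-login.conf.
_DAEMON = r"(?:ipop3d|imapd)"

# Simplified stand-in (assumption) for fail2ban's %(__prefix_line)s:
# syslog timestamp, hostname, then "<daemon>[<pid>]: ".
_PREFIX_LINE = r"^\s*\S+ +\d+ \d\d:\d\d:\d\d \S+ " + _DAEMON + r"\[\d+\]:\s*"

# What fail2ban substitutes for the <HOST> tag: a named group "host".
_HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The post's failregex with <HOST> expanded.
FAILREGEX = re.compile(
    _PREFIX_LINE
    + r"Login (?:failed|excessive login failures) user=\S* auth=\S* host=.*\["
    + _HOST_TAG
    + r"\]\s*$"
)


def match_failure(line):
    """Return the offending host for a line the filter matches, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry=3):
    """Count matching lines per host; return hosts that reached maxretry."""
    counts = Counter()
    for line in lines:
        host = match_failure(line)
        if host:
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in lines:
        print(match_failure(line) or "-", "|", line[:60])
    # The pam_unix line and the successful login are ignored;
    # 10.10.10.12 reaches three failures and would be banned.
    print("ban:", hosts_to_ban(lines))
```

The pam_unix line is not matched because its daemon field (pop(pam_unix)) is not in _daemon; it is the ipop3d "Login failed" line that follows which counts. This mirrors what fail2ban-regex would report for the same filter file.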

Nice link.
