{"id":137,"date":"2010-12-30T18:43:57","date_gmt":"2010-12-30T18:43:57","guid":{"rendered":"http:\/\/www.omniweb.com\/wordpress\/?p=137"},"modified":"2010-12-30T19:43:53","modified_gmt":"2010-12-30T19:43:53","slug":"blocking-brute-force-pop-attempts-with-fail2ban","status":"publish","type":"post","link":"https:\/\/www.omniweb.com\/wordpress\/?p=137","title":{"rendered":"Blocking brute force pop3 attempts with fail2ban"},"content":{"rendered":"

Brute force SSH attempts have dropped to zero since changing the port from the default to a non-standard one. Even though Denyhosts was working just fine for SSH, now it’s not even needed.
\nHowever, the brute force pop3 attempts were showing up fairly often – huge log bursts of failed attempt after failed attempt all from one ip address.
\nSo I installed fail2ban to handle this.
\nI added the following to \/etc\/fail2ban\/jail.conf
\n
\n[dovecot-pop3imap]
\nenabled = true
\nfilter = dovecot
\naction = iptables-multiport[name=dovecot-pop3imap, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]
\n sendmail-whois[name=DOVECOT, dest=my_email<\/i>, sender=fail2ban@my_domain<\/i>]
\nlogpath = \/var\/log\/maillog
\nmaxretry = 5
\nfindtime = 600
\nbantime = 6000
\n<\/code><\/p>\n

and in the \/etc\/fail2ban\/filters.d\/ folder i add a file dovecot.conf like this
\n
\n[Definition]
\nfailregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|
\nDisconnected \\(auth failed).*rip=(?P\\S*),.*
\nignoreregex =
\n<\/code><\/p>\n

and tested it out with good success (the ip was blocked after 5 failed attempts):
\n
\n$ telnet my_ip<\/i> 110
\nTrying my_ip<\/i> ...
\nConnected to my_ip<\/i>.
\nEscape character is '^]'.
\n+OK Dovecot ready.
\nuser any
\n+OK
\npass 44
\n-ERR Authentication failed.
\nquit
\n$
\n<\/code><\/p>\n

and after doing that 5 times, in the fail2ban log appears;<\/p>\n

2010-12-30 10:28:34,269 fail2ban.actions: WARNING [dovecot-pop3imap] Ban my_remote_ip<\/i><\/p>\n

and i can’t connect from my_remote_ip<\/i> any more, but restarting fail2ban unblocked me right away.<\/p>\n

I’ll see how it works “in the wild” and probably disable the email notifications once all is well. Looking forward to a few fail2ban’s in the log instead of thousands of pop3 authentication failures.<\/p>\n","protected":false},"excerpt":{"rendered":"

Brute force SSH attempts have dropped to zero since changing the port from the default to a non-standard one. Even though Denyhosts was working just fine for SSH, now it’s not even needed. However, the brute force pop3 attempts were … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/137"}],"collection":[{"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=137"}],"version-history":[{"count":13,"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions"}],"predecessor-version":[{"id":150,"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions\/150"}],"wp:attachment":[{"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.omniweb.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}