I have fail2ban working for EVERYTHING else except dovecot. I have tried
using my own custom regex in conjunction with the regex on the
dovecot.org site. Neither are picked up by fail2ban and I'm trying to
use an imminent attack agaist dovecot, going on now, to my advantage to
see when I get the right regexp. Here are my current ones:
failregex = .*dovecot: (?:pop3-login|imap-login):
(?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth
attempts)\):.*rip=<HOST>,.* <<< this is my custom
(?: pop3-login|imap-login): (?:Authentication
failure|Aborted login \(auth failed|Aborted login \(tried to use
disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<<
from
dovecot.org
.*warning:.\S*\[(?P<host>)\]:
SASL.(?:PLAIN|LOGIN).authentication failed:.*
Here is the current attack:
Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1
attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12
Can someone help me out a little?
Thanks,
Jerrale G
hi dovecot network the principle of fail2ban is repeated for connections with the same login fail2ban does not work if the attack changes to login every time this type of attack is rather to find valid user accounts I may be wrong, I hope I too am a victim of this kind of attacks On Thu, 10 Jun 2010 17:19:24 -0400, Jerrale Gayle <jerralegayle at sheltoncomputers.com> wrote:> I have fail2ban working for EVERYTHING else except dovecot. I have tried> using my own custom regex in conjunction with the regex on the > dovecot.org site. Neither are picked up by fail2ban and I'm trying to > use an imminent attack agaist dovecot, going on now, to my advantage to > see when I get the right regexp. Here are my current ones: > > failregex = .*dovecot: (?:pop3-login|imap-login): > (?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth > attempts)\):.*rip=<HOST>,.* <<< this is my custom > (?: pop3-login|imap-login): (?:Authentication > failure|Aborted login \(auth failed|Aborted login \(tried to use > disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from > dovecot.org > .*warning:.\S*\[(?P<host>)\]: > SASL.(?:PLAIN|LOGIN).authentication failed:.* > > Here is the current attack: > > Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 > attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71,lip=173.50.101.12> > > Can someone help me out a little? > > Thanks, > > Jerrale G
On 11:59 AM, Jerrale Gayle wrote:> I have fail2ban working for EVERYTHING else except dovecot. I have tried > using my own custom regex in conjunction with the regex on the > dovecot.org site. Neither are picked up by fail2ban and I'm trying to > use an imminent attack agaist dovecot, going on now, to my advantage to > see when I get the right regexp. Here are my current ones: > > failregex = .*dovecot: (?:pop3-login|imap-login): > (?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth > attempts)\):.*rip=<HOST>,.* <<< this is my customThere is an extra space following "(?:Disconnected|Aborted login)" in the above. There should be only one space, not two. Note that fail2ban comes with a fail2ban-regex command for testing regexps against logs or log lines.> (?: pop3-login|imap-login): (?:Authentication > failure|Aborted login \(auth failed|Aborted login \(tried to use > disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from > dovecot.org > .*warning:.\S*\[(?P<host>)\]: > SASL.(?:PLAIN|LOGIN).authentication failed:.* > > Here is the current attack: > > Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 > attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12-- Mark Sapiro <mark at msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan