dovecot - Jul 2015 - dovecot auth using 100% CPU

Jorge Bastos <mysql.jorge at decimal.pt> wrote:
> What do you see in the logs?
> My guess is that someone is trying a brute force auth against you,
Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
authentication. The exim4 logs show brute force attacks.

-- 
Edward.

>>>>> Edward Betts <edward at 4angle.com>:
> Jorge Bastos <mysql.jorge at decimal.pt> wrote:
>> What do you see in the logs?
>> My guess is that someone is trying a brute force auth against you,
> Thanks Jorge, I think this is the answer. I'm using dovecot for exim4
SMTP
> authentication. The exim4 logs show brute force attacks.
A little late response, but since you're using debian you could try
pulling in fail2ban:
 apt-get install fail2ban

fail2ban scans the logs of various services for attacks and firewalls
out the attacking IP addresses.

There are no built-in rules for exim or dovecot in the debian fail2ban
package, but there is something here that could possibly be adapted...?
 http://wiki2.dovecot.org/HowTo/Fail2Ban

Here's a filter for exim:
 https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/exim.conf

Am Freitag, den 03.07.2015, 14:28 +0200 schrieb Steinar
Bang:
> > 
> fail2ban scans the logs of various services for attacks and firewalls
> out the attacking IP addresses.
> 
> There are no built-in rules for exim or dovecot in the debian 
> fail2ban
> package, but there is something here that could possibly be 
> adapted...?
Are you talking about wheezy or jessie?
jessie has rules. But they need to be enabled like this:

# cat /etc/fail2ban/jail.d/local.conf 
[exim]
enabled = true

[exim-spam]
enabled = true

[dovecot]
enabled = true