Lou Duchez wrote:
Ed W wrote:
Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and also to allow a high number of errors before temporarily "jailing" a user. This is to decrease the likelihood that a single user from a single IP will get all his coworkers (temporarily) banned over an honest mistake in configuration.


I have noticed recent breaking attempts which appear to be a slow coordinated botnet using multiple IPs and trying a combination of SMTP + POP + IMAP (can't remember if it did both of the latter or just POP?). As a result I tried to combine all three into a single test. Actually I did the wrong thing, but if you look through my previous posts you can see someone (Bill?) correct me and post the correct config for this.

I would recommend you be aware of this - in my case I was seeing less than a few attempts from a given IP in a 10 min period, but lots of what appeared to be coordinated attempts at the server level. (e.g. some servers were only trying a few logins per day, but across enough IP addresses this was fairly rapidly filling the logs.)

Good luck

Ed W


Thanks for the heads-up! Okay then, perhaps the best solution is to make use of the "ignoreip" setting in jail.conf to protect known IP addresses, something like this:

(snip)

Or even smarter: create a single filter file called smtppop3imap.conf, and use that same filter for SMTP, POP3, and IMAP. Here's what the filter would look like:

[Definition]

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

ignoreregex =


The first regex will cover SMTP authentication errors generated by Postfix. The second regex is for Dovecot and authentication errors with POP3 and IMAP.

Sorry to keep posting iterative improvements; every time I think I'm done, I come up with something better (and perhaps worth sharing).
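The following is an added example, not part of the thread above and not fail2ban's own code. It takes the two failregex lines from the proposed smtppop3imap.conf filter, expands the `<HOST>` tag the way fail2ban does before compiling (the expansion `(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)` is fail2ban's standard one), and runs them over a handful of constructed Postfix and Dovecot log lines. It then tallies failures per source address and emulates the two jail.conf knobs discussed in the thread: a `maxretry` threshold so that a few honest mistakes do not trigger a ban, and an `ignoreip` list so that known office addresses are never banned. The sample log lines, the `maxretry` and `ignoreip` values, and the function names are all assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this capture group before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines of the proposed smtppop3imap.conf filter:
# line 1 matches Postfix SASL failures, line 2 matches Dovecot POP3/IMAP failures.
FAILREGEX_TEMPLATES = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]
FAILREGEX = [re.compile(t.replace("<HOST>", HOST_RE)) for t in FAILREGEX_TEMPLATES]

# Constructed sample log lines (not real traffic). 192.0.2.10 fails over SMTP twice and
# IMAP once; the "Login:" line is a successful IMAP login and must not match.
SAMPLE_LOG = """\
Mar  3 12:00:01 mail postfix/smtpd[2211]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 12:00:02 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5
Mar  3 12:00:03 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Mar  3 12:00:04 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Mar  3 12:00:05 mail postfix/smtpd[2212]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar  3 12:00:06 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.1
"""


def match_failure(line):
    """Return the source host if the line matches one of the failregexes, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def failures_by_host(log_text):
    """Count authentication failures per source host across SMTP, POP3 and IMAP."""
    counts = Counter()
    for line in log_text.splitlines():
        host = match_failure(line)
        if host:
            counts[host] += 1
    return counts


def is_ignored(host, ignoreip):
    """True if host falls inside any network of the ignoreip list (jail.conf 'ignoreip')."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname rather than an address: it cannot be matched against ignoreip.
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def hosts_to_ban(log_text, maxretry, ignoreip=()):
    """Hosts that reached maxretry failures and are not protected by ignoreip."""
    return sorted(
        host
        for host, n in failures_by_host(log_text).items()
        if n >= maxretry and not is_ignored(host, ignoreip)
    )


if __name__ == "__main__":
    print(failures_by_host(SAMPLE_LOG))
    print("maxretry=3:", hosts_to_ban(SAMPLE_LOG, 3))
    print("maxretry=3, office net ignored:", hosts_to_ban(SAMPLE_LOG, 3, ("192.0.2.0/24",)))
```

Running the script shows why the thread's two ideas complement each other: a host slowly spreading a few attempts per service still accumulates a single counter because all three protocols feed one filter, while an address inside the ignoreip range never reaches the ban list no matter how many of its users mistype a password.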
