Good reminder to check my fail2ban config. I did and found that it hasn't been running since moving my config over to CentOS 7 and rebuilding my server.

'systemctl status fail2ban.service' gives me no information as to why it's not starting, nor do the logs.

So, I guess I need to do some more investigating as to why my service is not starting. Any ideas would be helpful. I'm running the same configs as are listed in the referenced wiki.


On 6/3/2019 7:37 AM, Angus McIntyre wrote:
If you're smart, you're probably running 'fail2ban' (or something similar) on your qmailtoaster to block password-guessing attempts. You may also have used the rules given at:

to configure it.

This morning I happened to check my logs and discovered a ridiculous number of password-guessing attempts from a single IP, all of which had apparently gone unblocked by fail2ban. It turned out that the attacker was sending an empty password string, so that the log lines looked something like:

     vchkpw-submission: null password given phil:

There was no corresponding rule in my '/etc/fail2ban/filter.d/vpopmail.conf' to capture this case, so the attacker was able to try over and over again, unbanned.

The attack script seems to be badly broken: it hits the same usernames over and over again, always with the same null password, and without even including the hostname part of the username (i.e. 'phil' rather than ''), so I'd rate its chances of succeeding as minimal. Still, it'll inflate your log files, so you probably want to ban it.

So you might want to consider tweaking your fail2ban configuration to ensure that the failregex in 'vpopmail.conf' successfully matches 'null password given' as well as the default 'vpopmail user not found' string.


To unsubscribe, e-mail:
For additional commands, e-mail:
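Added example (not part of the original messages, and not the wiki's filter): a small Python check showing how a failregex that only knows 'vpopmail user not found' misses the 'null password given' lines, and how an extended pattern catches them. The syslog prefix, the client IP following the colon, the exact form of both patterns, the IPv4-only stand-in for fail2ban's `<HOST>` tag and the `maxretry` threshold of 3 are all assumptions made for illustration.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumed form of an existing rule: covers only the "user not found" case.
OLD_FAILREGEX = r"vchkpw-\S+: vpopmail user not found \S*:<HOST>"
# Extended rule: also covers the empty-password case from the message above.
NEW_FAILREGEX = (r"vchkpw-\S+: (?:vpopmail user not found|null password given)"
                 r" \S*:<HOST>")

# Constructed sample log lines (documentation IP ranges, invented prefix).
SAMPLE_LOG = """\
Jun  3 06:01:10 mail vpopmail[2101]: vchkpw-submission: null password given phil:203.0.113.7
Jun  3 06:01:12 mail vpopmail[2102]: vchkpw-submission: null password given phil:203.0.113.7
Jun  3 06:01:15 mail vpopmail[2103]: vchkpw-submission: null password given admin:203.0.113.7
Jun  3 06:01:19 mail vpopmail[2104]: vchkpw-submission: null password given phil:203.0.113.7
Jun  3 06:02:40 mail vpopmail[2110]: vchkpw-submission: vpopmail user not found bob@example.com:198.51.100.9
Jun  3 06:03:05 mail vpopmail[2115]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.5
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag roughly the way fail2ban does, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures_by_host(failregex, log_text):
    """Count matching failure lines per client IP."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(failregex, log_text, maxretry=3):
    """Return the IPs whose failure count reaches maxretry."""
    counts = failures_by_host(failregex, log_text)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("old rule bans:", hosts_to_ban(OLD_FAILREGEX, SAMPLE_LOG))
    print("new rule bans:", hosts_to_ban(NEW_FAILREGEX, SAMPLE_LOG))
```

On a real server, the `fail2ban-regex` tool that ships with fail2ban performs the same check against your actual mail log and filter file.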
