Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf

before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:

failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
            vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-smtp: password fail .*:<HOST>$
            vchkpw-submission: password fail .*:<HOST>$
ignoreregex =

In my jail.local, I have the following for my vpopmail config.

enabled = true
filter = vpopmail
port    = pop3,pop3s,imap,imaps,submission,465
logpath = /var/log/maillog
maxretry = 4
findtime = 86400 ; 1 day
bantime = 10800 ; 3 hours

On 6/3/2020 7:53 PM, Eric Broch wrote:

can you share your vpopmail rules for fail2ban, config and regex?

On 6/3/2020 5:48 PM, Gary Bowling wrote:

FYI in case someone else can use this info.

In my recent review of my server and trying to tighten up security. I noticed that there were a number of IPs that showed up regularly in my fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks at failed login attempts and blocks their IP addresses in iptables.

One IP address in particular would attack my server, get banned by fail2ban, and when the bantime was up, the same IP  would start attacking again, and the loop would continue.

In order to try to do something about these bots, I first looked at the "recidive" jail that is included with more recent versions of fail2ban.

The recidive jail was created just for this problem. However recidive just adds an additional jail time for a repeat offender. So, for instance a 4 hour jail time might get increased to 1 week. But after a week it starts over.

In searching I found this article, which describes what I think is a better approach to the issue.

This article describes how to build a series of increased jail times for a habitual offender. Eventually culminating in a year jail time.

Thanks, Gary

Gary Bowling
The Moderns on Spotify
--------------------------------------------------------------------- To unsubscribe, e-mail: For additional commands, e-mail:
--------------------------------------------------------------------- To unsubscribe, e-mail: For additional commands, e-mail:

Reply via email to