Nice work. I will take a look and try it out.
> On 3 Jun 2020, at 17:52, Gary Bowling <g...@gbco.us> wrote:
>
> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf that
> is included with fail2ban. That should catch attempts on imap and pop3, but
> I've never had it actually trap anything. So I'm guessing there is something
> not quite right about it.
>
> If you have something there that actually works, let me know.
>
> Seems like most of the hacking on my server is trying to find smtp relays, so
> maybe it's not a problem. Manually looking through the dovecot logs I don't
> see a ton of attempts there. Nothing like the maillog where there seems to be
> an endless list of bots hacking away.
>
> Gary
>
>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>> Nice, easier than mine.
>>
>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
>>>
>>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
>>>
>>> [INCLUDES]
>>> before = common.conf
>>>
>>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
>>>
>>> [Definition]
>>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
>>>             vchkpw-submission: vpopmail user not found .*:<HOST>$
>>>             vchkpw-smtp: password fail .*:<HOST>$
>>>             vchkpw-submission: password fail .*:<HOST>$
>>> ignoreregex =
>>>
>>> In my jail.local, I have the following for my vpopmail config.
>>>
>>> [vpopmail]
>>> enabled = true
>>> filter = vpopmail
>>> port = pop3,pop3s,imap,imaps,submission,465
>>> logpath = /var/log/maillog
>>> maxretry = 4
>>> findtime = 86400 ; 1 day
>>> bantime = 10800 ; 3 hours
>>>
>>> On 6/3/2020 7:53 PM, Eric Broch wrote:
>>>> can you share your vpopmail rules for fail2ban, config and regex?
>>>>
>>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
>>>>>
>>>>> FYI in case someone else can use this info.
>>>>>
>>>>> In my recent review of my server and trying to tighten up security, I
>>>>> noticed that there were a number of IPs that showed up regularly in my
>>>>> fail2ban firewall rules.
>>>>> I have a fail2ban jail for vpopmail that looks
>>>>> at failed login attempts and blocks their IP addresses in iptables.
>>>>>
>>>>> One IP address in particular would attack my server, get banned by
>>>>> fail2ban, and when the bantime was up, the same IP would start attacking
>>>>> again, and the loop would continue.
>>>>>
>>>>> In order to try to do something about these bots, I first looked at the
>>>>> "recidive" jail that is included with more recent versions of fail2ban.
>>>>>
>>>>> The recidive jail was created just for this problem. However recidive
>>>>> just adds an additional jail time for a repeat offender. So, for instance
>>>>> a 4 hour jail time might get increased to 1 week. But after a week it
>>>>> starts over.
>>>>>
>>>>> In searching I found this article, which describes what I think is a
>>>>> better approach to the issue.
>>>>>
>>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
>>>>>
>>>>> This article describes how to build a series of increased jail times for
>>>>> a habitual offender. Eventually culminating in a year jail time.
>>>>>
>>>>> Thanks, Gary
>>>>>
>>>>> --
>>>>> ____________________
>>>>> Gary Bowling
>>>>> The Moderns on Spotify
>>>>> ____________________
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
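
Added example, not part of the original thread or anyone's posted config: a Python check that runs the four failregex lines from the quoted vpopmail filter over constructed maillog lines and applies the jail's maxretry and findtime to show which hosts would be banned. The log line layout, the IPv4-only stand-in for `<HOST>`, and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four failregex lines from the vpopmail filter quoted in the thread.
FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
]
# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
MAXRETRY, FINDTIME = 4, 86400  # values from the [vpopmail] jail

# Constructed maillog lines; the vchkpw message layout is an assumption.
SAMPLE_LOG = """\
Jun  1 09:00:00 mail vpopmail[900]: vchkpw-smtp: password fail bob@example.com:192.0.2.44
Jun  3 10:00:01 mail vpopmail[2101]: vchkpw-smtp: password fail info@example.com:203.0.113.7
Jun  3 10:00:09 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.7
Jun  3 10:01:30 mail vpopmail[2107]: vchkpw-submission: password fail info@example.com:203.0.113.7
Jun  3 10:02:00 mail vpopmail[2110]: vchkpw-submission: login success gary@example.com:198.51.100.9
Jun  3 10:02:44 mail vpopmail[2111]: vchkpw-submission: vpopmail user not found test@example.com:203.0.113.7
Jun  3 11:00:00 mail vpopmail[2200]: vchkpw-smtp: password fail bob@example.com:192.0.2.44
Jun  3 11:00:05 mail vpopmail[2201]: vchkpw-smtp: password fail bob@example.com:192.0.2.44
Jun  3 11:00:09 mail vpopmail[2202]: vchkpw-smtp: password fail bob@example.com:192.0.2.44
"""

def parse_failures(text, year=2020):
    """Return (timestamp, host) for each line matched by a failregex."""
    hits = []
    for line in text.splitlines():
        m = next((m for rx in COMPILED if (m := rx.search(line))), None)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(text):
    """Return hosts reaching MAXRETRY failures inside one FINDTIME window."""
    recent, banned = defaultdict(list), []
    for ts, host in parse_failures(text):
        # Keep only this host's failures that are still within findtime.
        recent[host] = [t for t in recent[host]
                        if (ts - t).total_seconds() <= FINDTIME] + [ts]
        if len(recent[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned
```

To check the filter against the real log, fail2ban ships `fail2ban-regex`, e.g. `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf`.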