Nice work. I will take a look and try it out. 

> On 3 Jun 2020, at 17:52, Gary Bowling <g...@gbco.us> wrote:
> 
> 
> 
> 
> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf that 
> is included with fail2ban. That should catch attempts on imap and pop3, but 
> I've never had it actually trap anything. So I'm guessing there is something 
> not quite right about it.
> 
> 
> 
> If you have something there that actually works, let me know.
> 
> 
> 
> Seems like most of the hacking on my server is trying to find smtp relays, so 
> maybe it's not a problem. Manually looking through the dovecot logs I don't 
> see a ton of attempts there. Nothing like the maillog where there seems to be 
> an endless list of bots hacking away. 
> 
> 
> 
> Gary
> 
> 
> 
>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>> Nice, easier than mine.
>> 
>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
>>> 
>>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
>>> 
>>> [INCLUDES]
>>> before = common.conf
>>> 
>>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
>>> 
>>> [Definition]
>>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
>>>             vchkpw-submission: vpopmail user not found .*:<HOST>$
>>>             vchkpw-smtp: password fail .*:<HOST>$
>>>             vchkpw-submission: password fail .*:<HOST>$
>>> ignoreregex =
>>> 
>>> 
>>> 
>>> 
>>> 
>>> In my jail.local, I have the following for my vpopmail config. 
>>> 
>>> 
>>> 
>>> [vpopmail]
>>> enabled = true
>>> filter = vpopmail
>>> port    = pop3,pop3s,imap,imaps,submission,465
>>> logpath = /var/log/maillog
>>> maxretry = 4
>>> findtime = 86400 ; 1 day
>>> bantime = 10800 ; 3 hours
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 6/3/2020 7:53 PM, Eric Broch wrote:
>>>> can you share your vpopmail rules for fail2ban, config and regex?
>>>> 
>>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
>>>>> 
>>>>> FYI in case someone else can use this info. 
>>>>> 
>>>>> In my recent review of my server and trying to tighten up security, I 
>>>>> noticed that there were a number of IPs that showed up regularly in my 
>>>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
>>>>> at failed login attempts and blocks their IP addresses in iptables. 
>>>>> 
>>>>> 
>>>>> 
>>>>> One IP address in particular would attack my server, get banned by 
>>>>> fail2ban, and when the bantime was up, the same IP would start attacking 
>>>>> again, and the loop would continue. 
>>>>> 
>>>>> 
>>>>> 
>>>>> In order to try to do something about these bots, I first looked at the 
>>>>> "recidive" jail that is included with more recent versions of fail2ban. 
>>>>> 
>>>>> 
>>>>> 
>>>>> The recidive jail was created just for this problem. However, recidive 
>>>>> just adds an additional jail time for a repeat offender. So, for instance, 
>>>>> a 4-hour jail time might get increased to 1 week. But after a week it 
>>>>> starts over.
>>>>> 
>>>>> 
>>>>> 
>>>>> In searching I found this article, which describes what I think is a 
>>>>> better approach to the issue. 
>>>>> 
>>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
>>>>> 
>>>>> 
>>>>> 
>>>>> This article describes how to build a series of increased jail times for 
>>>>> a habitual offender, eventually culminating in a year's jail time.
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks, Gary 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> ____________________
>>>>> Gary Bowling
>>>>> The Moderns on Spotify 
>>>>> ____________________
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

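An added example, not part of the thread or of fail2ban itself: a small Python check of the quoted failregex lines and the jail's maxretry/findtime against constructed log messages. The IPv4-only substitute for `<HOST>`, the function names and the sample lines are assumptions; fail2ban's own `fail2ban-regex` tool is the way to test a filter against a real log.

```python
import re
from collections import defaultdict, deque

# failregex lines copied from the vpopmail.conf filter quoted in the thread
FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
]
MAXRETRY, FINDTIME = 4, 86400  # maxretry / findtime from the [vpopmail] jail
# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

def match_host(message):
    """Return the client IP if any failregex matches the message, else None."""
    for pat in PATTERNS:
        m = pat.search(message)
        if m:
            return m.group("host")
    return None

def bans(events):
    """events: (epoch_seconds, message) in time order -> list of (time, ip) bans."""
    recent, out = defaultdict(deque), []
    for ts, msg in events:
        ip = match_host(msg)
        if ip is None:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:  # forget failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:       # maxretry failures inside the window
            out.append((ts, ip))
            q.clear()
    return out

# Constructed sample messages (hypothetical users, documentation IP ranges)
SAMPLE = [
    (0,     "vchkpw-smtp: password fail bob@example.com:203.0.113.7"),
    (60,    "vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.7"),
    (120,   "vchkpw-submission: password fail bob@example.com:203.0.113.7"),
    (150,   "vchkpw-pop3: password fail bob@example.com:203.0.113.7"),  # tag not in filter
    (180,   "vchkpw-submission: vpopmail user not found x@example.com:203.0.113.7"),
    (200,   "vchkpw-smtp: password fail al@example.com:198.51.100.9"),
    (90000, "vchkpw-smtp: password fail al@example.com:198.51.100.9"),  # outside findtime
]
print(bans(SAMPLE))
```

The `vchkpw-pop3` line is not counted because none of the four failregex lines names that service tag, so the ban is triggered by the fourth matching smtp/submission failure.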