Hi

What about below?

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$
            vchkpw-pop3: vpopmail user not found .*@:<HOST>$
            vchkpw-pop3: vpopmail user not found .*@.*:<HOST>..$
            vchkpw-pop3: vpopmail user not found .*@:<HOST>..$
            vchkpw-smtp: vpopmail user not found .*@.*:<HOST>$
            vchkpw-smtp: vpopmail user not found .*@:<HOST>$
            vchkpw-smtp: vpopmail user not found .*@.*:<HOST>..$
            vchkpw-smtp: vpopmail user not found .*@:<HOST>..$
            vchkpw-submission: vpopmail user not found .*@.*:<HOST>$
            vchkpw-submission: vpopmail user not found .*@:<HOST>$
            vchkpw-submission: vpopmail user not found .*@.*:<HOST>..$
            vchkpw-submission: vpopmail user not found .*@:<HOST>..$
            vchkpw-submission: password fail (pass: '.*') .*@.*:<HOST>$
            vchkpw-smtp: null password given [^:]*:<HOST>
            vchkpw-submission: null password given [^:]*:<HOST>


Kind regards,
Nori


On Wed, 3 Jun 2020 18:14:01 -0700
r...@mattei.org wrote:

> Nice work. I will take a look and try it out. 
> 
> > On 3 Jun 2020, at 17:52, Gary Bowling <g...@gbco.us> wrote:
> > 
> > 
> > 
> > It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf 
> > that is included with fail2ban. That should catch attempts on imap and 
> > pop3, but I've never had it actually trap anything. So I'm guessing there 
> > is something not quite right about it.
> > 
> > 
> > 
> > If you have something there that actually works, let me know.
> > 
> > 
> > 
> > Seems like most of the hacking on my server is trying to find smtp relays, 
> > so maybe it's not a problem. Manually looking through the dovecot logs I 
> > don't see a ton of attempts there. Nothing like the maillog where there 
> > seems to be an endless list of bots hacking away. 
> > 
> > 
> > 
> > Gary
> > 
> > 
> > 
> >> On 6/3/2020 8:37 PM, Eric Broch wrote:
> >> Nice, easier than mine.
> >> 
> >> On 6/3/2020 6:27 PM, Gary Bowling wrote:
> >>> 
> >>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
> >>> 
> >>> [INCLUDES]
> >>> before = common.conf
> >>> 
> >>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
> >>> 
> >>> [Definition]
> >>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
> >>>             vchkpw-submission: vpopmail user not found .*:<HOST>$
> >>>             vchkpw-smtp: password fail .*:<HOST>$
> >>>             vchkpw-submission: password fail .*:<HOST>$
> >>> ignoreregex =
> >>> 
> >>> 
> >>> 
> >>> 
> >>> 
> >>> In my jail.local, I have the following for my vpopmail config. 
> >>> 
> >>> 
> >>> 
> >>> [vpopmail]
> >>> enabled = true
> >>> filter = vpopmail
> >>> port    = pop3,pop3s,imap,imaps,submission,465
> >>> logpath = /var/log/maillog
> >>> maxretry = 4
> >>> findtime = 86400 ; 1 day
> >>> bantime = 10800 ; 3 hours
> >>> 
> >>> 
> >>> 
> >>> 
> >>> 
> >>> On 6/3/2020 7:53 PM, Eric Broch wrote:
> >>>> can you share your vpopmail rules for fail2ban, config and regex?
> >>>> 
> >>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
> >>>>> 
> >>>>> FYI in case someone else can use this info. 
> >>>>> 
> >>>>> In my recent review of my server, trying to tighten up security, I 
> >>>>> noticed that there were a number of IPs that showed up regularly in my 
> >>>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
> >>>>> at failed login attempts and blocks their IP addresses in iptables. 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> One IP address in particular would attack my server, get banned by 
> >>>>> fail2ban, and when the bantime was up, the same IP would start 
> >>>>> attacking again, and the loop would continue. 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> In order to try to do something about these bots, I first looked at the 
> >>>>> "recidive" jail that is included with more recent versions of fail2ban. 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> The recidive jail was created just for this problem. However recidive 
> >>>>> just adds an additional jail time for a repeat offender. So, for 
> >>>>> instance a 4 hour jail time might get increased to 1 week. But after a 
> >>>>> week it starts over.
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> In searching I found this article, which describes what I think is a 
> >>>>> better approach to the issue. 
> >>>>> 
> >>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> This article describes how to build a series of increased jail times 
> >>>>> for a habitual offender, eventually culminating in a year's jail time.
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> Thanks, Gary 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> -- 
> >>>>> ____________________
> >>>>> Gary Bowling
> >>>>> The Moderns on Spotify 
> >>>>> ____________________
> >>>>> --------------------------------------------------------------------- 
> >>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
> >>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Telecommunications Association License No. A-18-9191
Government Resell  License No. 301039703002
              WATS CO.,LTD.   
  Kawana Bldg, 5F  Kamata
Ota-ku Tokyo, 144-0052 JAPAN
       Phone 81-50-5830-5940 
       Ext&Mobile:201 VoiceMailDirect:201*1
       FAX   81-50-5830-5941
            http://wats.gr.jp
          Mail: wats @ wats.gr.jp
Please remove the spaces on both sides of the @

Key fingerprint = B53D FF2F BFEA FDA8 1439  38AA 8281 9A3E C9B6 2FC9

/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
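To check a failregex before loading it into fail2ban, it helps to run the patterns over sample log lines the way fail2ban-regex would. The following is an added example, not code from the thread or from fail2ban: it takes Gary's vpopmail.conf failregex and three of the extra lines from Nori's proposal, expands `<HOST>` with a simplified IPv4-only stand-in for fail2ban's real host pattern (an assumption), and applies the jail's maxretry = 4 to constructed vchkpw log lines.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only; the real
# one also matches hostnames and IPv6).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Gary's vpopmail.conf failregex as posted above (smtp/submission only).
GARY_FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
]
# Three of the additional lines from Nori's proposal: pop3 lookups and null passwords.
NORI_EXTRA = [
    r"vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$",
    r"vchkpw-smtp: null password given [^:]*:<HOST>",
    r"vchkpw-submission: null password given [^:]*:<HOST>",
]

def failed_hosts(log_lines, patterns):
    """Host captured from every line matching at least one failregex."""
    compiled = [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]
    hosts = []
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # fail2ban counts one failure per log line
    return hosts

def hosts_to_ban(log_lines, patterns, maxretry=4):
    """Hosts reaching maxretry failures (the jail.local above uses maxretry = 4)."""
    counts = Counter(failed_hosts(log_lines, patterns))
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed syslog lines in the vchkpw format; addresses are documentation ranges.
P = "Jun  3 17:52:01 mail vpopmail[1234]: "
SAMPLE_LOG = [
    P + "vchkpw-smtp: vpopmail user not found bob@example.com:203.0.113.5",
    P + "vchkpw-smtp: vpopmail user not found carol@example.com:203.0.113.5",
    P + "vchkpw-submission: password fail (pass: 'REDACTED') alice@example.com:203.0.113.5",
    P + "vchkpw-smtp: null password given alice@example.com:203.0.113.5",
    P + "vchkpw-pop3: vpopmail user not found eve@example.com:198.51.100.7",
    P + "vchkpw-pop3: (PLAIN) login success alice@example.com:192.0.2.9",  # must not match
]
```

With Gary's four patterns alone the sample host stays at three failures and is not banned; adding the null-password line from Nori's list pushes it to four, and the pop3 line is only counted once the pop3 pattern is present.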