If you are using chkuser the user not found should never get past the initial smtp.

Remo
> On Jun 3, 2020, at 22:34, Noriyuki Hayashi <nhaya...@wats.gr.jp> wrote:
>
> Hi
>
> What about below?
>
> [Definition]
>
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile.
> # Values: TEXT
> #
> failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$
>             vchkpw-pop3: vpopmail user not found .*@:<HOST>$
>             vchkpw-pop3: vpopmail user not found .*@.*:<HOST>..$
>             vchkpw-pop3: vpopmail user not found .*@:<HOST>..$
>             vchkpw-smtp: vpopmail user not found .*@.*:<HOST>$
>             vchkpw-smtp: vpopmail user not found .*@:<HOST>$
>             vchkpw-smtp: vpopmail user not found .*@.*:<HOST>..$
>             vchkpw-smtp: vpopmail user not found .*@:<HOST>..$
>             vchkpw-submission: vpopmail user not found .*@.*:<HOST>$
>             vchkpw-submission: vpopmail user not found .*@:<HOST>$
>             vchkpw-submission: vpopmail user not found .*@.*:<HOST>..$
>             vchkpw-submission: vpopmail user not found .*@:<HOST>..$
>             vchkpw-submission: password fail (pass: '.*') .*@.*:<HOST>$
>             vchkpw-smtp: null password given [^:]*:<HOST>
>             vchkpw-submission: null password given [^:]*:<HOST>
>
> Kind regards,
> Nori
>
> On Wed, 3 Jun 2020 18:14:01 -0700
> r...@mattei.org wrote:
>
>> Nice work. I will take a look and try it out.
>>
>>> On 3 Jun 2020, at 17:52, Gary Bowling <g...@gbco.us> wrote:
>>>
>>> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf
>>> that is included with fail2ban. That should catch attempts on imap and
>>> pop3, but I've never had it actually trap anything. So I'm guessing there
>>> is something not quite right about it.
>>>
>>> If you have something there that actually works, let me know.
>>>
>>> Seems like most of the hacking on my server is trying to find smtp relays,
>>> so maybe it's not a problem. Manually looking through the dovecot logs I
>>> don't see a ton of attempts there. Nothing like the maillog where there
>>> seems to be an endless list of bots hacking away.
>>>
>>> Gary
>>>
>>>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>>>> Nice, easier than mine.
>>>>
>>>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
>>>>>
>>>>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
>>>>>
>>>>> [INCLUDES]
>>>>> before = common.conf
>>>>>
>>>>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
>>>>>
>>>>> [Definition]
>>>>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
>>>>>             vchkpw-submission: vpopmail user not found .*:<HOST>$
>>>>>             vchkpw-smtp: password fail .*:<HOST>$
>>>>>             vchkpw-submission: password fail .*:<HOST>$
>>>>> ignoreregex =
>>>>>
>>>>> In my jail.local, I have the following for my vpopmail config.
>>>>>
>>>>> [vpopmail]
>>>>> enabled = true
>>>>> filter = vpopmail
>>>>> port = pop3,pop3s,imap,imaps,submission,465
>>>>> logpath = /var/log/maillog
>>>>> maxretry = 4
>>>>> findtime = 86400 ; 1 day
>>>>> bantime = 10800 ; 3 hours
>>>>>
>>>>> On 6/3/2020 7:53 PM, Eric Broch wrote:
>>>>>> can you share your vpopmail rules for fail2ban, config and regex?
>>>>>>
>>>>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
>>>>>>>
>>>>>>> FYI in case someone else can use this info.
>>>>>>>
>>>>>>> In my recent review of my server and trying to tighten up security, I
>>>>>>> noticed that there were a number of IPs that showed up regularly in my
>>>>>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks
>>>>>>> at failed login attempts and blocks their IP addresses in iptables.
>>>>>>>
>>>>>>> One IP address in particular would attack my server, get banned by
>>>>>>> fail2ban, and when the bantime was up, the same IP would start
>>>>>>> attacking again, and the loop would continue.
>>>>>>>
>>>>>>> In order to try to do something about these bots, I first looked at the
>>>>>>> "recidive" jail that is included with more recent versions of fail2ban.
>>>>>>>
>>>>>>> The recidive jail was created just for this problem. However recidive
>>>>>>> just adds an additional jail time for a repeat offender. So, for
>>>>>>> instance a 4 hour jail time might get increased to 1 week. But after a
>>>>>>> week it starts over.
>>>>>>>
>>>>>>> In searching I found this article, which describes what I think is a
>>>>>>> better approach to the issue.
>>>>>>>
>>>>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
>>>>>>>
>>>>>>> This article describes how to build a series of increased jail times
>>>>>>> for a habitual offender. Eventually culminating in a year jail time.
>>>>>>>
>>>>>>> Thanks, Gary
>>>>>>>
>>>>>>> --
>>>>>>> ____________________
>>>>>>> Gary Bowling
>>>>>>> The Moderns on Spotify
>>>>>>> ____________________
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>
> Telecommunications Association License No. A-18-9191
> Government Resell License No. 301039703002
> WATS CO.,LTD.
> Kawana Bldg, 5F Kamata
> Ota-ku Tokyo, 144-0052 JAPAN
> Phone 81-50-5830-5940
> Ext&Mobile:201 VoiceMailDirect:201*1
> FAX 81-50-5830-5941
> http://wats.gr.jp
> Mail: wats @ wats.gr.jp
> Please remove the space between @ as double side
>
> Key fingerprint = B53D FF2F BFEA FDA8 1439 38AA 8281 9A3E C9B6 2FC9
>
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
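
Added example, not part of the thread: a small Python harness that checks failregex lines quoted above against constructed log lines before they go into a jail, including how unescaped parentheses in a failregex behave as a regex group. The `<HOST>` expansion is simplified to IPv4, and the sample log lines (including literal parentheses around the logged password) and the escaped variant are assumptions, not taken from a real maillog.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines copied from the thread.
FIRST_FILTER = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
]
PASS_UNESCAPED = r"vchkpw-submission: password fail (pass: '.*') .*@.*:<HOST>$"
# Hypothetical variant: parentheses escaped so they match literally.
PASS_ESCAPED = r"vchkpw-submission: password fail \(pass: '.*'\) .*@.*:<HOST>$"

# Constructed log lines (documentation addresses); the format is an assumption.
SAMPLES = [
    "Jun  3 18:01:02 mail vpopmail[2101]: vchkpw-smtp: vpopmail user not found "
    "info@example.com:203.0.113.7",
    "Jun  3 18:01:09 mail vpopmail[2102]: vchkpw-submission: password fail "
    "(pass: 'guess1') bob@example.com:198.51.100.23",
    "Jun  3 18:02:30 mail vpopmail[2103]: vchkpw-pop3: vpopmail user not found "
    "admin@:192.0.2.44",
    "Jun  3 18:03:00 mail vpopmail[2104]: vchkpw-smtp: (PLAIN) login success "
    "alice@example.com:192.0.2.10",
]

def compile_failregex(pattern):
    """Expand <HOST> and compile, as a filter line would be before matching."""
    return re.compile(pattern.replace("<HOST>", HOST))

def matched_hosts(patterns, lines):
    """Return the host captured from every line that some pattern matches."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        hit = next((m for rx in compiled if (m := rx.search(line))), None)
        if hit:
            hosts.append(hit.group("host"))
    return hosts

if __name__ == "__main__":
    for name, pats in [("first filter", FIRST_FILTER),
                       ("unescaped (pass: ...)", [PASS_UNESCAPED]),
                       ("escaped \\(pass: ...\\)", [PASS_ESCAPED])]:
        print(f"{name}: {matched_hosts(pats, SAMPLES)}")
```

On a live system, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf` runs the same kind of check with the real `<HOST>` expansion against the actual log.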