If you are using chkuser, the user-not-found should never get past the initial 
SMTP. 
Remo

> On Jun 3, 2020, at 22:34, Noriyuki Hayashi <nhaya...@wats.gr.jp> wrote:
> 
> Hi
> 
> What about below?
> 
> [Definition]
> 
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile.
> # Values: TEXT
> #
> failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$
>            vchkpw-pop3: vpopmail user not found .*@:<HOST>$
>            vchkpw-pop3: vpopmail user not found .*@.*:<HOST>..$
>            vchkpw-pop3: vpopmail user not found .*@:<HOST>..$
>            vchkpw-smtp: vpopmail user not found .*@.*:<HOST>$
>            vchkpw-smtp: vpopmail user not found .*@:<HOST>$
>            vchkpw-smtp: vpopmail user not found .*@.*:<HOST>..$
>            vchkpw-smtp: vpopmail user not found .*@:<HOST>..$
>            vchkpw-submission: vpopmail user not found .*@.*:<HOST>$
>            vchkpw-submission: vpopmail user not found .*@:<HOST>$
>            vchkpw-submission: vpopmail user not found .*@.*:<HOST>..$
>            vchkpw-submission: vpopmail user not found .*@:<HOST>..$
>            vchkpw-submission: password fail (pass: '.*') .*@.*:<HOST>$
>            vchkpw-smtp: null password given [^:]*:<HOST>
>            vchkpw-submission: null password given [^:]*:<HOST>
> 
> 
> Kind regards,
> Nori
> 
> 
> On Wed, 3 Jun 2020 18:14:01 -0700
> r...@mattei.org wrote:
> 
>> Nice work. I will take a look and try it out. 
>> 
>>> On 3 Jun 2020, at 17:52, Gary Bowling <g...@gbco.us> wrote:
>>> 
>>> 
>>> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf 
>>> that is included with fail2ban. That should catch attempts on imap and 
>>> pop3, but I've never had it actually trap anything. So I'm guessing there 
>>> is something not quite right about it.
>>> 
>>> If you have something there that actually works, let me know.
>>> 
>>> Seems like most of the hacking on my server is trying to find smtp relays, 
>>> so maybe it's not a problem. Manually looking through the dovecot logs I 
>>> don't see a ton of attempts there. Nothing like the maillog, where there 
>>> seems to be an endless list of bots hacking away. 
>>> 
>>> Gary
>>> 
>>>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>>>> Nice, easier than mine.
>>>> 
>>>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
>>>>> 
>>>>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
>>>>> 
>>>>> [INCLUDES]
>>>>> before = common.conf
>>>>> 
>>>>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
>>>>> 
>>>>> [Definition]
>>>>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
>>>>>            vchkpw-submission: vpopmail user not found .*:<HOST>$
>>>>>            vchkpw-smtp: password fail .*:<HOST>$
>>>>>            vchkpw-submission: password fail .*:<HOST>$
>>>>> ignoreregex =
>>>>> 
>>>>> In my jail.local, I have the following for my vpopmail config. 
>>>>> 
>>>>> [vpopmail]
>>>>> enabled = true
>>>>> filter = vpopmail
>>>>> port    = pop3,pop3s,imap,imaps,submission,465
>>>>> logpath = /var/log/maillog
>>>>> maxretry = 4
>>>>> findtime = 86400 ; 1 day
>>>>> bantime = 10800 ; 3 hours
>>>>> 
>>>>> On 6/3/2020 7:53 PM, Eric Broch wrote:
>>>>>> can you share your vpopmail rules for fail2ban, config and regex?
>>>>>> 
>>>>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
>>>>>>> 
>>>>>>> FYI in case someone else can use this info. 
>>>>>>> 
>>>>>>> In my recent review of my server, trying to tighten up security, I 
>>>>>>> noticed that there were a number of IPs that showed up regularly in my 
>>>>>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
>>>>>>> at failed login attempts and blocks their IP addresses in iptables. 
>>>>>>> 
>>>>>>> One IP address in particular would attack my server, get banned by 
>>>>>>> fail2ban, and when the bantime was up, the same IP would start 
>>>>>>> attacking again, and the loop would continue. 
>>>>>>> 
>>>>>>> In order to try to do something about these bots, I first looked at the 
>>>>>>> "recidive" jail that is included with more recent versions of fail2ban. 
>>>>>>> 
>>>>>>> The recidive jail was created just for this problem. However, recidive 
>>>>>>> just adds an additional jail time for a repeat offender. So, for 
>>>>>>> instance, a 4 hour jail time might get increased to 1 week. But after a 
>>>>>>> week it starts over.
>>>>>>> 
>>>>>>> In searching I found this article, which describes what I think is a 
>>>>>>> better approach to the issue. 
>>>>>>> 
>>>>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
>>>>>>> 
>>>>>>> This article describes how to build a series of increased jail times 
>>>>>>> for a habitual offender, eventually culminating in a one-year jail time.
>>>>>>> 
>>>>>>> Thanks, Gary 
>>>>>>> 
>>>>>>> -- 
>>>>>>> ____________________
>>>>>>> Gary Bowling
>>>>>>> The Moderns on Spotify 
>>>>>>> ____________________
>>>>>>> --------------------------------------------------------------------- 
>>>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
>>>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> 
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> Telecommunications Association License No. A-18-9191
> Government Resell  License No. 301039703002
>              WATS CO.,LTD.   
>  Kawana Bldg, 5F  Kamata
> Ota-ku Tokyo, 144-0052 JAPAN
>       Phone 81-50-5830-5940 
>       Ext&Mobile:201 VoiceMailDirect:201*1
>       FAX   81-50-5830-5941
>            http://wats.gr.jp
>          Mail: wats @ wats.gr.jp
> Please remove the spaces on both sides of the @.
> 
> Key fingerprint = B53D FF2F BFEA FDA8 1439  38AA 8281 9A3E C9B6 2FC9
> 
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> 
> 


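As an added example for this thread (it is not code from fail2ban, vpopmail or any of the posters), the script below replays constructed maillog lines through the failregex lines posted above (Gary's four plus Nori's pop3 and null-password variants) and through a small model of the jail Gary posted (maxretry = 4, findtime = 86400, bantime = 10800), with the ban time stepping up on each repeat ban in the spirit of the escalating-jail approach Gary linked. Assumptions: fail2ban's <HOST> token is replaced by a plain IPv4 pattern (fail2ban's real one also matches IPv6 and hostnames), the ladder of 3 hours, 1 day, 1 week, 1 year is illustrative rather than the article's figures, and every log line is constructed, not real server output.

```python
"""Replay vpopmail/vchkpw maillog lines through the thread's failregex lines
and a minimal fail2ban-style jail with escalating ban times.

Added example for the mailing-list thread; not code from fail2ban, vpopmail
or any poster. Assumptions: <HOST> is replaced by an IPv4-only pattern, the
ban ladder is illustrative, and the sample log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> token (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Representative failregex lines as posted in the thread, <HOST> substituted.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
    r"vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$",
    r"vchkpw-smtp: null password given [^:]*:<HOST>",
    r"vchkpw-submission: null password given [^:]*:<HOST>",
)]


def match_failregex(line):
    """Return the offending IP if any failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line, year=2020):
    """Parse the leading 'Mon DD HH:MM:SS' syslog stamp (syslog has no year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


class Jail:
    """maxretry failures within findtime trigger a ban; each further ban of
    the same host takes the next step on the ladder (recidivism)."""

    def __init__(self, maxretry=4, findtime=86400,
                 ladder=(10800, 86400, 604800, 31536000)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.ladder = ladder
        self.failures = defaultdict(deque)   # host -> recent failure times
        self.ban_count = defaultdict(int)    # host -> bans issued so far
        self.ban_until = {}                  # host -> when the current ban ends
        self.events = []                     # (host, ban start, seconds)

    def feed(self, line):
        host = match_failregex(line)
        if host is None:
            return None
        ts = syslog_time(line)
        # A banned host is dropped by the firewall; fail2ban never sees it.
        if ts < self.ban_until.get(host, datetime.min):
            return None
        q = self.failures[host]
        q.append(ts)
        while ts - q[0] > self.findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) < self.maxretry:
            return None
        step = min(self.ban_count[host], len(self.ladder) - 1)
        seconds = self.ladder[step]
        self.ban_count[host] += 1
        self.ban_until[host] = ts + timedelta(seconds=seconds)
        q.clear()
        self.events.append((host, ts, seconds))
        return seconds


# Constructed sample maillog lines (not real output). The vchkpw message
# shapes follow what the thread quotes; the dovecot line is noise that no
# failregex should match.
SAMPLE_LOG = """\
Jun  3 20:15:01 mail vpopmail[4711]: vchkpw-smtp: vpopmail user not found admin@:198.51.100.7
Jun  3 20:15:03 mail vpopmail[4712]: vchkpw-smtp: vpopmail user not found info@:198.51.100.7
Jun  3 20:15:05 mail vpopmail[4713]: vchkpw-submission: password fail (pass: 'hunter2') gary@example.com:198.51.100.7
Jun  3 20:15:09 mail vpopmail[4714]: vchkpw-pop3: vpopmail user not found test@example.com:198.51.100.7
Jun  3 20:15:10 mail vpopmail[4715]: vchkpw-smtp: vpopmail user not found sales@:198.51.100.7
Jun  3 21:00:00 mail vpopmail[4800]: vchkpw-smtp: null password given gary@example.com:203.0.113.9
Jun  3 21:00:01 mail dovecot: imap-login: Login: user=<gary>, method=PLAIN, rip=203.0.113.5
Jun  4 00:30:00 mail vpopmail[5001]: vchkpw-smtp: vpopmail user not found admin@:198.51.100.7
Jun  4 00:30:02 mail vpopmail[5002]: vchkpw-smtp: vpopmail user not found info@:198.51.100.7
Jun  4 00:30:04 mail vpopmail[5003]: vchkpw-smtp: vpopmail user not found postmaster@:198.51.100.7
Jun  4 00:30:06 mail vpopmail[5004]: vchkpw-submission: vpopmail user not found root@:198.51.100.7
"""


def run_jail(log=SAMPLE_LOG, **kw):
    """Replay every line through a fresh Jail; return [(host, ban seconds)]."""
    jail = Jail(**kw)
    for line in log.splitlines():
        jail.feed(line)
    return [(host, seconds) for host, _, seconds in jail.events]


if __name__ == "__main__":
    for host, seconds in run_jail():
        print(f"ban {host} for {seconds}s")
```

Against the sample log the first four failures from 198.51.100.7 earn the 3-hour ban, the fifth line from that host is ignored while the ban is in force, and the four failures after the ban expires earn the next step on the ladder. Before trusting a filter on a live box, run fail2ban's own tester against the real log, fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf, which reports how many lines each failregex matched; that is also the quickest way to see why a stock filter such as dovecot.conf never catches anything on a particular log format.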