David Guntner grabbed a keyboard and wrote:
> David Guntner grabbed a keyboard and wrote:
> [Lots of fail2ban stuff]
> 
> Well, holy cow!  That's what I get for starting a conversation. :-)  I'm
> not the type to just ask a question or answer replies and just sit there
> waiting, I start mucking around and googling more and stuff.  Just
> discovered that fail2ban has *multiport* support for iptables - it can
> be set up to filter chains control more than one port with a single
> filter command.
> 
> I further discovered that the Dovecot website itself has filter and jail
> rules for fail2ban to work with its log entries.
> 
> So yea, if I can set up a filter rule that says something along the
> lines of "if you see this, block traffic for that IP address on the
> following ports...", that will do the trick!  Yay! :-)
> 
> Now, if I can just figure out a way to get Dovecot to close the
> connection when there's too many bad attempts....  I'll have to do some
> more testing; maybe the fail2ban chain through iptables will close an
> existing connection as was suggested might be the case in another reply....
> 
> Ooooh, the possibilities! :-D

Well, waa hoo! :-)  Upon further testing, it seems that when fail2ban
decides you're gone and adds an iptables DROP for you, you drop. <grin>

I added the filter on the page I found for Dovecot & fail2ban that I
mentioned above, and then added an extra failregex entry that looks for
the "auth-worker(default)" log entry, and presto - after I put in a few
bad attempts, fail2ban kicked in and all of a sudden I found myself
kicked out.  Success! :-)

Thanks again to those who helped out!

                 --Dave
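
The check described in the message above, as an added example that is not part of the original post or of fail2ban itself: a failregex for the "auth-worker(default)" entry is run over log lines, failures are counted per address, and a single multiport DROP rule is produced for an address that crosses the threshold. The log layout after the "auth-worker(default)" tag, the regex, the port list, the thresholds and the function names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> itself; this IPv4-only stand-in is an assumption.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Hypothetical failregex; the layout after the tag is assumed, so compare it
# with your own log. The user field is client-supplied, so <HOST> is pinned
# to the last field before the closing parenthesis.
FAILREGEX = (r"dovecot: auth-worker\(default\): [\w-]+\([^,)]*,<HOST>\): "
             r".*(?:failed|mismatch)")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Mar  3 10:00:01 mail dovecot: auth-worker(default): pam(alice,203.0.113.7): pam_authenticate() failed: Authentication failure
Mar  3 10:00:05 mail dovecot: auth-worker(default): pam(root,192.0.2.9): pam_authenticate() failed: Authentication failure
Mar  3 10:00:09 mail dovecot: auth-worker(default): pam(alice,203.0.113.7): pam_authenticate() failed: Authentication failure
Mar  3 10:00:15 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.4
Mar  3 10:00:20 mail dovecot: auth-worker(default): sql(bob,198.51.100.4): Password mismatch
Mar  3 10:00:31 mail dovecot: auth-worker(default): pam(alice,203.0.113.7): pam_authenticate() failed: Authentication failure
Mar  3 10:08:00 mail dovecot: auth-worker(default): pam(root,192.0.2.9): pam_authenticate() failed: Authentication failure
Mar  3 10:20:00 mail dovecot: auth-worker(default): pam(root,192.0.2.9): pam_authenticate() failed: Authentication failure
"""

def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return addresses with >= maxretry matching failures inside findtime."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    recent = defaultdict(deque)   # address -> timestamps still in the window
    banned = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue              # successful logins and other noise
        # Syslog timestamps carry no year; a fixed one is enough for deltas.
        when = datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")
        hits = recent[m["host"]]
        hits.append(when)
        while when - hits[0] > findtime:
            hits.popleft()        # forget failures older than the window
        if len(hits) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

def ban_rule(ip, ports="110,143,993,995"):
    """One iptables rule covering several ports via the multiport match."""
    return (f"iptables -I INPUT -s {ip} -p tcp "
            f"-m multiport --dports {ports} -j DROP")

if __name__ == "__main__":
    for ip in find_bans(SAMPLE_LOG):
        print(ban_rule(ip))
```

Only 203.0.113.7 is banned at the default threshold: 192.0.2.9 also fails three times, but not within one ten-minute window.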

