Hi,

What about below?

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
# Values:  TEXT
#
failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$
            vchkpw-pop3: vpopmail user not found .*@:<HOST>$
            vchkpw-pop3: vpopmail user not found .*@.*:<HOST>..$
            vchkpw-pop3: vpopmail user not found .*@:<HOST>..$
            vchkpw-smtp: vpopmail user not found .*@.*:<HOST>$
            vchkpw-smtp: vpopmail user not found .*@:<HOST>$
            vchkpw-smtp: vpopmail user not found .*@.*:<HOST>..$
            vchkpw-smtp: vpopmail user not found .*@:<HOST>..$
            vchkpw-submission: vpopmail user not found .*@.*:<HOST>$
            vchkpw-submission: vpopmail user not found .*@:<HOST>$
            vchkpw-submission: vpopmail user not found .*@.*:<HOST>..$
            vchkpw-submission: vpopmail user not found .*@:<HOST>..$
            vchkpw-submission: password fail \(pass: '.*'\) .*@.*:<HOST>$
            vchkpw-smtp: null password given [^:]*:<HOST>
            vchkpw-submission: null password given [^:]*:<HOST>

Kind regards,
Nori

On Wed, 3 Jun 2020 18:14:01 -0700 r...@mattei.org wrote:

> Nice work. I will take a look and try it out.
>
> > On 3 Jun 2020, at 17:52, Gary Bowling <g...@gbco.us> wrote:
> >
> > It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf
> > that is included with fail2ban. That should catch attempts on imap and
> > pop3, but I've never had it actually trap anything. So I'm guessing there
> > is something not quite right about it.
> >
> > If you have something there that actually works, let me know.
> >
> > Seems like most of the hacking on my server is trying to find smtp relays,
> > so maybe it's not a problem. Manually looking through the dovecot logs I
> > don't see a ton of attempts there. Nothing like the maillog where there
> > seems to be an endless list of bots hacking away.
> >
> > Gary
> >
> >> On 6/3/2020 8:37 PM, Eric Broch wrote:
> >> Nice, easier than mine.
> >>
> >> On 6/3/2020 6:27 PM, Gary Bowling wrote:
> >>>
> >>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
> >>>
> >>> [INCLUDES]
> >>> before = common.conf
> >>>
> >>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
> >>>
> >>> [Definition]
> >>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
> >>>             vchkpw-submission: vpopmail user not found .*:<HOST>$
> >>>             vchkpw-smtp: password fail .*:<HOST>$
> >>>             vchkpw-submission: password fail .*:<HOST>$
> >>> ignoreregex =
> >>>
> >>> In my jail.local, I have the following for my vpopmail config.
> >>>
> >>> [vpopmail]
> >>> enabled = true
> >>> filter = vpopmail
> >>> port = pop3,pop3s,imap,imaps,submission,465
> >>> logpath = /var/log/maillog
> >>> maxretry = 4
> >>> findtime = 86400 ; 1 day
> >>> bantime = 10800 ; 3 hours
> >>>
> >>> On 6/3/2020 7:53 PM, Eric Broch wrote:
> >>>> can you share your vpopmail rules for fail2ban, config and regex?
> >>>>
> >>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
> >>>>>
> >>>>> FYI in case someone else can use this info.
> >>>>>
> >>>>> In my recent review of my server and trying to tighten up security, I
> >>>>> noticed that there were a number of IPs that showed up regularly in my
> >>>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks
> >>>>> at failed login attempts and blocks their IP addresses in iptables.
> >>>>>
> >>>>> One IP address in particular would attack my server, get banned by
> >>>>> fail2ban, and when the bantime was up, the same IP would start
> >>>>> attacking again, and the loop would continue.
> >>>>>
> >>>>> In order to try to do something about these bots, I first looked at the
> >>>>> "recidive" jail that is included with more recent versions of fail2ban.
> >>>>>
> >>>>> The recidive jail was created just for this problem. However, recidive
> >>>>> just adds an additional jail time for a repeat offender. So, for
> >>>>> instance, a 4 hour jail time might get increased to 1 week. But after a
> >>>>> week it starts over.
> >>>>>
> >>>>> In searching I found this article, which describes what I think is a
> >>>>> better approach to the issue.
> >>>>>
> >>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
> >>>>>
> >>>>> This article describes how to build a series of increased jail times
> >>>>> for a habitual offender, eventually culminating in a year jail time.
> >>>>>
> >>>>> Thanks, Gary
> >>>>>
> >>>>> --
> >>>>> ____________________
> >>>>> Gary Bowling
> >>>>> The Moderns on Spotify
> >>>>> ____________________
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> >>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

--
WATS CO.,LTD.
Telecommunications Association License No. A-18-9191
Government Resell License No. 301039703002
Kawana Bldg, 5F Kamata Ota-ku Tokyo, 144-0052 JAPAN
Phone 81-50-5830-5940 Ext&Mobile:201 VoiceMailDirect:201*1
FAX 81-50-5830-5941
http://wats.gr.jp
Mail: wats @ wats.gr.jp (please remove the spaces on both sides of the @)
Key fingerprint = B53D FF2F BFEA FDA8 1439 38AA 8281 9A3E C9B6 2FC9
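As an added example (not code from this thread or from fail2ban), a small Python harness that does what fail2ban-regex would do with the filter above: it substitutes a host pattern for <HOST>, runs a subset of the failregex lines over constructed maillog lines in vchkpw's format, and applies Gary's maxretry = 4 to decide which source addresses the jail would ban. The IPv4-only host pattern, the sample log lines and the helper names are assumptions; the parentheses in the password-fail pattern are escaped so that the literal "(pass: '...')" text in the log can match.

```python
import re
from collections import defaultdict

# Stand-in for fail2ban's <HOST> tag. fail2ban substitutes its own, broader
# host pattern; this IPv4-only form is an assumption for the demo.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# A subset of the failregex lines from the vpopmail filter in this thread.
# The literal parentheses around "pass: '...'" are escaped here; unescaped,
# the regex engine treats them as a group and the log line never matches.
FAILREGEX = [
    r"vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$",
    r"vchkpw-smtp: vpopmail user not found .*@.*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*@.*:<HOST>$",
    r"vchkpw-submission: password fail \(pass: '.*'\) .*@.*:<HOST>$",
    r"vchkpw-smtp: null password given [^:]*:<HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed /var/log/maillog lines in vchkpw's format (not real traffic).
SAMPLE_LOG = """\
Jun  3 20:37:01 mail vpopmail[2311]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.5
Jun  3 20:37:02 mail vpopmail[2312]: vchkpw-smtp: vpopmail user not found test@example.com:203.0.113.5
Jun  3 20:37:03 mail vpopmail[2313]: vchkpw-submission: password fail (pass: 'hunter2') alice@example.com:203.0.113.5
Jun  3 20:37:04 mail vpopmail[2314]: vchkpw-smtp: null password given bob@example.com:203.0.113.5
Jun  3 20:38:10 mail vpopmail[2320]: vchkpw-pop3: vpopmail user not found carol@example.com:198.51.100.7
Jun  3 20:38:11 mail vpopmail[2321]: vchkpw-smtp: vpopmail user bob@example.com logged in from 192.0.2.9
"""

def match_line(line):
    """Return the offending host for a line, or None (each failregex is tried in turn)."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(log_text, maxretry=4):
    """Count failures per host and return those reaching maxretry (Gary's jail uses 4).
    The findtime window is not modelled: all sample lines fall within one day."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        host = match_line(line)
        if host:
            failures[host] += 1
    return sorted(h for h, n in failures.items() if n >= maxretry)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.5']
```

Lines that no failregex matches (the "logged in" line above) contribute nothing, which is the same check fail2ban-regex reports as "missed" lines when a filter is silently too narrow.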