Fail2Ban for Dovecot Revision as of Monday, 21 December 2015 at 02:30 UTC

Installation

   yum install fail2ban
   chkconfig fail2ban on

Configuration

Now add this to /etc/fail2ban/jail.conf. Change the sender email.

   [dovecot]
   enabled  = true
   filter   = dovecot
   action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
              sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]
   logpath  = /var/log/maillog
   maxretry = 10
   findtime = 1200
   bantime  = -10

See the
manual
for an explanation of the options. In this configuration, anyone
attempting to authenticate unsuccessfully 10 times will be banned
permanently.

Fail2Ban will try looking for a configuration/filter file called
“dovecot.conf” in the filters directory, /etc/fail2ban/filters.d.
Create it and add this if it doesn’t exist for some reason:

   [Definition]
   failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.*
   ignoreregex =

Testing

Fail2Ban comes with a handy-dandy regex testing tool.

   fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf

You should issue iptables -L to verify that there’s a Fail2Ban chain.
Now telnet to the POP3 port from another machine and try logging in
with some junk.

   Trying 198.81.129.107...
   Connected to example.com (198.81.129.107).
   Escape character is '^]'.
   +OK Hello. Please be nice.
   user hahahaha
   -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

You’ll see a bunch of these in /var/log/maillog:

   Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107

When you see 10 of them, wait a bit. You’ll see an email from Fail2Ban
informing you that it’s blocked an IP. To verify, issue
iptables -L -n. You’ll see this somewhere:

   Chain fail2ban-dovecot (1 references)
   target     prot opt source               destination
   DROP       all  --  72.21.81.85        0.0.0.0/0

Nice. To unban, just remove the rule from the chain:

   iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP

Using the Service

   service fail2ban start

Check its status

   [root@example ~]# service fail2ban status
   Fail2ban (pid 15919) is running...
   Status
   |- Number of jail:  1
   `- Jail list:       dovecot

You should have gotten an email from the service with the subject
“[Fail2Ban] dovecot: started”. Check /var/log/messages for
banned IPs