thanx john
----- Original Message ----
From: John Lundin lundin@fini.net
john, could u share your rules for the dovecot attempts?
Since no one else has stepped up... here's dovecot and vsftpd.
These worked for me, ymmv. Centos 5 with rpmforge. Folded, failregex should be a single line with a space between ":" and "authentication".
/etc/fail2ban/filter.d/dovecot.conf
[Definition]
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
/etc/fail2ban/filter.d/vsftpd.conf
[Definition]
failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
And changes to /etc/fail2ban/jail.conf. (Note that you also want to change the sendmail actions to use valid email addresses...)
diff --git a/jail.conf b/jail.conf index b74320f..a726947 100644 --- a/jail.conf +++ b/jail.conf @@ -113,7 +113,7 @@ bantime = 300 enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800
@@ -121,11 +121,11 @@ bantime = 1800
[vsftpd-iptables]
-enabled = false +enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800
@@ -203,3 +203,25 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1
+[dovecot-notification]
+enabled = false +filter = dovecot +action = sendmail-whois[name=Dovecot, dest=you@mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800
+# Same as above but with banning the IP address.
+[dovecot-iptables]
+enabled = true +filter = dovecot +action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
sendmail-whois[name=Dovecot, dest=you@mail.com]
+logpath = /var/log/secure +maxretry = 5 +bantime = 1800 +#ignoreip = 168.192.0.1
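Review bot: In the @@ -113 hunk, the new logpath = /var/log/secure only produces matches when vsftpd authenticates through PAM, because the vsftpd filter keys on pam_unix(vsftpd:auth) lines rather than on vsftpd's own log format. A one-line comment above logpath saying so would keep the next admin from pointing it back at /var/log/vsftpd.log and silently getting zero matches.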
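Review bot: In the @@ -121 hunk, [vsftpd-iptables] goes to enabled = true while its sendmail-whois action still carries dest=you@mail.com, so every ban report, including the offending address and whois output, is mailed to that placeholder. Set dest to a real local mailbox in the same change, or leave the jail disabled until it is set.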
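Review bot: In the @@ -203 hunk, the commented #ignoreip = 168.192.0.1 under [dovecot-iptables] repeats the value from the context line above it, and 168.192.0.1 is not a private address; it reads like a transposed 192.168.0.1, so anyone who uncomments it exempts an unrelated public host from banning. Replace it with an address from your own network. The sendmail-whois[name=Dovecot, ...] continuation of the action is also shown without a leading "+", so as written it is treated as a context line and the hunk will not apply cleanly.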
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
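The dovecot and vsftpd filters from the message above can be checked offline before a jail is enabled. The following is an added example, not part of the original post: it assumes the failregex has its parentheses escaped and fail2ban's <HOST> tag after rhost=, uses a simplified stand-in for the pattern fail2ban substitutes for <HOST>, and applies only maxretry (findtime is ignored). The names HOST, TAIL, failures and banned belong to this example, and the log lines are constructed.

```python
import re
from collections import Counter

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w.:-]+)"
TAIL = r": authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$"
FILTERS = {
    # \( and \) match the literal parentheses that pam_unix writes to the log.
    "dovecot": r"dovecot-auth: pam_unix\(dovecot:auth\)" + TAIL,
    "vsftpd": r"vsftpd: pam_unix\(vsftpd:auth\)" + TAIL,
}

# Constructed /var/log/secure lines using documentation addresses.
PAM = "authentication failure; logname= uid=0 euid=0 "
SAMPLE = [
    f"Mar  3 10:15:0{i} mail dovecot-auth: pam_unix(dovecot:auth): {PAM}"
    "tty=dovecot ruser=alice rhost=::ffff:203.0.113.7  user=alice"
    for i in range(5)
] + [
    f"Mar  3 10:16:00 mail dovecot-auth: pam_unix(dovecot:auth): {PAM}"
    "tty=dovecot ruser=bob rhost=198.51.100.9  user=bob",
    f"Mar  3 10:16:05 mail vsftpd: pam_unix(vsftpd:auth): {PAM}"
    "tty=ftp ruser=carol rhost=198.51.100.9",
    f"Mar  3 10:16:09 mail sshd[4242]: pam_unix(sshd:auth): {PAM}"
    "tty=ssh ruser= rhost=192.0.2.5  user=root",
]

def failures(lines, failregex):
    """Count lines matched by failregex, keyed by the captured remote host."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return Counter(m.group("host") for m in map(rx.search, lines) if m)

def banned(lines, failregex, maxretry=5):
    """Hosts whose failure count reaches maxretry (the jail.conf value)."""
    counts = failures(lines, failregex)
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in FILTERS.items():
        print(name, dict(failures(SAMPLE, rx)), "ban:", banned(SAMPLE, rx))
    # Unescaped parentheses become a regex group and never match the log text.
    unescaped = FILTERS["dovecot"].replace("\\(", "(").replace("\\)", ")")
    print("unescaped parens:", dict(failures(SAMPLE, unescaped)))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf` runs the installed filter against the real log in the same way.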