Hi,
  got it working finally...

If you have already got fail2ban running then try these settings.
They finally stopped my issues after 13 hours and blocking hundreds
of unique IPs.


This is a variation on a set of files I found by searching on the web.
I would attribute them if I knew who wrote them.
Edit fail2ban's jail.local in the /etc/fail2ban directory.

Insert this exactly.

[qmail-vpopmail-imap-pw-fail]
enabled  = true
filter   = qmail-vpopmail-imap-pw-fail
action   = iptables-multiport[name=IMAP, port="143,585,993", protocol=tcp]
logpath  = /var/log/qmail/imap4/current
maxretry = 1
bantime  = 864000
findtime = 3600

Create a file called qmail-vpopmail-imap-pw-fail.conf and insert this text:

# Fail2Ban configuration file
#
[Definition]
#Looks for failed logins into IMAP
failregex = ^.* INFO\: LOGIN FAILED, user\=.*\, ip\=\[<HOST>\]
ignoreregex =


After editing restart fail2ban or reboot, up to you.
Then tail the imap log to see the logins slow down over the next few hours.


If you need more please contact me off list.

I also have changes to the pop3 run file to record the login details.


Hope this helps.

best wishes
  Tony White

http://acrosstechnology.com.au
4a Birmingham Road
Mount Evelyn
Victoria
Australia 3796
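
Added example, not part of the message above or of fail2ban itself: a Python check of the posted failregex against constructed log lines, showing why the jail uses maxretry = 1 when each address only tries twice. The `<HOST>` substitution is a simplified stand-in for fail2ban's own expansion, the sample lines are constructed, and all lines are assumed to fall within findtime.

```python
import re
from collections import Counter

# failregex exactly as posted in the filter above.
FAILREGEX = r"^.* INFO\: LOGIN FAILED, user\=.*\, ip\=\[<HOST>\]"

# Simplified stand-in for fail2ban's <HOST> tag (an assumption, not fail2ban's
# real expansion): optional IPv4-mapped prefix, then the address itself.
HOST = r"(?:::f{4,6}:)?(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed lines shaped the way the failregex expects (not real log data).
SAMPLE_LOG = [
    "@400000005da2e0f11a2b3c4d INFO: LOGIN FAILED, user=info@example.com, ip=[::ffff:192.0.2.10]",
    "@400000005da2e0f52a2b3c4d INFO: LOGIN FAILED, user=sales@example.com, ip=[::ffff:192.0.2.10]",
    "@400000005da2e0f93a2b3c4d INFO: LOGIN FAILED, user=admin@example.com, ip=[::ffff:198.51.100.7]",
    # Successful login: must not count as a failure.
    "@400000005da2e0fd0a2b3c4d INFO: LOGIN, user=tony@example.com, ip=[::ffff:203.0.113.5]",
    # User field carrying a look-alike ip=[...] token: the greedy .* makes the
    # last ip=[...] on the line (assumed to be the server's own) the captured host.
    "@400000005da2e1011a2b3c4d INFO: LOGIN FAILED, user=x, ip=[10.0.0.1], ip=[::ffff:198.51.100.9]",
]


def failed_hosts(lines):
    """Return the host captured from every line the failregex matches."""
    return [m.group("host") for m in map(PATTERN.search, lines) if m]


def hosts_to_ban(lines, maxretry):
    """Hosts that reach maxretry failures (all lines assumed within findtime)."""
    counts = Counter(failed_hosts(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matched hosts:", failed_hosts(SAMPLE_LOG))
    for maxretry in (1, 3):
        print(f"maxretry={maxretry} ->", hosts_to_ban(SAMPLE_LOG, maxretry))
```

On the server itself, fail2ban-regex run against the real log and filter file remains the authoritative check.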


On 17/10/19 6:43 pm, ChandranManikandan wrote:
Hi Friends,

I am also facing the same problem, and I had iptables and fail2ban running,
but the issue was still there.
Can I run csf on top of that as well?
I am running CentOS 6 servers.
Appreciate your help.

On Sun, Oct 13, 2019 at 10:12 PM Tony White <t...@ycs.com.au> wrote:

Hi,
    Correct again but it seems the regex is at fault.
The regex generates no results for courierlogin
nor couriersmtp.
    Trying to build a regex for these but it is not my first
language...

best wishes
    Tony White

On 14/10/19 12:19 am, Solo wrote:
Hi Tony.

What log do You expect entries in? fail2ban.log?

Make sure the regex in the filter.d/*.conf file You use matches the
entries in the log file(s) it monitors

A good idea is to test the *.conf file using:
fail2ban-regex "path to the log to monitor" "path to the fail2ban filter"
like: fail2ban-regex /var/log/qmail/submission/current /etc/fail2ban/filter.d/submission.conf
Hope this helps

Cheers
Finn

On 13-10-2019 at 14:07, Tony White wrote:
Hi,
    Well, I have enabled the two in the filter.d directory you mentioned,
restarted/reloaded fail2ban, and no change. Still no entries in the
log file.

best wishes
    Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:
Hi folks,
    Sorry to disturb but I have been trying to fix this for two days now.
My IMAP server is methodically (brute force) attacked over many many IPs.
I have written scripts to auto block the IPs but they only try twice for two
different names then use a different IP!

Has anyone encountered this before and did you find a resolution for it?
Can I add an entry in the run script for a LOGIN FAILED to block the IP
first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is
frustrating.

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com

