Fail2ban configuration example for dovecot (POP3/IMAP) and postfix (SMTP).

This example uses CentOS 5.x, which logs security (PAM) events to /var/log/secure and mail-related events to /var/log/maillog.

Daemons used are dovecot for POP3/IMAP and postfix for SMTP.

This assumes you already have fail2ban installed and running, and that iptables is in use, since the actions below ban by adding iptables rules.

First, add the following jails to /etc/fail2ban/jail.conf:

jail.conf

[sasl-iptables]
enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
bantime  = 36000
maxretry = 2

[dovecot-secure]
enabled  = true
filter   = dovecot-secure
action   = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Secure, dest=admin@ourdomain.com]
logpath  = /var/log/secure
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[dovecot-maillog]
enabled  = true
filter   = dovecot-maillog
action   = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Maillog, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Postfix, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

You also have to create the corresponding filter files under /etc/fail2ban/filter.d. The filter = value in each jail must match the filter file name without its .conf suffix, or fail2ban will refuse to start the jail.

dovecot-maillog.conf

[Definition]
# to test the set-up use this:
# /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-maillog.conf
# each extra failregex pattern goes on an indented continuation line; repeating
# the failregex key would keep only the last pattern
failregex = (?:Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex = (?:Disconnected: Logged out).*

dovecot-secure.conf

[Definition]
# to test the set-up use this:
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-secure.conf
# note: the first pattern matches any PAM "authentication failure" line in
# /var/log/secure (sshd included), not only dovecot's; the second is dovecot-specific
failregex = (?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =

dovecot-sasl.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# original pattern, kept for reference:
# failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
# extra patterns go on continuation lines; repeating the failregex key would
# keep only the last pattern
failregex = \[<HOST>\]: SASL login authentication failed
            \[<HOST>\]: SASL PLAIN authentication failed: authentication failure
            \[<HOST>\]: SASL LOGIN authentication failed: authentication failure

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

dovecot-postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# all patterns belong to one failregex value (continuation lines); a second
# failregex key would override the first
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
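As an added example (not part of the original page or of fail2ban itself), the following Python script does offline what the commented-out fail2ban-regex commands above do: it expands the <HOST> tag, runs the page's failregex and ignoreregex patterns over a few constructed log lines, and applies the maxretry threshold from jail.conf. The log lines are constructed for the demo, not real logs, and the host counting assumes every line falls inside one findtime window.

```python
import re
from collections import Counter

# Expansion of the <HOST> tag, as quoted in the filter comments above.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# failregex / ignoreregex copied from the filters on this page (one pattern per entry).
FILTERS = {
    "dovecot-maillog": {
        "failregex": [r"(?:Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"],
        "ignoreregex": [r"(?:Disconnected: Logged out).*"],
    },
    "dovecot-sasl": {
        "failregex": [r"\[<HOST>\]: SASL LOGIN authentication failed: authentication failure",
                      r"\[<HOST>\]: SASL PLAIN authentication failed: authentication failure"],
    },
    "dovecot-postfix": {"failregex": [r"reject: RCPT from (.*)\[<HOST>\]: 554"]},
}

def failed_hosts(name, lines):
    """Hosts extracted from lines that hit a failregex and no ignoreregex (what fail2ban-regex reports)."""
    spec = FILTERS[name]
    fail = [re.compile(r.replace("<HOST>", HOST)) for r in spec["failregex"]]
    ignore = [re.compile(r) for r in spec.get("ignoreregex", [])]
    hosts = []
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue  # ignoreregex wins over failregex, as in fail2ban
        m = next((m for m in (r.search(line) for r in fail) if m), None)
        if m:
            hosts.append(m.group("host"))
    return hosts

def to_ban(name, lines, maxretry=2):
    """Hosts a jail with this maxretry would ban (all lines assumed to fall inside one findtime window)."""
    counts = Counter(failed_hosts(name, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample log lines (not real logs) in the CentOS syslog format the filters expect.
MAILLOG = [
    "Mar  3 10:01:02 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
    "Mar  3 10:01:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=::ffff:203.0.113.7, lip=192.0.2.10",
    "Mar  3 10:02:00 mail dovecot: imap-login: Disconnected: Logged out: rip=198.51.100.5, lip=192.0.2.10",
    "Mar  3 10:03:00 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:04:00 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <x@example.net>: Relay access denied",
]

if __name__ == "__main__":
    for name in FILTERS:
        print(name, "failures:", failed_hosts(name, MAILLOG), "ban:", to_ban(name, MAILLOG))
```

Note that the second dovecot line carries the IPv4-mapped prefix ::ffff: and still yields the bare IPv4 address, and that failures are counted per jail: the SASL jail alone does not reach maxretry for 203.0.113.7 even though the same host also failed IMAP and POP3 logins.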

Restart the fail2ban service and you are good to go :)