I've discovered a new type of attack on Dovecot!

Discussion in 'Installation/Configuration' started by concept21, Jun 7, 2023.

  1. concept21

    concept21 Active Member HowtoForge Supporter

    I have discovered many of these attacks on dovecot in /var/log/mail.err
    How do we ban this new type of attack? :mad:
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is it a new type of attack?
    I use fail2ban, and to ban those attacks I have added to jail.local:
    Code:
    [dovecot]
    enabled = true
    
     
    ahrasis likes this.
  3. concept21

    concept21 Active Member HowtoForge Supporter

    There is no ban rule for this new type of attack!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Why do you think that this is a new type of attack? According to your log, it seems that there is just a bot trying out username/password combinations.
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    There is on my host, it came with fail2ban. I verified again just now, and it does ban IP-addresses guessing passwords in dovecot.
    If you read the dovecot jail definition in fail2ban, you see it has a regular expression that matches the log line you showed in #1.
    Edit:
    I noticed you never wrote what OS you are using on that host. I have Debian GNU/Linux 10 and there fail2ban does ban those attempts.
     
  6. concept21

    concept21 Active Member HowtoForge Supporter

    My OS is Ubuntu 20.04.
    Because the log in the question is /var/log/mail.err, while the ISPConfig fail2ban default log for dovecot is /var/log/mail.log.

    So we have to add /var/log/mail.err somewhere else in the fail2ban jail.local
     
  7. concept21

    concept21 Active Member HowtoForge Supporter

    OK! Just add one more log path under
    [dovecot]
    logpath = /var/log/mail.err
    :p
     
    ahrasis likes this.
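
Added example (not from the thread and not ISPConfig's shipped configuration): a jail.local stanza that keeps the /var/log/mail.log path mentioned in post #6 and adds /var/log/mail.err from post #7. fail2ban accepts several files in one logpath, one per line with the continuation lines indented, whereas a single logpath line in jail.local overrides the value the jail had before. The maxretry, findtime and bantime values are illustrative assumptions.

```ini
# /etc/fail2ban/jail.local
[dovecot]
enabled  = true
filter   = dovecot

# One file per line; continuation lines must be indented.
logpath  = /var/log/mail.log
           /var/log/mail.err

# Illustrative values (assumptions), in seconds where applicable.
maxretry = 5
findtime = 600
bantime  = 3600

# Checks to run after editing:
#   fail2ban-regex /var/log/mail.err /etc/fail2ban/filter.d/dovecot.conf
#       reports how many lines in mail.err the dovecot filter matches;
#       zero matches means the jail cannot ban on that file's entries.
#   fail2ban-client reload
#   fail2ban-client status dovecot
#       the "File list" line should show both log files.
```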
