Has anyone made a fail2ban filter configuration to block random attempts on POP3 (and SMTP) for Kerio MailServer? Fail2ban would be great to block these attempts in the Kerio warning log:

    [20/Dec/2009 16:35:59] POP3: User user<_at_>example doesn't exist. Attempt from IP address XXX.XXX.XX.XX

and

    [22/Nov/2009 00:05:01] POP3: Invalid password for user user<_at_>example. Attempt from IP address XXX.XXX.XX.XX

Fail2ban works great with the standard filters included in the package, but I can't find a working config for Kerio unfortunately ... Anyone managed to write a working filter config for fail2ban? Help would be really appreciated!

Thanks, Tom.
You can try this as a regular expression for the filter:

    failregex = POP3: Invalid password for user *. Attempt from IP address \[.*:<HOST>\]
Thanks for your suggestion Falko,

But something is still not working. When I test the expression with fail2ban-regex, I get:

    login$ fail2ban-regex "POP3: User [email protected] doesn't exist. Attempt from IP address 10.0.0.233" "POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]"

    Running tests
    =============

    Use regex line : POP3: User *. doesn't exist. Attempt from IP addre...
    Use single line: POP3: User [email protected] doesn't exist. Atte...

    Results
    =======

    Failregex
    |- Regular expressions:
    |  [1] POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]
    |
    `- Number of matches:
       [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Sorry, no match

    Look at the above section 'Running tests' which could contain important information.

I don't see why it returns no matches?! Any ideas?

Thanks!
Maybe you need to remove the dot after the asterisk:

    failregex = POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]
I tried this, but still no matches ...

This is the query:

    user# fail2ban-regex "POP3: Invalid password for user [email protected]. Attempt from IP address 10.0.0.31" "POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]"

This is the result:

    Running tests
    =============

    Use regex line : POP3: Invalid password for user * Attempt from IP ...
    Use single line: POP3: Invalid password for user [email protected]. ...

    Results
    =======

    Failregex
    |- Regular expressions:
    |  [1] POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]
    |
    `- Number of matches:
       [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Sorry, no match

    Look at the above section 'Running tests' which could contain important information.

Why, why, why

Thanks for any new insights!

Tom
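A worked check of the filter logic, added here as an example and not posted by anyone in the thread. It uses Python's re module with a simplified version of fail2ban's <HOST> expansion, strips the Kerio timestamp the way fail2ban handles the date separately from failregex, and runs both an assumed corrected failregex pair and the pattern suggested above against constructed sample log lines, so the zero-match result can be reproduced and the difference seen. The failregex lines, the host expansion and the sample addresses/IPs are assumptions, not Kerio or fail2ban project code.

```python
import re

# Constructed Kerio-style warning-log lines (documentation-range sample IPs).
SAMPLE_LOG = """\
[20/Dec/2009 16:35:59] POP3: User bob@example.com doesn't exist. Attempt from IP address 192.0.2.10
[22/Nov/2009 00:05:01] POP3: Invalid password for user alice@example.com. Attempt from IP address 198.51.100.7
[22/Nov/2009 00:05:09] SMTP: Client 203.0.113.5 connected
[22/Nov/2009 00:05:12] POP3: Invalid password for user alice@example.com. Attempt from IP address 198.51.100.7
"""

# Assumed failregex lines as they would go into a fail2ban filter file.
# fail2ban matches the timestamp on its own, so the patterns start after
# the "[date] " prefix; the IP is bare, not in "[...:ip]" brackets.
FAILREGEX = [
    r"^POP3: User \S+ doesn't exist\. Attempt from IP address <HOST>$",
    r"^POP3: Invalid password for user \S+\. Attempt from IP address <HOST>$",
]

# The pattern suggested in the thread, kept for comparison.
THREAD_REGEX = [r"POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]"]

# Simplified expansion of fail2ban's <HOST> tag (the real one also accepts
# IPv4-mapped IPv6 prefixes).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"
DATE_RE = re.compile(r"^\[\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}\] ")


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, compiled):
    """Strip the Kerio timestamp, try each failregex, return the host or None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    for rx in compiled:
        hit = rx.search(rest)
        if hit:
            return hit.group("host")
    return None


def count_failures(log_text, patterns=FAILREGEX):
    """Count matched failures per source IP, like fail2ban's per-host counter."""
    compiled = compile_failregex(patterns)
    counts = {}
    for line in log_text.splitlines():
        host = match_line(line, compiled)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts
```

Running count_failures(SAMPLE_LOG, THREAD_REGEX) returns an empty dict because "user *" only matches "user" followed by spaces, and the bracketed "[...:<HOST>]" form never appears in the Kerio line.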