pop3 problems

Discussion in 'Server Operation' started by asus, Apr 29, 2009.

  1. asus

    asus New Member

    OK, my email server is getting hit really hard, and my fail2ban still spits out this error.

    Code:
    2009-04-26 06:45:55,346 fail2ban.comm   : WARNING Invalid command: ['add', 'courierpop3', 'polling']
    2009-04-25 21:20:30,398 fail2ban.jail   : INFO   Using poller
    2009-04-25 21:20:30,513 fail2ban.filter : INFO   Created Filter
    2009-04-25 21:20:30,515 fail2ban.filter : INFO   Created FilterPoll
    2009-04-25 21:20:30,527 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
    2009-04-25 21:20:30,553 fail2ban.filter : INFO   Set maxRetry = 5
    2009-04-25 21:20:30,557 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
    
    I have been getting hit a lot. The same address has tried to log in 12308 times; here are a few.

    Code:
    pop3:
        Unknown Entries:
           authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root:
    15 Time(s)
           authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mysql:
    6 Time(s)
           authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody
    My question is: can I fix this error so that fail2ban will block these mass attempts?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Can you post the Courier part of your fail2ban configuration?
     
  3. asus

    asus New Member

    Code:
    [courierpop3]
    
    enabled  = true
    port     = pop3
    filter   = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierimap]
    
    enabled  = true
    port     = imap2
    filter   = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's in the courierlogin filter in /etc/fail2ban/filter.d/?
     
  5. asus

    asus New Member

    Code:
    #
    failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Hm, not sure if it helps, but can you change
    Code:
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    to
    Code:
    failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]
    and
    Code:
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    to
    Code:
    failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]
    ?
     
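    The regexes in this thread are hard to reason about by eye, so here is an added example (not code from the thread, and not fail2ban's own source) that checks them the way fail2ban would apply them. It substitutes the `<HOST>` tag with the same pattern fail2ban 0.8.x uses, strips the syslog timestamp as an approximation of fail2ban's date handling, and runs each failregex over a handful of constructed Courier log lines in the format found in /var/log/mail.log. The log lines, host names and counts are made up for the example; the `maxretry` threshold of 5 is the one from the jail config above.

```python
import re
from collections import Counter

# fail2ban 0.8.x replaces <HOST> with this before compiling a failregex:
# an optional IPv4-mapped IPv6 prefix (::ffff:) followed by the address.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex variants that appear in this thread.
JAIL_POP3_REGEX = r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]"   # jail section
SUGGESTED_REGEX = r"LOGIN FAILED.*ip=\[.*:<HOST>\]"                     # suggested change
FILTER_REGEX = r"LOGIN FAILED, .*, ip=\[<HOST>\]$"                      # filter.d/courierlogin

# Constructed sample lines in the shape Courier logs to /var/log/mail.log
# (syslog timestamp, host, program, message). Not taken from the post.
SAMPLE_LOG = """\
Apr 25 21:20:31 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Apr 25 21:20:32 mail courierpop3login: LOGIN FAILED, user=mysql, ip=[::ffff:192.0.2.10]
Apr 25 21:20:33 mail pop3d: LOGIN FAILED, user=nobody, ip=[::ffff:192.0.2.10]
Apr 25 21:20:34 mail imapd: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Apr 25 21:20:35 mail pop3d: LOGIN FAILED, user=admin, ip=[198.51.100.7]
Apr 25 21:20:36 mail pop3d: LOGIN, user=alice, ip=[::ffff:203.0.113.5]
Apr 25 21:20:37 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Apr 25 21:20:38 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Apr 25 21:20:39 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Apr 25 21:20:40 mail imapd: LOGIN FAILED, user=root, ip=[2001:db8::1]
"""

# "Mon DD HH:MM:SS " as written by syslog; the day may be space-padded.
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def strip_timestamp(line):
    """Drop the syslog timestamp so the failregex sees only the log message."""
    return SYSLOG_TS.sub("", line, count=1)


def first_host(failregex, line):
    """Return the <host> a failregex extracts from one line, or None if it does not match."""
    m = compile_failregex(failregex).search(strip_timestamp(line))
    return m.group("host") if m else None


def matched_hosts(failregex, log):
    """Every host extracted by failregex, one entry per matching line."""
    hosts = []
    for line in log.splitlines():
        host = first_host(failregex, line)
        if host is not None:
            hosts.append(host)
    return hosts


def failure_counts(failregex, log):
    """Failed logins per host, as fail2ban's filter would count them."""
    return dict(Counter(matched_hosts(failregex, log)))


def hosts_to_ban(failregex, log, maxretry=5):
    """Hosts that reached maxretry failures (ignoring findtime for simplicity)."""
    return sorted(h for h, n in failure_counts(failregex, log).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("jail pop3", JAIL_POP3_REGEX),
                     ("suggested", SUGGESTED_REGEX),
                     ("filter.d", FILTER_REGEX)):
        print(name, failure_counts(rx, SAMPLE_LOG), "ban:", hosts_to_ban(rx, SAMPLE_LOG))
```

    Two things worth noticing when running it: the `ip=\[.*:<HOST>\]` form used in the jail section (and in the suggested change) only matches when there is a colon in front of the address, so a line logged as `ip=[198.51.100.7]` without the `::ffff:` prefix is never counted, and on a bare IPv6 address the greedy `.*:` leaves only the last group as `<host>`. The filter.d form `ip=\[<HOST>\]$` handles both, which is why fail2ban keeps the regex in filter.d and expects the jail section to reference it by `filter =` rather than repeat it.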
  7. asus

    asus New Member

    Sorry to say, but the same error keeps coming up.
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Then I'm at my wit's end... :(
     
  9. asus

    asus New Member

    I followed Preventing Brute Force Attacks With Fail2ban On Debian Etch. I'm not sure if you remember, but I am running The Perfect Ubuntu 8.04 LTS Server setup with ISPConfig 2. Would this have anything to do with it? I know Ubuntu is based on Debian.
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Might be a problem with Ubuntu, but I can't say for sure...
     