ok my email server is getting hit really hard, and my fail2ban still spits out this error.

Code:
2009-04-26 06:45:55,346 fail2ban.comm : WARNING Invalid command: ['add', 'courierpop3', 'polling']
2009-04-25 21:20:30,398 fail2ban.jail : INFO Using poller
2009-04-25 21:20:30,513 fail2ban.filter : INFO Created Filter
2009-04-25 21:20:30,515 fail2ban.filter : INFO Created FilterPoll
2009-04-25 21:20:30,527 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2009-04-25 21:20:30,553 fail2ban.filter : INFO Set maxRetry = 5
2009-04-25 21:20:30,557 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

I have been getting hit a lot. The same address has tried to login 12308, here are a few.

Code:
pop3:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root: 15 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mysql: 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=nobody

My question is: can I fix this error so that fail2ban will block these mass attempts?
Code:
[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
Code:
#
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Hm, not sure if it helps, but can you change

Code:
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]

to

Code:
failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]

and

Code:
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]

to

Code:
failregex = LOGIN FAILED.*ip=\[.*:<HOST>\]

?
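As an added example (not from this thread or from fail2ban itself): a small Python script that expands `<HOST>` the way fail2ban 0.8 did, runs the three failregex variants quoted above against constructed Courier log lines, and counts failures per address the way a jail's maxretry counter would. The log lines, program-name spellings and client addresses are constructed for the example, not taken from the poster's server.

```python
import re

# fail2ban 0.8 expanded the <HOST> tag to this pattern before compiling a
# failregex; the optional group swallows the "::ffff:" prefix Courier puts in
# front of IPv4 addresses. Reproduced here as an assumption, not imported.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The regex variants discussed in the thread.
REGEXES = {
    "pop3_jail": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "imap_jail": r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "filter_default": r"LOGIN FAILED, .*, ip=\[<HOST>\]$",
}

# Constructed log lines (assumed format; both pop3 program-name spellings
# are included, plus one native IPv6 client and one successful login).
SAMPLE_LOG = """\
Apr 25 21:20:30 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Apr 25 21:20:31 mail pop3d: LOGIN FAILED, user=mysql, ip=[::ffff:192.0.2.10]
Apr 25 21:20:32 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:192.0.2.10]
Apr 25 21:20:33 mail imapd: LOGIN FAILED, user=root, ip=[2001:db8::1]
Apr 25 21:20:34 mail imapd: LOGIN, user=alice, ip=[::ffff:198.51.100.7]
""".splitlines()


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_host(failregex, line):
    """Address fail2ban would extract from line, or None if no match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def failures_per_host(failregex, lines):
    """Count matching lines per extracted host, like a jail's counter."""
    counts = {}
    for line in lines:
        host = match_host(failregex, line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(failregex, lines, maxretry=5):
    """Hosts whose failure count reaches maxretry (findtime ignored)."""
    counts = failures_per_host(failregex, lines)
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

The prefix-bound jail regexes only count lines from the matching program name, and their greedy `ip=\[.*:` also eats the body of a native IPv6 address so that only its last group is extracted as the host; the filter file's `ip=\[<HOST>\]$` form extracts the whole address.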
I followed the Preventing Brute Force Attacks With Fail2ban On Debian Etch howto. I'm not sure if you remember, but I am running the perfect Ubuntu 8.04 LTS server setup with ISPConfig 2. Would this have anything to do with it? I know Ubuntu is based on Debian.