First off, you guys did a great job on the ISPConfig 3 manual - very easy to follow.

I just wanted to point out one thing that I noticed. It's in section 6.5 - How Do I Make fail2ban Monitor Additional Services?

When I followed that section, I was getting errors like the following in my fail2ban log:

Code:
fail2ban.comm : WARNING Invalid command: ['set', 'courierimap', 'failregex', 'imapd: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

I saw those for courierpop3, courierimap, and SASL.

I investigated and found that the /etc/fail2ban/jail.conf file for the fail2ban that was downloaded from the Debian repository already had sections for those 3 in it. They just weren't enabled. Further, there were already /etc/fail2ban/filter.d/*.conf files for those sections included. Note: the courier sections were named differently - I think pop3d and imap?

I basically followed Thomas's instructions at the bottom of this post to fix it.

Edit the conf file:

Code:
vi /etc/fail2ban/jail.conf

Remove the failregex line and update the filter:

Code:
[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Becomes:

Code:
[courierimap]
enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 5

Create a filter file /etc/fail2ban/filter.d/courierimap.conf with the following content:

Code:
vi /etc/fail2ban/filter.d/courierimap.conf

Code:
# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = imapd: LOGIN FAILED.*ip=\[.*127\.0\.0\.1\]

BTW, I added ignoreregex to this one because failed squirrelmail logins were generating failed logins on 127.0.0.1 no matter what the end user's IP address really was.

Again - great job on the manual - it's been invaluable in getting set up.
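
The effect of the failregex/ignoreregex pair in the filter above can be checked offline with the following added example, which is not part of the original post and is not fail2ban's own code. It expands `<HOST>` with the alias quoted in the filter comments, runs both patterns over constructed log lines, and applies the jail's maxretry = 5 as a plain count (findtime is not modelled); the function names are hypothetical.

```python
import re
from collections import Counter

# <HOST> alias exactly as quoted in the filter file comments on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]"
IGNOREREGEX = r"imapd: LOGIN FAILED.*ip=\[.*127\.0\.0\.1\]"

fail_re = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))
ignore_re = re.compile(IGNOREREGEX)

# Constructed sample lines (not from a real log); addresses are documentation ranges.
REMOTE = "Jan  5 10:12:01 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]"
WEBMAIL = "Jan  5 10:12:09 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:127.0.0.1]"
SUCCESS = "Jan  5 10:12:15 mail imapd: LOGIN, user=carol, ip=[::ffff:198.51.100.4]"
POP3 = "Jan  5 10:12:20 mail pop3d: LOGIN FAILED, user=dave, ip=[::ffff:203.0.113.9]"
SAMPLE_LOG = [REMOTE, WEBMAIL] * 5 + [SUCCESS, POP3]


def classify(line, use_ignore=True):
    """Return (verdict, host) for one log line, ignoreregex taking precedence."""
    if use_ignore and ignore_re.search(line):
        return ("ignored", None)
    match = fail_re.search(line)
    if match:
        return ("failure", match.group("host"))
    return ("no match", None)


def hosts_over_limit(lines, maxretry=5, use_ignore=True):
    """Hosts whose failure count reaches maxretry (simplified: no findtime window)."""
    counts = Counter()
    for line in lines:
        verdict, host = classify(line, use_ignore)
        if verdict == "failure":
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in (REMOTE, WEBMAIL, SUCCESS, POP3):
        print(classify(line), "<-", line)
    print("ban candidates with ignoreregex:   ", hosts_over_limit(SAMPLE_LOG))
    print("ban candidates without ignoreregex:",
          hosts_over_limit(SAMPLE_LOG, use_ignore=False))
```

The pop3d line falls through as "no match", which is why each service needs its own filter file. On a live system, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/courierimap.conf` performs the same check against the real log.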