FAIL2BAN does not block brute force attacks
I am getting these warnings:
root@mx3:/# tail -f /var/log/exim4/mainlog
2016-09-23 19:40:42 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=laurie)
2016-09-23 19:40:42 no host name found for IP address 119.56.129.3
2016-09-23 19:41:00 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=margaret)
2016-09-23 19:41:00 no host name found for IP address 119.56.129.3
2016-09-23 19:41:19 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=maria)
2016-09-23 19:41:19 no host name found for IP address 119.56.129.3
2016-09-23 19:41:37 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=mariah)
2016-09-23 19:41:37 no host name found for IP address 119.56.129.3
2016-09-23 19:41:55 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marie)
2016-09-23 19:41:55 no host name found for IP address 119.56.129.3
2016-09-23 19:42:14 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marilyn)
2016-09-23 19:42:14 no host name found for IP address 119.56.129.3
2016-09-23 19:42:32 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marina)
2016-09-23 19:42:32 no host name found for IP address 119.56.129.3
2016-09-23 19:42:50 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marine)
What can I do to block these fraudulent login attempts to dovecot accounts?
Re: FAIL2BAN does not block brute force attacks
This topic may help you --> viewtopic.php?f=10&t=9040&p=30273#p30273
or you can try to add some filters to /etc/fail2ban/filter.d/exim.conf
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\))?\s*$ -- this additional line
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
            ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\))?\s*$
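To check a failregex against the exact log lines from the question before reloading fail2ban, here is an added example (not code from the thread or from fail2ban) that emulates what fail2ban-regex does: it strips the timestamp, substitutes %(pid)s and <HOST>, counts matches per address and reports which addresses would reach maxretry. The PID and HOST expansions are assumptions written from memory of the stock exim-common.conf and the default <HOST> tag; the sample log lines are constructed from the ones posted above. It shows why a line anchored at `^\[<HOST>\]` matches nothing (the text after the timestamp starts with `dovecot_login`, not with the bracketed address), while a line written in the same style as the other exim.conf patterns matches every failed attempt.

```python
import re
from collections import Counter

# Constructed sample: four of the exim mainlog lines quoted in the question
# (same format and addresses as posted), plus the "no host name" noise lines.
SAMPLE_LOG = """\
2016-09-23 19:40:42 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=laurie)
2016-09-23 19:40:42 no host name found for IP address 119.56.129.3
2016-09-23 19:41:00 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=margaret)
2016-09-23 19:41:00 no host name found for IP address 119.56.129.3
2016-09-23 19:41:19 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=maria)
2016-09-23 19:41:37 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=mariah)
"""

# The regex as it was first suggested in the reply, anchored at the start of the line.
POSTED_REGEX = r"^\[<HOST>\]: 535 Incorrect authentication data"

# The same check written like the other exim.conf lines: the text between the
# timestamp and the bracketed address is consumed before <HOST> is reached.
FIXED_REGEX = (r"^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: "
               r"535 Incorrect authentication data( \(set_id=.*\))?\s*$")

# Stand-ins for what fail2ban substitutes (assumption: mirrors the stock
# exim-common.conf and the default <HOST> tag; check your installed version).
PID = r"( \[\d+\])?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def expand(template):
    """Interpolate %(pid)s and <HOST> the way fail2ban does before compiling."""
    return re.compile(template.replace("%(pid)s", PID).replace("<HOST>", HOST))


def strip_date(line):
    """fail2ban removes the matched timestamp and applies failregex to the rest."""
    return DATE_PREFIX.sub("", line, count=1)


def failures_per_host(log_text, failregex):
    """Count failregex matches per <HOST>, like fail2ban's per-IP failure counter."""
    rx = expand(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        m = rx.search(strip_date(line))
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(log_text, failregex, maxretry=3):
    """Addresses whose failure count reaches maxretry (3 here; yours is set in jail.conf)."""
    return sorted(h for h, n in failures_per_host(log_text, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    print("posted regex:", hosts_to_ban(SAMPLE_LOG, POSTED_REGEX))  # []
    print("fixed regex :", hosts_to_ban(SAMPLE_LOG, FIXED_REGEX))   # ['119.56.129.3']
```

On the server itself the same check is `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf`, which prints how many lines each failregex matched; if the count for the new line stays at zero, the jail will never ban anything no matter what maxretry is set to.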