Fail2Ban - blocking brute force attacks against Dovecot

Recently I noticed an absolute deluge of failed logins to Dovecot, thousands of attempts - here is a small snippet:

Jan 22 07:07:46 localhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts):
user=<administrateur>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x
Jan 22 07:07:46 localhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts):
user=<administrator>, method=PLAIN, rip=64.31.13.148, lip=74.50.57.116
Jan 22 07:07:48 localhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts):
user=<admin>, method=PLAIN, rip=64.31.13.148, lip=74.50.57.116

This worried me, since I was the only one using it on my server.  On closer inspection it turned out to be a brute force attack cycling through common usernames (administrateur, administrator, admin, ...) from a single machine in Dallas, Texas.  I sent the owner of the IP address a polite message, which I fully expect to be ignored, then set about securing myself against the disreputable so-and-so.

My first thought was to just block the IP... but that only works until the next attacker turns up from a different address.  So I installed Fail2Ban instead.  It tails your log files looking for failed logins; once one address has produced a preset number of failures (maxretry) within a time window (findtime), Fail2Ban adds an iptables rule dropping traffic from that address for a set period (bantime), and optionally emails you to let you know.  Simple and effective.

The procedure to install and configure it to look after Dovecot (in my case anyway), on Ubuntu 10.04LTS, is as follows (with thanks to the Dovecot wiki and Fail2Ban's setup pages): 

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local

then add the following section to the jail.local file:


[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = pop3,pop3s,imap,imaps
logpath = /var/log/mail.log
maxretry = 20
findtime = 1200
bantime = -1

Also, in the [DEFAULT] section, change the line marked destemail = to an address you can actually receive mail at, and change action = %(action_)s to read action = %(action_mw)s.  The _mw action bans the address and mails you a report including a whois lookup of it, so you get a warning whenever the system blocks someone (I also get notifications about the system starting and stopping).  While you are in [DEFAULT], check that ignoreip lists your own addresses: with a permanent ban, a few typos of your own password would otherwise lock you out of your own mail server.

Note: The logpath entry should be wherever Dovecot is sending its logs... in my case to the standard mail.log.  With maxretry = 20 and findtime = 1200, an address is banned once it has failed 20 times within 20 minutes, which is far more than a real user mistyping a password and far less than a dictionary attack produces.

Note 2: The bantime entry is the number of seconds to ban the IP for.  Setting it to -1 makes the ban permanent, i.e. it stays until you remove it yourself or stop Fail2Ban, since stopping it flushes the iptables chains it created.

Now we need to define the dovecot-pop3imap filter that the jail refers to, by doing the following:

sudo vim /etc/fail2ban/filter.d/dovecot-pop3imap.conf

and add the following to the file (it will probably not have existed before, so it's likely to be empty).  The named group (?P<host>...) around the rip= value is what Fail2Ban extracts as the address to ban:


[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Now simply restart Fail2Ban (sudo /etc/init.d/fail2ban restart) and wait.  If, like me, you're still being bombarded with brute force attempts, you should fairly shortly get an email telling you an address has been banned.  If you have not set it up to send emails, check the Fail2Ban log instead: sudo tail /var/log/fail2ban.log and look for any Ban lines.
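To see exactly what the jail above will do before you restart anything, here is an added example (my own code, not part of the original post and not Fail2Ban's code) that compiles the page's failregex unchanged and replays the maxretry/findtime rule over a constructed mail.log excerpt.  The excerpt uses RFC 5737 documentation addresses, made-up user names and an assumed year (syslog timestamps carry none); it contains a fast dictionary attack, a real user mistyping a password, a successful login that must not match, and a slow attacker who never reaches 20 failures inside one 1200-second window.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# The failregex from dovecot-pop3imap.conf above, compiled unchanged.
# Fail2Ban bans whatever the named group "host" captures.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*"
    r"(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
    r"|Aborted login \(\d+ authentication attempts)"
    r".*rip=(?P<host>\S*),.*"
)

# Syslog lines carry no year; this year is an assumption for the sample.
YEAR = 2011
BASE = datetime(YEAR, 1, 22, 7, 7, 46)
USERS = ["administrateur", "administrator", "admin", "root", "test"]


def syslog_ts(dt):
    """Render a timestamp the way syslog does (month, space-padded day, time)."""
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"


def parse_ts(line):
    """Parse the leading 'Jan 22 07:07:46' of a syslog line, assuming YEAR."""
    return datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def fail_line(dt, user, rip, proto="pop3"):
    """One Dovecot auth-failure line (constructed, not from a real server)."""
    return (f"{syslog_ts(dt)} localhost dovecot: {proto}-login: Aborted login "
            f"(auth failed, 1 attempts): user=<{user}>, method=PLAIN, "
            f"rip={rip}, lip=203.0.113.1")


def build_sample_log():
    """Constructed mail.log excerpt using RFC 5737 documentation addresses."""
    lines = []
    # 203.0.113.5: fast dictionary attack, 25 failures in 25 seconds
    for i in range(25):
        lines.append(fail_line(BASE + timedelta(seconds=i),
                               USERS[i % len(USERS)], "203.0.113.5"))
    # 198.51.100.7: a real user mistypes a password three times, then gets in
    for i in range(3):
        lines.append(fail_line(BASE + timedelta(seconds=30 + 5 * i),
                               "bob", "198.51.100.7", proto="imap"))
    lines.append(f"{syslog_ts(BASE + timedelta(seconds=50))} localhost dovecot: "
                 "imap-login: Login: user=<bob>, method=PLAIN, "
                 "rip=198.51.100.7, lip=203.0.113.1, TLS")
    # 192.0.2.9: slow attacker, 20 failures 100 s apart; never 20 inside 1200 s
    for i in range(20):
        lines.append(fail_line(BASE + timedelta(seconds=100 * i),
                               "admin", "192.0.2.9"))
    lines.sort(key=parse_ts)
    return lines


def scan(lines, maxretry=20, findtime=1200, ignoreip=frozenset({"127.0.0.1"})):
    """Replay the jail's counting rule over log lines.

    Returns (banned, failures): banned maps host -> time it would have been
    banned; failures counts matching lines per host.  A host is banned once it
    has maxretry failures inside any window of findtime seconds, which is what
    the jail's maxretry/findtime pair means; the ban itself is left to iptables.
    ignoreip mirrors the jail.conf setting of the same name.
    """
    window = defaultdict(deque)   # per-host sliding window of failure times
    banned = {}
    failures = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue              # successful logins and unrelated lines
        host = m.group("host")
        failures[host] += 1
        if host in ignoreip or host in banned:
            continue
        ts = parse_ts(line)
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
    return banned, failures


if __name__ == "__main__":
    banned, failures = scan(build_sample_log())
    for host, n in sorted(failures.items()):
        state = (f"banned at {banned[host]:%H:%M:%S}" if host in banned
                 else "not banned")
        print(f"{host:14} {n:3} failures  {state}")
```

Running it shows 203.0.113.5 banned on its 20th failure, 198.51.100.7 and 192.0.2.9 left alone, and the successful Login line ignored; try scan(build_sample_log(), maxretry=3) to see how quickly a tight maxretry would ban the user who merely fat-fingered a password.  Against your real log, the equivalent check is sudo fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf, which reports how many lines the failregex matched.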

That's all there is to it :)