thanx john ----- Original Message ---- > From: John Lundin <lundin@xxxxxxxx> > > john, could u share your rules for the dovecot attempts?t > > > Since no one else has stepped up... here's dovecot and vsftpd. > > These worked for me, ymmv. Centos 5 with rpmforge. Folded, failregex > should be a single line with a space between ":" and "authentication". > > > /etc/fail2ban/filter.d/dovecot.conf > > [Definition] > failregex = dovecot-auth: pam_unix\(dovecot:auth\): > authentication failure; .* rhost=(?:\s+user=\S*)?\s*$ > ignoreregex = > > > /etc/fail2ban/filter.d/vsftpd.conf > > [Definition] > failregex = vsftpd: pam_unix\(vsftpd:auth\): > authentication failure; .* rhost=(?:\s+user=\S*)?\s*$ > ignoreregex = > > > > And changes to /etc/fail2ban/jail.conf. (Note that you also want to > change the sendmail actions to use valid email addresses...) > > diff --git a/jail.conf b/jail.conf > index b74320f..a726947 100644 > --- a/jail.conf > +++ b/jail.conf > @@ -113,7 +113,7 @@ bantime = 300 > enabled = false > filter = vsftpd > action = sendmail-whois[name=VSFTPD, dest=you@xxxxxxxx] > -logpath = /var/log/vsftpd.log > +logpath = /var/log/secure > maxretry = 5 > bantime = 1800 > > @@ -121,11 +121,11 @@ bantime = 1800 > > [vsftpd-iptables] > > -enabled = false > +enabled = true > filter = vsftpd > action = iptables[name=VSFTPD, port=ftp, protocol=tcp] > sendmail-whois[name=VSFTPD, dest=you@xxxxxxxx] > -logpath = /var/log/vsftpd.log > +logpath = /var/log/secure > maxretry = 5 > bantime = 1800 > > @@ -203,3 +203,25 @@ action = iptables-multiport[name=Named, > port="domain,953", protocol=tcp] > logpath = /var/log/named/security.log > ignoreip = 168.192.0.1 > > +[dovecot-notification] > + > +enabled = false > +filter = dovecot > +action = sendmail-whois[name=Dovecot, dest=you@xxxxxxxx] > +logpath = /var/log/secure > +maxretry = 5 > +bantime = 1800 > + > +# Same as above but with banning the IP address. > + > +[dovecot-iptables] > + > +enabled = true > +filter = dovecot > +action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", > protocol=tcp] > + sendmail-whois[name=Dovecot, dest=you@xxxxxxxx] > +logpath = /var/log/secure > +maxretry = 5 > +bantime = 1800 > +#ignoreip = 168.192.0.1 > + > > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos