Hi Jayesh,

On Saturday, 17.10.2015, at 17:09 +0530, Jayesh Shinde wrote:

[...]

> I think I am missing something with fail2ban.
> I am looking for immediate source IP blocking after 3 wrong attempts
> for this for pop / imap / smtp login failure.
>
> Can you please share your correct configuration. That will help me to
> understand the regex part matching.

I'm using perdition in front of the cyrus I've tested the banning with today, so the regex is different. From another machine, cyrus with no proxy in front, I've attached the filter based on https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/cyrus-imap.conf

Check your logs and change the filter to your needs.

> What is your suggestion for below 3 points.
>
> > > I believe this issue is very common with others too, is there any
> > > option in 'saslauthd' / postfix / cyrus-imapd for below
> > > requirement?
> > >
> > > 1) If server receives the wrong password, then is it possible to
> > > introduce a delay of say 5-10 seconds to the sender client? So that
> > > spammers will do fewer attempts?

Don't know if a kind of throttling is built in, maybe third party products. fail2ban is sufficient for my needs.

> > > 2) After given wrong password attempts more than 3 times, the
> > > particular "IP + email id" must get blocked for the next 5-10 min.
> > > And then need to unblock after that.

This is what fail2ban does. After three bans I do ban the IP for a week (recidive filter).

> > > 3) I checked PAM-ABL, but it's not working for 'saslauthd' with pop /
> > > imap / smtp. Because I came to know that 'saslauthd' is not getting
> > > the IP of the source.
> > > How to pass the source IP to 'saslauthd' along with email id, password
> > > and realm. Is there any patch available for this?

Ciao!
jail.conf:

    [cyrusauth]
    enabled  = true
    port     = imap2,imaps,pop3,pop3s
    filter   = cyrus-imap
    logpath  = /var/log/mail.log
    maxretry = 8
    bantime  = 3600

cyrus-imap.conf:

    # Fail2Ban configuration file
    #
    # Author: Jan Wagner <waja@xxxxxxxxxxx>
    #
    # $Revision$
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = : badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): authentication failure: checkpass failed$
                : badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): user not found: checkpass failed$
                : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
                : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
                : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
                : badlogin: .*\[<HOST>\] plaintext .* invalid user$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
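To see what the attached filter actually catches before enabling the jail, here is an added example (not part of the mail or of fail2ban itself) that expands the filter's failregex lines with the `<HOST>` alias given in its comment, runs them over constructed Cyrus badlogin lines, and counts failures per host against a maxretry value. The log lines and addresses are made up for the example.

```python
import re
from collections import Counter

# The <HOST> alias exactly as the filter's comment documents it.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex lines copied from the attached cyrus-imap.conf. fail2ban matches
# them after the syslog prefix; here they are simply searched in the line.
FAILREGEX = [
    r": badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): authentication failure: checkpass failed$",
    r": badlogin: .*\[<HOST>\] plaintext .* SASL\(-13\): user not found: checkpass failed$",
    r": badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$",
    r": badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$",
    r": badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$",
    r": badlogin: .*\[<HOST>\] plaintext .* invalid user$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]


def match_host(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry):
    """Count matched failures per host; hosts reaching maxretry would be banned."""
    counts = Counter()
    for line in lines:
        host = match_host(line)
        if host:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= maxretry}


# Constructed sample lines in the shape of Cyrus imapd/pop3d log messages.
SAMPLE_LOG = [
    "Oct 17 17:09:01 mail imap[1234]: badlogin: example.org [203.0.113.5] plaintext jayesh SASL(-13): authentication failure: checkpass failed",
    "Oct 17 17:09:05 mail imap[1234]: badlogin: example.org [203.0.113.5] LOGIN [SASL(-13): authentication failure: checkpass failed]",
    "Oct 17 17:09:09 mail pop3[2345]: badlogin: [203.0.113.5] plaintext jayesh invalid user",
    "Oct 17 17:09:12 mail imap[1234]: badlogin: [198.51.100.7] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]",
    "Oct 17 17:10:00 mail imap[1234]: login: example.org [203.0.113.5] jayesh plaintext User logged in",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, 3))  # {'203.0.113.5': 3}
```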