Using Fail2ban with Dovecot
If you're using Dovecot v1.1 or older, you need to log via syslog. Otherwise log files contain "dovecot: " prefix, which fail2ban doesn't like. v1.2+ no longer have this prefix. You can use syslogging by setting log_path to empty value in dovecot.conf.
Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:
[Definition] failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.* ignoreregex =
Add the following to /etc/fail2ban/jail.conf:
[dovecot-pop3imap] enabled = true filter = dovecot-pop3imap action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] # optionaly mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc logpath = /var/log/mail.log maxretry = 20 findtime = 1200 bantime = 1200
For Debian and Ubuntu put this into /etc/fail2ban/jail.local (you should not edit /etc/fail2ban/jail.conf)
[dovecot-pop3imap] enabled = true filter = dovecot-pop3imap port = pop3,pop3s,imap,imaps action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] # optionaly mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc logpath = /var/log/mail.log maxretry = 20 findtime = 1200 bantime = 1200
(Set the logpath to wherever your syslog has been configured to log Dovecot's login messages.)
See also the Dovecot page on the Fail2Ban wiki.
See also SSHGuard, which supports dovecot natively.
Note: The iptables-multiport action does not generally work with OpenVPS based VPS's due to a missing Kernel library.