NethServer Version: 7.3.1611
Viewing the imap log file, I see many unauthorized brute-force attempts to login to email server using the user email account, somehow the fail2ban doesn't ban the ip.
In the imap log file. I see a large of this attempts:
Apr 26 10:08:08 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=18.104.22.168, lip=2xx.1xx.2xx.1xx, session=
Apr 26 10:08:10 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=22.214.171.124, lip=2xx.1xx.2xx.1xx, session=<9PeC4hRO7QBuNOvd>
Also the in secure log showing the pam_ssl / many attempts of failed logins. the Jail pam-generic does not seems to watch the pam-generic.service.
Status for the jail: pam-generic
| |- Currently failed: 0
| |- Total failed: 0
- Journal matches: ( NOTHING SHOWING HERE )- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
In the "secure" Log files .. I get these attempts
Apr 24 19:36:36 mail auth: pam_sss(dovecot:auth): received for user rmm@.com: 7 (Authentication failure)
Apr 24 19:36:47 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=126.96.36.199
Any suggestion how to re-configure or setup to ban or block the ip, much appreciated..