Crowdsec and imap

NethServer Version: 8
Module: crowdsec

I have been blocking subnets because of excessive imap login attempts.

I am curious if anyone knows why crowdsec does not intercede with continuous auth fail for imap per ip.

Is this something that is “there” but not enabled “out of the box”?

1 Like

I can’t reproduce.

After trying to connect via IMAPS to an NS8 server using wrong credentials, I’m blocked after some attempts:

curl -k -u username:password imaps://1.2.3.4

In case you’re connecting via IMAP using STARTTLS:

curl -k -u username:password --ssl-reqd imap://1.2.3.4

In crowdsec log I can see the ban:

2026-05-04T23:16:14+02:00 [1:crowdsec2:crowdsec2] time="2026-05-04T21:16:14Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 1.2.3.4 (AB/12345) : 12m ban on Ip 1.2.3.4" module=db

1 Like

The first thing to do is verify that the crowdsec containers are running; the second would be to share the brute-force log so we can understand what is happening.

Lastly you could try to restart crowdsec, but collect evidence before doing that.

1 Like

some metrics of crowdsec

+----------------------------------------------------------+
| Local API Decisions                                      |
+------------------------------+----------+--------+-------+
| Reason                       | Origin   | Action | Count |
+------------------------------+----------+--------+-------+
| ssh:bruteforce               | CAPI     | ban    | 6451  |
| crowdsecurity/postscreen-rbl | crowdsec | ban    | 1     |
| crowdsecurity/ssh-slow-bf    | crowdsec | ban    | 3     |
| generic:scan                 | CAPI     | ban    | 123   |
| http:bruteforce              | CAPI     | ban    | 732   |
| http:scan                    | CAPI     | ban    | 24343 |
| pop3/imap:bruteforce         | CAPI     | ban    | 556   |
| crowdsecurity/ssh-bf         | crowdsec | ban    | 15    |
| http:crawl                   | CAPI     | ban    | 42    |
| http:exploit                 | CAPI     | ban    | 342   |
| smtp:spam                    | CAPI     | ban    | 156   |
+------------------------------+----------+--------+-------+

I was wondering myself why I have no bans from the LAPI and most of them from CAPI; in fact I have really few brute-force attempts.

can you try

journalctl | grep -i "imap-login" | grep -i -E "failed|no auth|aborted|auth failed" | tail -50

I am trying

runagent -m crowdsec1 podman exec crowdsec1 cscli scenarios install melite/dovecot-slow-bf
runagent -m crowdsec1 podman exec crowdsec1 cscli scenarios install melite/dovecot-time-based-bf
runagent -m crowdsec1 podman restart crowdsec1

seems to work

[root@ns8-leader ~]# journalctl | grep dovecot | grep -i "auth failed" | head -3
May 06 18:26:26 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<info@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<JdEUoChRIqUO4cwe>
May 06 22:46:48 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<info@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<c+syQyxRAIAO4cwe>
May 07 03:05:29 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<0oRY4C9Rcp4O4cwe>
[root@ns8-leader ~]# runagent -m crowdsec5 podman exec crowdsec5 cscli explain   --log 'May 07 03:05:29 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<0oRY4C9Rcp4O4cwe>'   --type syslog   -v
line: May 07 03:05:29 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<0oRY4C9Rcp4O4cwe>
	├ s00-raw
	|	├ 🔴 crowdsecurity/cri-logs
	|	├ 🔴 crowdsecurity/docker-logs
	|	└ 🟢 crowdsecurity/syslog-logs (+12 ~9)
	|		└ update evt.ExpectMode : %!s(int=0) -> 1
	|		└ update evt.Stage :  -> s01-parse
	|		└ update evt.Line.Raw :  -> May 07 03:05:29 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<0oRY4C9Rcp4O4cwe>
	|		└ update evt.Line.Src :  -> /tmp/cscli_explain1284475189/cscli_test_tmp.log
	|		└ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2026-05-07 11:34:12.757910253 +0000 UTC
	|		└ create evt.Line.Labels.type : syslog
	|		└ update evt.Line.Process : %!s(bool=false) -> true
	|		└ update evt.Line.Module :  -> file
	|		└ create evt.Parsed.program : dovecot
	|		└ create evt.Parsed.timestamp : May 07 03:05:29
	|		└ create evt.Parsed.timestamp8601 : 
	|		└ create evt.Parsed.facility : 
	|		└ create evt.Parsed.logsource : syslog
	|		└ create evt.Parsed.message : pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<0oRY4C9Rcp4O4cwe>
	|		└ create evt.Parsed.pid : 12702
	|		└ create evt.Parsed.priority : 
	|		└ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2026-05-07 11:34:12.758002585 +0000 UTC
	|		└ update evt.StrTime :  -> May 07 03:05:29
	|		└ create evt.Meta.datasource_path : /tmp/cscli_explain1284475189/cscli_test_tmp.log
	|		└ create evt.Meta.datasource_type : file
	|		└ create evt.Meta.machine : ns8-leader
	├ s01-parse
	|	├ 🔴 crowdsecurity/apache2-logs
	|	└ 🟢 crowdsecurity/dovecot-logs (+8 ~1)
	|		└ update evt.Stage : s01-parse -> s02-enrich
	|		└ create evt.Parsed.dovecot_user : admin@aubrac-medical.com
	|		└ create evt.Parsed.protocol : pop3
	|		└ create evt.Parsed.dovecot_local_ip : 37.60.240.69
	|		└ create evt.Parsed.dovecot_login_message : Disconnected: Connection closed (auth failed, 1 attempts in 0 secs)
	|		└ create evt.Parsed.dovecot_remote_ip : 14.225.204.30
	|		└ create evt.Meta.dovecot_login_result : auth_failed
	|		└ create evt.Meta.log_type : dovecot_logs
	|		└ create evt.Meta.source_ip : 14.225.204.30
	├ s02-enrich
	|	├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
	|		├ create evt.Enriched.MarshaledTime : 2026-05-07T03:05:29Z
	|		├ update evt.Time : 2026-05-07 11:34:12.758002585 +0000 UTC -> 2026-05-07 03:05:29 +0000 UTC
	|		├ update evt.MarshaledTime :  -> 2026-05-07T03:05:29Z
	|		├ create evt.Meta.timestamp : 2026-05-07T03:05:29Z
	|	├ 🟢 crowdsecurity/geoip-enrich (+13)
	|		├ create evt.Enriched.ASNOrg : VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
	|		├ create evt.Enriched.IsInEU : false
	|		├ create evt.Enriched.IsoCode : VN
	|		├ create evt.Enriched.Longitude : 105.846100
	|		├ create evt.Enriched.ASNumber : 135905
	|		├ create evt.Enriched.Latitude : 21.018400
	|		├ create evt.Enriched.SourceRange : 14.225.0.0/16
	|		├ create evt.Enriched.ASNNumber : 135905
	|		├ create evt.Meta.ASNOrg : VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
	|		├ create evt.Meta.IsInEU : false
	|		├ create evt.Meta.SourceRange : 14.225.0.0/16
	|		├ create evt.Meta.ASNNumber : 135905
	|		├ create evt.Meta.IsoCode : VN
	|	├ 🔴 crowdsecurity/http-logs
	|	├ 🔴 nethserver/nethvoice-whitelist-http-probing
	|	├ 🔴 crowdsecurity/nextcloud-whitelist
	|	├ 🟢 crowdsecurity/public-dns-allowlist (unchanged)
	|	└ 🟢 crowdsecurity/whitelists (unchanged)
	├-------- parser success 🟢
	├ Scenarios
		├ 🟢 crowdsecurity/dovecot-spam
		├ 🟢 melite/dovecot-slow-bf
		├ 🟢 melite/dovecot-slow-bf_user-enum
		├ 🟢 melite/dovecot-time-based-bf
		└ 🟢 melite/dovecot-time-based-bf_user-enum

[root@ns8-leader ~]# journalctl | grep dovecot | grep "14.225.204.30"
May 06 18:26:26 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<info@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<JdEUoChRIqUO4cwe>
May 06 22:46:48 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<info@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<c+syQyxRAIAO4cwe>
May 07 03:05:29 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<0oRY4C9Rcp4O4cwe>
May 07 07:24:42 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<support@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<Zj9hfzNRPNwO4cwe>
May 07 11:43:41 ns8-leader dovecot[12702]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin@aubrac-medical.com>, rip=14.225.204.30, lip=37.60.240.69, session=<lJeOHTdRVMQO4cwe>
[root@ns8-leader ~]#

Here is the comparison of the 3 scenarios:

Tier 1 — fast attack: 4 failures within 24 minutes → immediate ban
Tier 2 — slow attack: attempts spaced 7–30 minutes apart, 4 failures over 3h max → ban
Tier 3 — evasive attack: median interval between attempts ≥20min (e.g. one try per hour) → alert but no ban

1 Like

Apologies, a few weeks ago I had pulled the IP list out of the logs and blocked them at the gateway. I just thought of it when I made this post. They should have been blocked based on the above condition. It was a dictionary list of name attempts. I saw it because I do a search for fail and error occasionally. About 24 hours ago I stopped the block rule and now only one of the IPs in the list is hitting, but it’s not making auth attempts yet. Otherwise crowdsec is working as expected for web and postfix. I’ll keep an eye on this and follow up when I have something. The logs have rotated out so I have nothing for external. When I get a chance I’ll make auth attempts myself sometime soon.

I have released the new version of crowdsec with the work of @mrmarkuz; now you can see the crowdsec bans inside Grafana. You can enable Grafana in settings/metrics.

1 Like

Why? Is there something of value with grafana? I can see everything I need in the ns log ui fine.

I disabled grafana/metrics because it’s not helpful to me and is causing me problems, though, even disabled it still causes problems.

1 Like

In the UI you can just enable/disable Grafana access, metrics/prometheus is always running. You may open another support topic…

There’s already one open; it seems it’s going to be a won’t fix. Thanks.

2026-05-07T11:07:03-07:00 [1:mail1:dovecot] auth-worker(43480): conn unix:auth-worker (pid=43479,uid=90): auth-worker<1>: ldap(h,174.201.233.231,<TnTBJT5RQvmuyenn>): unknown user
2026-05-07T11:07:09-07:00 [1:mail1:dovecot] auth-worker(43480): conn unix:auth-worker (pid=43479,uid=90): auth-worker<2>: ldap(h,174.201.233.231,<TnTBJT5RQvmuyenn>): unknown user
2026-05-07T11:07:11-07:00 [1:mail1:dovecot] imap-login: Disconnected: Connection closed (auth failed, 2 attempts in 8 secs): user=<h>, method=PLAIN, rip=174.201.233.231, lip=192.168.23.122, TLS, session=<TnTBJT5RQvmuyenn>
2026-05-07T11:15:09-07:00 [1:mail1:dovecot] imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=174.201.233.231, lip=192.168.23.122, TLS handshaking, session=<C6y0Qj5RSfmuyenn>
2026-05-07T11:22:49-07:00 [1:mail1:dovecot] imap-login: Disconnected: Connection closed (no auth attempts in 1 secs): user=<>, rip=174.201.233.231, lip=192.168.23.122, TLS, session=<77wfXj5RVvmuyenn>
2026-05-07T11:22:55-07:00 [1:mail1:dovecot] auth-worker(43582): conn unix:auth-worker (pid=43580,uid=90): auth-worker<10>: ldap(j,174.201.233.231,<A0KDXj5RMfWuyenn>): unknown user
2026-05-07T11:23:01-07:00 [1:mail1:dovecot] auth-worker(43582): conn unix:auth-worker (pid=43580,uid=90): auth-worker<11>: ldap(j,174.201.233.231,<A0KDXj5RMfWuyenn>): unknown user
2026-05-07T11:23:03-07:00 [1:mail1:dovecot] imap-login: Disconnected: Connection closed (auth failed, 2 attempts in 8 secs): user=<j>, method=PLAIN, rip=174.201.233.231, lip=192.168.23.122, TLS, session=<A0KDXj5RMfWuyenn>
2026-05-07T11:23:03-07:00 [1:crowdsec1:crowdsec1] time="2026-05-07T18:23:03Z" level=info msg="Ip 174.201.233.231 performed 'crowdsecurity/dovecot-spam' (6 events over 15m59.617975319s) at 2026-05-07 18:23:03.464118831 +0000 UTC"
2026-05-07T11:23:03-07:00 [1:crowdsec1:crowdsec1] time="2026-05-07T18:23:03Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 174.201.233.231 (US/6167) : 32m ban on Ip 174.201.233.231" module=db

I tried and failed, my external IP got banned for spam, so obviously cs is on top of imap but it’s not blocking for rate of fail. The logs from a couple of weeks ago showed dozens of attempts again and again with different user names like hr, etc.; there were no blocks so I pulled the IPs and dropped them into a block rule in the gateway. Now that I’ve paused the block rule they won’t try, idk. I’ll keep an eye on it going forward and revisit this post.

CrowdSec will quickly block direct IMAP brute-force attempts happening within a short timeframe. However, the official scenario is not very effective against slow brute-force attacks.

For SSH, we already have dedicated scenarios to detect slow brute-force behavior, but there is currently no equivalent for Dovecot. The additional scenario I installed is intended to address that gap.

From what I’ve read, it should be safe to use because it only adds a new scenario and still relies on the official parsers.

In short, it is basically a leaky bucket with a much longer time window.

1 Like
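To make the three-tier comparison and the "leaky bucket with a much longer time window" description concrete, here is an added example (not CrowdSec's, NethServer's or melite's code) that parses the Dovecot `imap-login`/`pop3-login: Disconnected` lines quoted in this thread, keeps only `auth failed` events per source IP (the same `dovecot_login_result` filtering the `cscli explain` output shows), and pours them into two leaky buckets: a short-window bucket standing in for the fast-attack tier and a long-window bucket standing in for the slow-attack tier. The capacities and leak periods are illustrative assumptions, not the real scenarios' values; the log lines are constructed (documentation-range IPs, year assumed to be 2026 because syslog timestamps carry none); and the function and scenario names are mine.

```python
"""Added example: leaky-bucket detection over Dovecot login failures.

Not CrowdSec, NethServer or melite code; bucket parameters and the sample
log are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "imap-login/pop3-login: Disconnected ..." lines quoted in the thread.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot\[\d+\]: "
    r"(?P<proto>imap|pop3)-login: Disconnected: [^(]*"
    r"\((?P<result>auth failed|no auth attempts)[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9.]+)"
)

# Constructed sample (documentation-range IPs): 203.0.113.7 tries four names
# in 13 seconds; 198.51.100.9 tries one name per hour, the "dictionary of
# names" pattern described in the thread. The Inactivity line is noise.
SAMPLE_LOG = """\
May 07 10:00:01 mail dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<hr>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<c001>
May 07 10:00:05 mail dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<c002>
May 07 10:00:09 mail dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<c003>
May 07 10:00:14 mail dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<support>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<c004>
May 07 10:30:00 mail dovecot[1234]: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=198.51.100.9, lip=192.0.2.10, TLS handshaking, session=<b000>
May 07 11:00:00 mail dovecot[1234]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<info>, rip=198.51.100.9, lip=192.0.2.10, session=<b001>
May 07 12:00:00 mail dovecot[1234]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<admin>, rip=198.51.100.9, lip=192.0.2.10, session=<b002>
May 07 13:00:00 mail dovecot[1234]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<support>, rip=198.51.100.9, lip=192.0.2.10, session=<b003>
May 07 14:00:00 mail dovecot[1234]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<hr>, rip=198.51.100.9, lip=192.0.2.10, session=<b004>
May 07 15:00:00 mail dovecot[1234]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<sales>, rip=198.51.100.9, lip=192.0.2.10, session=<b005>
"""


def parse_dovecot_login(line, year=2026):
    """Return a dict for a dovecot *-login Disconnected line, or None for other lines."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "protocol": m["proto"],
        "user": m["user"],
        "source_ip": m["rip"],
        "login_result": m["result"].replace(" ", "_"),  # auth_failed / no_auth_attempts
    }


class LeakyBucket:
    """One event is poured per failure; one event drains every `leakspeed`.

    The bucket overflows when its level exceeds `capacity` and is then emptied,
    mirroring the general leaky-bucket idea rather than any exact CrowdSec code.
    """

    def __init__(self, capacity, leakspeed):
        self.capacity = capacity
        self.leak_seconds = leakspeed.total_seconds()
        self.level = 0.0
        self.last = None

    def pour(self, when):
        if self.last is not None:
            elapsed = (when - self.last).total_seconds()
            self.level = max(0.0, self.level - elapsed / self.leak_seconds)
        self.last = when
        self.level += 1.0
        if self.level > self.capacity:
            self.level = 0.0
            return True
        return False


# Illustrative parameters (assumed, not the official or melite values):
# a short window catches only rapid bursts; a long window also catches
# attempts spaced an hour apart.
SCENARIOS = {
    "fast-bf": dict(capacity=3, leakspeed=timedelta(minutes=1)),
    "slow-bf": dict(capacity=3, leakspeed=timedelta(hours=4)),
}


def run_scenarios(log_text, scenarios=SCENARIOS, year=2026):
    """Return {scenario: {source_ip: [overflow times]}} for auth failures in log_text."""
    events = [parse_dovecot_login(line, year) for line in log_text.splitlines()]
    failures = sorted(
        (e for e in events if e and e["login_result"] == "auth_failed"),
        key=lambda e: e["time"],
    )
    overflows = {name: defaultdict(list) for name in scenarios}
    buckets = {name: {} for name in scenarios}
    for e in failures:
        for name, params in scenarios.items():
            bucket = buckets[name].setdefault(e["source_ip"], LeakyBucket(**params))
            if bucket.pour(e["time"]):
                overflows[name][e["source_ip"]].append(e["time"])
    return {name: dict(per_ip) for name, per_ip in overflows.items()}


if __name__ == "__main__":
    for name, per_ip in run_scenarios(SAMPLE_LOG).items():
        for ip, times in per_ip.items():
            print(f"{name}: {ip} overflowed at {[t.isoformat() for t in times]}")
```

Running it, the bursty IP overflows both buckets at its fourth failure (10:00:14), while the IP trying one name per hour never overflows the short-window bucket and only trips the long-window one at its fourth failure (14:00). That gap between the two buckets is exactly what the additional slow-bf scenario is meant to close; the Inactivity line is parsed but never counted, so idle scanners do not inflate the bucket.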

From what I can see it works as it should; look at the melite entries:

+--------------------------------------------------------------------+
| Local API Decisions                                                |
+----------------------------------------+----------+--------+-------+
| Reason                                 | Origin   | Action | Count |
+----------------------------------------+----------+--------+-------+
| generic:scan                           | CAPI     | ban    | 112   |
| http:bruteforce                        | CAPI     | ban    | 507   |
| http:exploit                           | CAPI     | ban    | 260   |
| http:scan                              | CAPI     | ban    | 19999 |
| crowdsecurity/postfix-non-smtp-command | crowdsec | ban    | 1     |
| crowdsecurity/ssh-bf                   | crowdsec | ban    | 13    |
| crowdsecurity/ssh-slow-bf              | crowdsec | ban    | 1     |
| melite/dovecot-slow-bf                 | crowdsec | ban    | 5     |
| http:crawl                             | CAPI     | ban    | 42    |
| pop3/imap:bruteforce                   | CAPI     | ban    | 225   |
| smtp:spam                              | CAPI     | ban    | 204   |
| ssh:bruteforce                         | CAPI     | ban    | 5484  |
| melite/dovecot-slow-bf_user-enum       | crowdsec | ban    | 5     |
+----------------------------------------+----------+--------+-------+