Fail2ban and email server on NS6...Workable?

Lastly I did a huge update on fail2ban to ban attacker on NS7, I don’t know, I’m not sure if fail2ban does its job well on ns6 for the email stack.

Could you please monitor some specific logs

in /var/log/imap for example

Apr 27 18:57:48 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=, lip=207......, session=<+f+EZjBO4wB54i7w>

 Apr 27 21:59:30 mail dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=, lip=207......, session=<s9JN8DJONwBzf1Ii>

in /var/log/secure for example

Apr 24 19:35:50 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=reg...@fara.... rhost= user=regg...@far....

in /var/log/maillog for example

 May 1 21:05:17 mail postfix/smtpd[17639]: connect from
 May 1 21:05:18 mail postfix/smtpd[17639]: lost connection after AUTH
from unknown[]

Anyways you should look after all odd and repetitive lines

you can see if the fail2ban works by the command ‘fail2ban-listban’

of course a jail set to zero banned…it is not a good sign. After each service restart the statistics are set to zero.

1 Like