<p>Fail2ban is a program that scans logs for failed login attempts and temporarily blocks IP addresses that fail too many times within a set period, to counter brute-force attacks:</p>
<ol>
<li> <p>Install fail2ban on the server running dovecot and postfix:</p> <pre><code class="language-shell">apt install fail2ban</code></pre> </li>
<li> <p>Create <code>/etc/fail2ban/jail.d/dovecot.conf</code> to tell fail2ban to use the dovecot filter (defined in <code>/etc/fail2ban/filter.d/dovecot.conf</code>):</p> <pre><code class="language-ini">[dovecot]
logpath = %(syslog_mail)s
enabled = true</code></pre> <blockquote> <p><em>[dovecot]</em> - Points fail2ban to the corresponding filter: /etc/fail2ban/filter.d/dovecot.conf</p> <p><em>[logpath = %(syslog_mail)s]</em> - Tells fail2ban which log file to read for this jail: /var/log/mail.log</p> <p><em>[enabled = true]</em> - Turns on the jail.</p> </blockquote> </li>
<li> <p>Create <code>/etc/fail2ban/jail.d/postfix.conf</code> to tell fail2ban to use the postfix filter (defined in <code>/etc/fail2ban/filter.d/postfix.conf</code>):</p> <pre><code class="language-ini">[postfix]
logpath = %(syslog_mail)s
enabled = true</code></pre> </li>
<li> <p>Restart fail2ban so that it loads the new config files:</p> <pre><code class="language-shell">systemctl restart fail2ban</code></pre> </li>
<li> <p>Check whether fail2ban has loaded the jails:</p> <pre><code class="language-shell">tail /var/log/fail2ban.log</code></pre> <blockquote> <p>The following lines show that the jails have started:</p> <blockquote> <p>2018-09-29 17:22:49,370 fail2ban.jail [869]: INFO Jail 'postfix' started</p> <p>2018-09-29 17:22:49,375 fail2ban.jail [869]: INFO Jail 'dovecot' started</p> </blockquote> <p>The following line shows a failed login attempt:</p> <blockquote> <p>2018-09-29 17:28:35,403 fail2ban.filter [869]: INFO [dovecot] Found 131.124.3.21</p> </blockquote> <p>The following line shows an actual ban of an IP address (after the maximum number of failed login attempts has been reached):</p> <blockquote> <p>2018-09-29 17:28:36,150 fail2ban.actions [869]: NOTICE [dovecot] Ban 131.124.3.21</p> </blockquote> <p>The following line shows an IP address being unbanned (after the ban period has ended):</p> <blockquote> <p>2018-09-29 17:38:37,008 fail2ban.actions [869]: NOTICE [dovecot] Unban 131.124.3.21</p> </blockquote> </blockquote> </li>
</ol>
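<p>The Found, Ban and Unban lines from step 5 can be summarised per jail and IP address to see how often each address failed and whether it is still banned. The script below is an added example, not part of the original page; the function names <code>f2b_sample</code> and <code>f2b_summary</code> and the sample log lines are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: summarise fail2ban.log per jail and IP address.

# Constructed sample in the log format shown above (documentation-range IPs).
f2b_sample() {
    cat <<'EOF'
2018-09-29 17:22:49,375 fail2ban.jail [869]: INFO Jail 'dovecot' started
2018-09-29 17:28:31,101 fail2ban.filter [869]: INFO [dovecot] Found 192.0.2.10
2018-09-29 17:28:33,250 fail2ban.filter [869]: INFO [dovecot] Found 192.0.2.10
2018-09-29 17:28:35,403 fail2ban.filter [869]: INFO [dovecot] Found 192.0.2.10
2018-09-29 17:28:36,150 fail2ban.actions [869]: NOTICE [dovecot] Ban 192.0.2.10
2018-09-29 17:30:02,512 fail2ban.filter [869]: INFO [postfix] Found 198.51.100.7
2018-09-29 17:30:04,090 fail2ban.filter [869]: INFO [postfix] Found 203.0.113.5
2018-09-29 17:30:05,731 fail2ban.filter [869]: INFO [postfix] Found 198.51.100.7
2018-09-29 17:30:09,918 fail2ban.filter [869]: INFO [postfix] Found 198.51.100.7
2018-09-29 17:30:10,266 fail2ban.actions [869]: NOTICE [postfix] Ban 198.51.100.7
2018-09-29 17:38:37,008 fail2ban.actions [869]: NOTICE [dovecot] Unban 192.0.2.10
EOF
}

# f2b_summary [FILE...]: one line per jail/IP with counts and current ban state.
# Reads stdin when no file is given.
f2b_summary() {
    awk '
    {
        # Locate "[jail] Found|Ban|Unban IP" wherever it sits in the line;
        # the "[PID]:" field never matches because of its trailing colon.
        for (i = 1; i <= NF - 2; i++) {
            if (substr($i, 1, 1) == "[" && substr($i, length($i)) == "]" &&
                $(i + 1) ~ /^(Found|Ban|Unban)$/) {
                key = substr($i, 2, length($i) - 2) " " $(i + 2)
                seen[key] = 1
                if ($(i + 1) == "Found") found[key]++
                if ($(i + 1) == "Ban") { bans[key]++; banned[key] = 1 }
                if ($(i + 1) == "Unban") banned[key] = 0
                break
            }
        }
    }
    END {
        for (k in seen)
            printf "%s found=%d bans=%d state=%s\n", k, found[k], bans[k],
                   (banned[k] ? "banned" : "clear")
    }' "$@" | LC_ALL=C sort
}

# Demo on the sample; on a server: f2b_summary /var/log/fail2ban.log
f2b_sample | f2b_summary
```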