Dovecot is being brute forced

password (Verified User, joined Oct 11, 2011; 127 messages)
Hi there

I have a lot of brute force attempts on Dovecot on one of my servers. Sometimes they resolve to an IP and most of the time they show up as loopback.

I'm using CSF on this server and have denied all IPs using the "Quick deny" field. Still I have brute force attempts from the same IP. Will CSF not block Dovecot attempts?

How do I go about protecting my webmail to avoid ugly 127.0.0.1 attempts? Is there a captcha for roundcube/squirrelmail etc., or is there any other good solution?

Regards
Password
 
These attacks still continue. Just a couple of minutes ago they came from 41.251.118.105, and this IP is already in my deny file.
They are targeting 3-4 email accounts that have over 1000 failed logins each.

I'm sure there must be somebody else who has had the same issues with brute force on Dovecot? How did you solve it?
 
Really simple installation! Never used fail2ban before but now it's activated and integrated with roundcube. Let's see if that helps...
 
...I'm using CSF on this server and have denied all IPs using the "Quick deny" field. Still I have brute force attempts from the same IP. Will CSF not block Dovecot attempts?

I am also using csf/lfd, but I have never experienced that an IP I block is still allowed any access to the server to try brute force. Maybe you should look into why csf is not actually blocking the IP? Could there be something wrong with your csf/lfd settings?
 
It does block 80 + 443, but apparently not 110 + 143. Perhaps something in the config file that needs adjusting?
 
dovecot fix for DA

I know this is an old thread, but I wanted to pass this along to anyone who needs help. If your log file for dovecot reads like this,

Feb 20 15:21:08 SERVERNAME dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<NAME>, method=PLAIN, rip=IPADDRESS, lip=IPADDRESS

you can add the following to your regex.custom.pm:

Code:
#dovecot_rp
# Dovecot pop3-login failures. Capture group 7 is the remote IP (rip=), group 6 the user=<...> field.
if (($config{LF_POP3D}) and ($lgfile eq $config{POP3D_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+.*dovecot(\[\d+\])?: pop3-login: (Aborted login|Disconnected)( \(auth failed, \d+ attempts in \d+ secs\):)? (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=.*/)) {
    $ip = $7; $acc = $6;
    $ip =~ s/^::ffff://;     # strip the IPv4-mapped IPv6 prefix Dovecot logs for v4 clients
    $acc =~ s/^<|>$//g;      # drop the <> around the account name
    if (&checkip($ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}
# Same rule for Dovecot imap-login failures.
if (($config{LF_IMAPD}) and ($lgfile eq $config{IMAPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+.*dovecot(\[\d+\])?: imap-login: (Aborted login|Disconnected)( \(auth failed, \d+ attempts in \d+ secs\):)? (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=.*/)) {
    $ip = $7; $acc = $6;
    $ip =~ s/^::ffff://;
    $acc =~ s/^<|>$//g;
    if (&checkip($ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
}

This will capture dovecot information. Also, by adding it to the regex.custom.pm file, the regex still works even if csf updates.
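As an added example (not code from the thread or from CSF), the same field extraction done in Python over a few constructed Dovecot log lines. It mirrors the CSF rule above: match pop3-login/imap-login "Aborted login"/"Disconnected" lines, strip the ::ffff: prefix from rip=, pull the account out of user=<...>, and count failures per source IP and per account. Loopback sources are counted separately rather than listed for blocking, because, as the thread notes, those attempts arrive through webmail on the same host and have to be handled at the webmail layer (fail2ban with roundcube), not by firewalling 127.0.0.1. Hostnames, IPs, account names and the threshold are all made up.

```python
import re
from collections import Counter

# Python form of the CSF regex from the thread. Named groups replace $6/$7;
# the optional [pid] after "dovecot" and the optional "(auth failed, ...)" part
# are kept so both line shapes parse.
DOVECOT_FAIL = re.compile(
    r'^(?:\S+\s+\d+\s+\S+) \S+ dovecot(?:\[\d+\])?: '
    r'(?P<proto>pop3|imap)-login: (?:Aborted login|Disconnected)'
    r'(?: \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\):)? '
    r'(?:user=<(?P<user>[^>]*)>, )?method=\S+, rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)'
)

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample log (documentation IPs, invented hostname and accounts).
SAMPLE_LOG = """\
Feb 20 15:21:08 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Feb 20 15:21:15 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=::ffff:198.51.100.23, lip=::ffff:203.0.113.5
Feb 20 15:21:20 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1
Feb 20 15:21:22 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.5, mpid=1234, TLS
Feb 20 15:21:30 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Feb 20 15:21:35 mail dovecot[2210]: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5
"""


def parse_line(line):
    """Return the fields of one failed-login line, or None for anything else."""
    m = DOVECOT_FAIL.match(line)
    if not m:
        return None
    rip = m.group("rip")
    if rip.startswith("::ffff:"):          # same normalisation as the Perl s/^::ffff:// step
        rip = rip[len("::ffff:"):]
    return {
        "proto": m.group("proto"),
        "user": m.group("user") or "",
        "rip": rip,
        "lip": m.group("lip"),
        "attempts": int(m.group("attempts") or 0),
    }


def summarize(lines, threshold=5):
    """Count one failure per matching line (as lfd does) and pick block candidates.

    Loopback sources are never block candidates: they are webmail on this host
    and are reported separately so they can be chased in the webmail logs.
    """
    per_ip = Counter()
    per_user = Counter()
    loopback = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["rip"] in LOOPBACK:
            loopback += 1
            continue
        per_ip[rec["rip"]] += 1
        if rec["user"]:
            per_user[rec["user"]] += 1
    block = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": per_ip, "per_user": per_user, "loopback": loopback, "block": block}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), threshold=3)
    for ip, n in result["per_ip"].most_common():
        print(f"{ip:>18}  {n} failed logins")
    print("accounts under attack:", dict(result["per_user"]))
    print("loopback (webmail) failures:", result["loopback"])
    print("block candidates:", result["block"])
```

Run against a real Dovecot log the threshold should be tuned to the same value as the CSF LF_POP3D/LF_IMAPD triggers so the two agree on what gets blocked; the loopback count is the number to compare with the webmail access log when, as in the original question, the attempts show up as 127.0.0.1.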
 