Fail2ban is a powerful tool that lets a sysadmin slow down brute-force attacks. Most mail servers are frequently scanned for valid user and password combinations, and if an attacker manages to find one, he/she can use your server to send spam with those credentials.
This is where fail2ban comes in: it continuously reads log files, and if a log line matches a pattern indicating a failed attempt, it takes an action against the offending IP address.
Installing fail2ban on CentOS 6 is very simple, but it requires the EPEL repository to be enabled. Executing yum install fail2ban will fetch the required files.
To combine fail2ban with dovecot version 2, a pattern match file must be created. The default location of fail2ban configuration files is /etc/fail2ban. The filters are located in /etc/fail2ban/filter.d.
Here is the pattern match file (sample regular expression taken from the dovecot site, some names shortened):
The pattern match and the action are put together in /etc/fail2ban/jail.conf, creating a section for dovecot and one for postfix:
If an offending host tries to authenticate too many times and fails, then an action should be taken. I like blocking TCP connections from the offending host to the server. Below is action.d/iptables-multiport-tcp.conf, a file which is based on the original action.d/iptables-multiport.conf, with small adjustments:
Usually, an attacker will attempt to find passwords using SASL authentication. Therefore, the SASL authentication mechanism should be protected too.
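To see what a multiport TCP action actually hands to the shell, here is an added example (not the action file from this post, and not fail2ban's own code) that loads a constructed action template modelled on the stock iptables-multiport action, with the protocol fixed to tcp, and expands the <name>, <port>, <chain> and <ip> tags the way fail2ban does before running each command. The template text, the jail name "dovecot" and the address 203.0.113.5 are constructed sample values; the commands are only rendered, never executed.

```python
import configparser
import re

# Constructed action template in the style of a fail2ban action.d file.
# Modelled on iptables-multiport with -p tcp fixed; an illustration, not the
# post's own file. Tags in <angle brackets> are filled in at run time.
ACTION_CONF = """\
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p tcp -m multiport --dports <port> -j fail2ban-<name>
actionstop = iptables -D <chain> -p tcp -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
name = default
port = imap,imaps,pop3,pop3s
chain = INPUT
"""

TAG = re.compile(r"<(\w+)>")


def load_action(text):
    """Parse an action file; interpolation is off so '%' would not be special."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def render(cp, key, **overrides):
    """Expand the <tag> placeholders of one [Definition] entry.

    Defaults come from [Init]; the jail supplies name/port/chain overrides and
    the ban event supplies <ip>. Returns the list of shell command lines.
    An unknown tag raises KeyError instead of leaving '<tag>' in a command.
    """
    tags = dict(cp["Init"])
    tags.update(overrides)

    def substitute(match):
        tag = match.group(1)
        if tag not in tags:
            raise KeyError(f"unknown tag <{tag}> in {key}")
        return tags[tag]

    return [
        TAG.sub(substitute, line.strip())
        for line in cp["Definition"][key].splitlines()
        if line.strip()
    ]


if __name__ == "__main__":
    action = load_action(ACTION_CONF)
    # Preview the commands for a jail named "dovecot" banning a sample host.
    for cmd in render(action, "actionstart", name="dovecot"):
        print(cmd)
    for cmd in render(action, "actionban", name="dovecot", ip="203.0.113.5"):
        print(cmd)
```

Previewing the rendered commands this way is a cheap check that the port list and chain in the jail section line up with what the firewall will actually see before the first real ban happens.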
When a failed SASL authentication attempt occurs, the SMTP agent will log an error. I usually use postfix for this purpose, so I will create a filter definition:
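The following added example (not code from this post or from fail2ban) shows what the two filters above do when run over a log: it applies a constructed dovecot failregex and a constructed postfix SASL failregex to sample syslog lines, extracts the remote host the way fail2ban's <HOST> tag does, and then counts failures per host within a findtime window so that a host reaching maxretry is reported as a ban candidate. The log lines, the addresses 203.0.113.5, 198.51.100.7 and 192.0.2.9 and the year used to complete syslog timestamps are all constructed; the regexes are simplified versions written for this example, not the ones shipped with fail2ban.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed filters, modelled on the shape of fail2ban's dovecot and
# postfix-sasl failregex lines (simplified for this example). fail2ban swaps
# the <HOST> tag for a capturing group internally; here the group is explicit.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FILTERS = {
    "dovecot": re.compile(
        r"dovecot: (?:imap|pop3)-login: (?:Aborted login|Disconnected) "
        r"\(auth failed, \d+ attempts(?: in \d+ secs)?\):.*?rip=" + HOST
    ),
    "postfix-sasl": re.compile(
        r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[" + HOST
        + r"\]: SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
    ),
}
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log: one host hammering IMAP/POP3, one host with a few
# SMTP AUTH failures, one host failing slowly over two hours, one clean login.
LOG = """\
Jun  3 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
Jun  3 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
Jun  3 10:00:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1
Jun  3 10:00:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
Jun  3 10:00:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
Jun  3 10:01:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, TLS
Jun  3 10:02:00 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun  3 10:02:10 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jun  3 10:02:20 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun  3 08:00:00 mail postfix/smtpd[2100]: warning: host.example.net[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 08:30:00 mail postfix/smtpd[2105]: warning: host.example.net[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 09:00:00 mail postfix/smtpd[2110]: warning: host.example.net[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 09:30:00 mail postfix/smtpd[2115]: warning: host.example.net[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 10:00:00 mail postfix/smtpd[2120]: warning: host.example.net[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
"""
LOG_LINES = LOG.splitlines()


def match_host(jail, line):
    """Return the remote host if the line matches the jail's filter, else None."""
    m = FILTERS[jail].search(line)
    return m.group("host") if m else None


def parse_timestamp(line, year=2013):
    """Syslog omits the year, so an assumed one is supplied to build a datetime."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=5, findtime=600):
    """Return {jail: [hosts]} for hosts with maxretry failures inside findtime seconds.

    This mirrors the jail parameters of the same name: a host is a ban
    candidate once maxretry matching lines fall within a findtime window.
    """
    attempts = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        for jail in FILTERS:
            host = match_host(jail, line)
            if host:
                attempts[jail][host].append(ts)

    banned = {}
    for jail, hosts in attempts.items():
        for host, times in hosts.items():
            times.sort()
            # Slide a window of maxretry failures over the sorted timestamps.
            for i in range(len(times) - maxretry + 1):
                if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                    banned.setdefault(jail, []).append(host)
                    break
    return banned


if __name__ == "__main__":
    print(scan(LOG_LINES))                  # only the fast IMAP/POP3 guesser
    print(scan(LOG_LINES, maxretry=3))      # now the SMTP AUTH host too
    print(scan(LOG_LINES, findtime=7200))   # the slow host, once findtime widens
```

The three calls at the bottom show why maxretry and findtime are tuned together: with the defaults only the host that burned through five accounts in fourteen seconds is caught, a lower maxretry also catches the short SASL burst, and a wider findtime is what exposes the host spreading five attempts over two hours. On a real system the same regex check is done with fail2ban-regex against the live log before the jail is enabled.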
After a proper test, fail2ban must be started and activated on boot permanently:
# service fail2ban start
# chkconfig fail2ban on