Email accounts are generally protected using weak passwords, and yet those same email accounts are used for receiving password reminders, personal details, email to family and friends and so on.
It is also getting more common for people to leave email online in "the cloud" rather than download all mail using an email client. This combination makes a tempting target for attackers. If they can access your email, they can gain a great deal of useful information.
Privacy aside, brute force attacks against your server fill up the log files, waste server resources and in some cases can cause service disruption.
There are many ways to stop this problem escalating. One of the simplest is to use Fail2Ban.
To install fail2ban using Yum you will need to add a repository as Fail2Ban is not included in CentOS by default. ATrpms and rpmforge are both suitable.
Then as root, run:
yum install fail2ban
Fail2Ban is not yet running. You can check this using:
service fail2ban status
First we will tidy up the defaults. Edit /etc/fail2ban/fail2ban.conf and set "dest" and "sender" to the addresses you want the notification emails to go to and come from, or comment out the sendmail line if you do not wish to receive email notifications.
Next, enable or disable the other services that come with Fail2Ban, such as sshd, proftpd, exim etc., according to what you need.
I save my logs to /var/log/fail2ban.log. If you want to do this, set the value of logtarget in /etc/fail2ban/fail2ban.conf:
logtarget = /var/log/fail2ban.log
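Now we need to create a new filter configuration file for Dovecot, as this service is not configured out of the box. Fail2Ban loads filters from /etc/fail2ban/filter.d/, and the jail below refers to this filter as dovecot-pop3imap, so create /etc/fail2ban/filter.d/dovecot-pop3imap.conf.
Add the following lines: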
[Definition]
failregex = dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
            dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]
ignoreregex =
Now open the existing /etc/fail2ban/jail.conf and add the following lines to the bottom:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=root, sender=firstname.lastname@example.org]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
And change the values of dest and sender in the sendmail command.
And start Fail2Ban using:
service fail2ban start
And make sure it is started at boot time:
chkconfig fail2ban --level=235 on
You should get an email stating "The jail dovecot-pop3imap has been started successfully."
service fail2ban status
should show you:
Status
|- Number of jail: 1
`- Jail list: dovecot-pop3imap
You can see the attacks getting blocked in /var/log/messages or /var/log/fail2ban.log, depending on your value of logtarget in /etc/fail2ban/fail2ban.conf.
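The following Python sketch is an added example, not part of the original article or of Fail2Ban itself: it runs the Dovecot filter's patterns over constructed maillog lines and applies the jail's maxretry and findtime to show which addresses would be banned. The IPv4-only stand-in for Fail2Ban's <HOST> tag, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2Ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Patterns from the Dovecot filter in this article.
FAILREGEX = [
    r"dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
    r"dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]",
    r"dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]",
    r"dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars",
    r"dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY, FINDTIME = 20, 1200  # maxretry and findtime from the jail

def failed_host(line):
    """Return the client IP if the line matches a failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, year=2024):
    """Hosts reaching MAXRETRY failures inside a FINDTIME-second window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        host = failed_host(line)
        if host is None or host in banned:
            continue
        # Syslog timestamps carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > FINDTIME:
            q.popleft()  # forget failures older than findtime
        if len(q) >= MAXRETRY:
            banned.append(host)
    return banned

def sample_log():
    """Constructed maillog lines: a fast guesser, a slow one, one good login."""
    t0 = datetime(2024, 3, 4, 10, 0, 0)
    events = [(t0 + timedelta(seconds=30 * i), "203.0.113.7") for i in range(20)]
    events += [(t0 + timedelta(seconds=120 * i), "198.51.100.9") for i in range(20)]
    lines = [f"{t:%b %d %H:%M:%S} mail dovecot: pop3-login: Aborted login: "
             f"user=<bob>, method=PLAIN, [{ip}]" for t, ip in sorted(events)]
    lines.append("Mar 04 10:45:00 mail dovecot: imap-login: Login: user=<amy>, method=PLAIN, [192.0.2.50]")
    return lines
```

The slow guesser at 198.51.100.9 makes the same 20 attempts but never has more than 11 inside any 1200-second window, so only 203.0.113.7 is returned; an attacker who paces attempts below maxretry per findtime is not caught by these settings.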