If you are getting any brute force attacks to your dovecot imap/pop3 server, install fail2ban to block the offenders. This works on CentOs 5.7. For other distributions, see the relevant websites.
Firstly, install fail2ban. You should have the rpmforge repo from my previous post. Enable it first to install fail2ban:
# cd /etc/yum.repos.d/
# vi rpmforge.repo
Change it to enabled = 1 and save
Then it’s simple:
# yum install fail2ban
After installation I recommend disabling the repo. Edit the file and change to enabled = 0
Then make sure the service starts up:
# chkconfig --add fail2ban
# chkconfig fail2ban on
# service fail2ban start
Create a new filter file for your dovecot:
# vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Paste in the following definition:
[Definition]
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =
Then add the new information to the main config file:
# vi /etc/fail2ban/jail.conf
At the end, add the following:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optional mail notification
# mail[name=dovecot-pop3imap, dest=root@domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/secure
maxretry = 20
findtime = 1200
bantime = 1200
That’s it!