How do I set up fail2ban so that all those pesky pop3 login attempts are taken care of? I am using Ubuntu 9.04 and here's an extract from the pop3 log as I see it in the mails that Logwatch sends:
LOGIN FAILED, user=Administrador, ip=[::ffff:208.115.212.106]: 8 Time(s)
LOGIN FAILED, user=Alfredo, ip=[::ffff:208.115.212.106]: 8 Time(s)
LOGIN FAILED, user=Antonio, ip=[::ffff:208.115.212.106]: 6 Time(s)
LOGIN FAILED, user=Carmelo, ip=[::ffff:208.115.212.106]: 8 Time(s)
LOGIN FAILED, user=access, ip=[::ffff:208.115.212.106]: 7 Time(s)
LOGIN FAILED, user=account, ip=[::ffff:208.115.212.106]: 7 Time(s)
LOGIN FAILED, user=admin, ip=[::ffff:208.115.212.106]: 5 Time(s)
LOGIN FAILED, user=angel, ip=[::ffff:208.115.212.106]: 9 Time(s)
EDIT: I think the solution is to simply change the settings in /etc/fail2ban/jail.conf by enabling courier related jails. Could someone verify this?
Best Answer
I don't like "fail2ban" because it "lives" in userland and has a lot of "moving parts". If you're using iptables on the machine it's fairly trivial to rate-limit new connections from the same IP address.
Assuming you've got higher-up rules in the INPUT chain to allow ESTABLISHED connections through, these rules will work to rate-limit incoming new TCP connections to your POP3 port (exceeding 5 in 60 seconds).
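As an added example (my own, not the answerer's code and not fail2ban's implementation), here is the jail logic that the courier-pop3 jail from the question's EDIT applies, replayed in Python over constructed courier-pop3d syslog lines using documentation IPs. The `HOST` pattern mirrors fail2ban's `<HOST>` token, which is what lets it handle the `::ffff:` IPv4-mapped addresses seen in the Logwatch extract; the maxretry/findtime/bantime values and the log year are assumptions for the sample, not values read from jail.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed courier-pop3d syslog lines (placeholder IPs); Logwatch aggregates lines like these.
SAMPLE_LOG = """\
Jun  1 10:00:01 mail pop3d: LOGIN FAILED, user=Administrador, ip=[::ffff:192.0.2.10]
Jun  1 10:00:03 mail pop3d: LOGIN FAILED, user=Alfredo, ip=[::ffff:192.0.2.10]
Jun  1 10:00:05 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Jun  1 10:00:07 mail pop3d: LOGIN FAILED, user=Antonio, ip=[::ffff:192.0.2.10]
Jun  1 10:00:09 mail pop3d: LOGIN, user=alice, ip=[::ffff:203.0.113.5]
Jun  1 10:00:11 mail pop3d: LOGIN FAILED, user=Carmelo, ip=[::ffff:192.0.2.10]
Jun  1 10:00:13 mail pop3d: LOGIN FAILED, user=access, ip=[::ffff:192.0.2.10]
Jun  1 10:30:00 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:198.51.100.7]
"""
# Mirrors fail2ban's <HOST>: the optional IPv4-mapped "::ffff:" prefix is dropped, so the
# ban is issued for the plain IPv4 address courier actually talked to.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: "
                       r"LOGIN FAILED, user=\S+, ip=\[" + HOST + r"\]$")
LOG_YEAR = 2009  # syslog lines carry no year; assumed for the sample

def parse_line(line):
    """Return (timestamp, host) for a failed POP3 login line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def run_jail(log_text, maxretry=5, findtime=600, bantime=3600):
    """maxretry failures from one host within findtime seconds -> ban for bantime; returns {host: [ban times]}."""
    recent = defaultdict(deque)  # host -> failure times still inside the findtime window
    banned_until = {}            # host -> when its current ban expires
    bans = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        if ts < banned_until.get(host, ts):
            continue  # host is banned; with an iptables ban the attempt would not even be logged
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # expire failures older than findtime
        if len(window) >= maxretry:
            bans[host].append(ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            window.clear()
    return dict(bans)
```

With the assumed values, 192.0.2.10 is banned at its fifth failure while 198.51.100.7's two failures fall outside one findtime window and never trigger a ban.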