Yet more with Fail2Ban

So yesterday, I thought I was all good on Fail2Ban. Today’s logcheck emails show there were still problems with Dovecot.

But looking at the block chain, I see traffic going into the chain and coming back out without hitting the filters…

Ok, so what the frack is going on? I know things are set right, or I should say “I think things are set right”. Then it hit me. These are login attacks on port 25, not on a normal Dovecot port. I already solved this… But I wanted confirmation first. So TCPDUMP on the most recent IP address in the /var/log/fail2ban.log.

Yep there it is. It’s on port 25.

I looked at turning on the Postfix filters in Fail2Ban, but those are looking for From errors, not auth errors. So I added port 25 (SMTP) and 465 (SSMTP) to my dovecot filter. Here is what that looks like now in server-defaults.conf

And look, it’s working.

Hopefully now I can get back to blogging about my Home Lab.
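For readers following along, here is an added sketch of the kind of jail change described above. It is not the author's actual server-defaults.conf; the section name, log path and retry values are assumptions, and it assumes Postfix hands SMTP AUTH to Dovecot so that failed logins on port 25 show up in the Dovecot log.

```ini
# Added example, not the author's file. Values marked "assumed" are illustrative.
#
# Why the original jail looked broken:
#   - The dovecot filter matched the auth failures and Fail2Ban "banned" the IP.
#   - The ban action only covers the ports listed in the jail's port line.
#   - The clients were connecting to port 25, so their packets entered the
#     Fail2Ban chain's parent rule set but never matched the ban rule.

[dovecot]
enabled  = true
filter   = dovecot

# Before: only the mail-retrieval ports were covered.
# port   = pop3,pop3s,imap,imaps

# After: also cover the SMTP ports where Dovecot-backed SMTP AUTH is offered.
# "smtp" resolves to 25 through /etc/services; 465 is given numerically
# because its service name differs between systems.
port     = pop3,pop3s,imap,imaps,smtp,465

# Assumed path; use whatever file Dovecot's auth failures are written to.
logpath  = /var/log/mail.log

# Assumed thresholds.
maxretry = 5
findtime = 600
bantime  = 3600
```

After reloading with `fail2ban-client reload`, `fail2ban-client status dovecot` shows the currently banned addresses, and the packet counters on the jail's firewall chain should start increasing for traffic to port 25.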
