On Thu, 25 Jan 2007 14:24:47 -0800, Quinn Comendant wrote:
> These are md5-digest (I think) password failures, followed by
> plaintext password success. These are all honest valid users, and it
> is normal. I think they all use a POP3 client (maybe Apple Mail) that
> first tries md5-digest, and if it doesn't work, uses plaintext. The
> paradox is that fail2ban must scan the logs for password failures to
> detect which IP address to block. But because of these "honest"
> password failures there is no way to detect the difference between a
> robot trying wrong password, and a "helpful" POP3 client trying a
> wrong auth method.
I can answer my own question here. Vpopmail logs a 'user not found' error that
can be used by fail2ban, for example:
Jan 21 09:50:12 mx vpopmail[27939]: vchkpw-pop3: vpopmail user not found forum@:24.220.50.36
Jan 21 09:50:13 mx vpopmail[27943]: vchkpw-pop3: vpopmail user not found news@:24.220.50.36
Jan 21 09:50:17 mx vpopmail[27958]: vchkpw-pop3: vpopmail user not found operator@:24.220.50.36
Jan 21 09:50:17 mx vpopmail[27959]: vchkpw-pop3: vpopmail user not found sales@:24.220.50.36
Jan 21 09:50:18 mx vpopmail[27964]: vchkpw-pop3: vpopmail user not found operator@:24.220.50.36
Q
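Fail2ban-style detection over the 'user not found' lines, as an added example that is neither from the original post nor fail2ban's own code: a regex that extracts the attempted user and source IP (the same fields fail2ban's `<HOST>` tag would capture), and a counter modelled on fail2ban's maxretry/findtime. The sample log mixes the lines quoted above with two constructed lines; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the vpopmail 'user not found' line quoted in the post.
# A fail2ban failregex for the same line would read roughly:
#   vchkpw-pop3: vpopmail user not found .*@:<HOST>
USER_NOT_FOUND = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: "
    r"vchkpw-(?P<proto>\w+): vpopmail user not found "
    r"(?P<user>[^@\s]*)@(?P<domain>[^:\s]*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: the five lines from the post, one constructed hit from a
# different IP, and one constructed md5 failure line that must NOT match.
SAMPLE_LOG = [
    "Jan 21 09:50:12 mx vpopmail[27939]: vchkpw-pop3: vpopmail user not found forum@:24.220.50.36",
    "Jan 21 09:50:13 mx vpopmail[27943]: vchkpw-pop3: vpopmail user not found news@:24.220.50.36",
    "Jan 21 09:50:17 mx vpopmail[27958]: vchkpw-pop3: vpopmail user not found operator@:24.220.50.36",
    "Jan 21 09:50:17 mx vpopmail[27959]: vchkpw-pop3: vpopmail user not found sales@:24.220.50.36",
    "Jan 21 09:50:18 mx vpopmail[27964]: vchkpw-pop3: vpopmail user not found operator@:24.220.50.36",
    "Jan 21 09:51:02 mx vpopmail[27970]: vchkpw-pop3: vpopmail user not found typo@:192.0.2.10",
    "Jan 21 09:51:05 mx vpopmail[27971]: vchkpw-pop3: CONSTRUCTED honest md5 failure bob@:192.0.2.11",
]

def parse_user_not_found(line):
    """Return (timestamp, user, ip) for a 'user not found' line, else None."""
    m = USER_NOT_FOUND.match(line.rstrip("\n"))
    if not m:
        return None
    # syslog carries no year; strptime's default year is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")

def offending_ips(lines, maxretry=3, findtime=600):
    """IPs with >= maxretry 'user not found' hits inside any findtime-second window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_user_not_found(line)
        if parsed:
            ts, _user, ip = parsed
            hits[ip].append(ts)
    banned = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned
```

Because the honest md5-then-plaintext clients never produce a 'user not found' line, only the unknown-user probes count toward the ban.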