Fail2ban ignoring IMAP failed logins? Try this

Hi everybody. This is just an FYI in case others are having this problem.

I have some domains that I’ve been using for email since 1996. Pretty much every minute of every hour of the day they get a barrage of failed IMAP login attempts by bots from IP addresses all over the globe. After switching them to a new Hestia installation (on Debian 10) I noticed that multiple failed login attempts by the same IP address were not being caught by Hestia’s default fail2ban configuration. I was seeing a ton of “unknown user” messages in dovecot.log by many of the same IP addresses, sometimes 4 or 5 within the same minute from the same IP.

So I did a little checking and found this SpiceWorks thread from 2019 by someone having the same problem with their Vesta installation :smile:. One response gave the solution to the problem:

I just fought with the same issue. Mine was as simple as updating jail.local to have backend = polling for exim and dovecot.

Since adding backend = polling to the “dovecot-iptables” and “exim-iptables” jails in jail.local, failed login attempts have been dramatically reduced. If you’re having this problem too, give this a try.

As a side note: Personally, I like to configure fail2ban rather aggressively :grin:. In jail.conf I set maxretry = 2, findtime = 2d, and bantime = 6h. (So if the same IP address tries two failed logins within a two day period, it will get banned for 6 hours.) Then I set the “recidive” jail in jail.local to maxretry = 1, findtime = 4d, and bantime = 14d. For that 14 day setting to work, you also have to add dbpurgeage = 15d in fail2ban.conf.
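The settings from the post collected into one configuration, as an added example rather than the author's or Hestia's actual files. The base policy is placed in jail.local's [DEFAULT] instead of jail.conf (jail.local overrides jail.conf, so the effect is the same and the values survive package upgrades); the jail names are the ones the post mentions and are assumed to already be defined by Hestia's jail.conf.

```ini
# ---- /etc/fail2ban/jail.local (constructed example) ----
[DEFAULT]
# Aggressive base policy from the post: a second failure from the same
# address within a two-day window bans it for six hours.
maxretry = 2
findtime = 2d
bantime  = 6h

[dovecot-iptables]
enabled = true
# The default backend ("auto") relies on filesystem notifications; polling
# re-reads dovecot.log on a timer, which is the fix the post describes for
# repeated "unknown user" lines going uncounted.
backend = polling

[exim-iptables]
enabled = true
backend = polling

[recidive]
enabled = true
# Any address banned once in the last four days is re-banned for two weeks.
maxretry = 1
findtime = 4d
bantime  = 14d

# ---- /etc/fail2ban/fail2ban.local (constructed example) ----
# The post edits fail2ban.conf directly; fail2ban.local overrides it the same way.
[Definition]
# The ban database must be kept longer than the 14-day recidive ban,
# otherwise entries are purged (default is 1d) before the ban expires.
dbpurgeage = 15d
```

After editing, `fail2ban-client reload` applies the change and `fail2ban-client status dovecot-iptables` shows whether the jail is now counting failures.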

Happy New Year!
–Dan
