Hi everybody. This is just an FYI in case others are having this problem.
I have some domains that I’ve been using for email since 1996. Pretty much every minute of every hour of the day they get a barrage of failed IMAP login attempts by bots from IP addresses all over the globe. After switching them to a new Hestia installation (on Debian 10) I noticed that multiple failed login attempts by the same IP address were not being caught by Hestia’s default fail2ban configuration. I was seeing a ton of “unknown user” messages in dovecot.log by many of the same IP addresses, sometimes 4 or 5 within the same minute from the same IP.
So I did a little checking and found this SpiceWorks thread from 2019 by someone having the same problem with their Vesta installation. One response gave the solution to the problem:
I just fought with the same issue. Mine was as simple as updating jail.local to have backend = polling for exim and dovecot.
After adding backend = polling to the “dovecot-iptables” and “exim-iptables” jails in jail.local, failed login attempts have been dramatically reduced. If you’re having this problem too, give this a try.
As a side note: personally, I like to configure fail2ban rather aggressively. In jail.conf I set
maxretry = 2
findtime = 2d
bantime = 6h
(So if the same IP address tries two failed logins within a two-day period, it will get banned for 6 hours.) Then I set the “recidive” jail in jail.local to
maxretry = 1
findtime = 4d
bantime = 14d
For that 14-day setting to work, you also have to add
dbpurgeage = 15d
in fail2ban.conf.
Happy New Year!
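As an added illustration (not part of the post above, and not Hestia's or fail2ban's own filter code), here is a small Python emulation of the maxretry/findtime window that the post's settings rely on, run over constructed dovecot.log "unknown user" lines; the log line layout, the IP addresses and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample dovecot.log excerpt (documentation-range IPs, not real traffic).
# 203.0.113.5 fails twice within a minute; 198.51.100.7 fails twice but just over
# two days apart; the last line is a successful login and must be ignored.
SAMPLE_LOG = """\
Jan 01 00:10:01 auth: Info: passwd-file(alice,203.0.113.5): unknown user
Jan 01 00:10:40 auth: Info: passwd-file(admin,203.0.113.5): unknown user
Jan 01 00:11:02 auth: Info: passwd-file(test,198.51.100.7): unknown user
Jan 03 00:12:30 auth: Info: passwd-file(info,198.51.100.7): unknown user
Jan 01 00:13:15 imap-login: Info: Login: user=<bob>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.1
"""

# Assumed line shape: "<Mon DD HH:MM:SS> auth: Info: <passdb>(<user>,<ip>): unknown user"
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) auth: Info: "
    r"[\w-]+\([^,]*,(?P<ip>[\d.]+)\): unknown user"
)


def parse_failures(log_text, year=2021):
    """Return [(timestamp, ip), ...] for each failed-auth line; other lines are skipped.
    Dovecot's default timestamp has no year, so one is assumed (no rollover handling)."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"]))
    return failures


def decide_bans(failures, maxretry=2, findtime=timedelta(days=2), bantime=timedelta(hours=6)):
    """Emulate fail2ban's sliding window with the post's jail.conf defaults:
    an IP is banned once it has maxretry failures within findtime of each other.
    Returns {ip: ban_expiry}; an IP already banned is not counted again."""
    window = defaultdict(list)
    bans = {}
    for ts, ip in sorted(failures):
        if ip in bans:
            continue
        window[ip] = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            bans[ip] = ts + bantime
    return bans


if __name__ == "__main__":
    for ip, until in decide_bans(parse_failures(SAMPLE_LOG)).items():
        print(f"ban {ip} until {until}")
```

Only 203.0.113.5 is banned with the post's settings; 198.51.100.7 escapes because its second failure lands outside the two-day findtime, which is the kind of slow attacker the recidive jail (maxretry = 1, findtime = 4d) is meant to catch.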