Hi everybody. This is just an FYI in case others are having this problem.
I have some domains that I’ve been using for email since 1996. Pretty much every minute of every hour of the day they get a barrage of failed IMAP login attempts by bots from IP addresses all over the globe. After switching them to a new Hestia installation (on Debian 10) I noticed that multiple failed login attempts by the same IP address were not being caught by Hestia’s default fail2ban configuration. I was seeing a ton of “unknown user” messages in dovecot.log by many of the same IP addresses, sometimes 4 or 5 within the same minute from the same IP.
So I did a little checking and found this SpiceWorks thread from 2019 by someone having the same problem with their Vesta installation. One response gave the solution to the problem:
I just fought with the same issue. Mine was as simple as updating jail.local to have backend = polling for exim and dovecot.
Since adding backend = polling to the “dovecot-iptables” and “exim-iptables” jails in jail.local, failed login attempts have been dramatically reduced. If you’re having this problem too, give this a try.
As a side note: Personally, I like to configure fail2ban rather aggressively. In jail.conf I set maxretry = 2, findtime = 2d, and bantime = 6h. (So if the same IP address tries two failed logins within a two day period, it will get banned for 6 hours.) Then I set the “recidive” jail in jail.local to maxretry = 1, findtime = 4d, and bantime = 14d. For that 14 day setting to work, you also have to add dbpurgeage = 15d in fail2ban.conf.
Happy New Year!
–Dan
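The settings from the post, collected into the two files they belong to. This is an added example assembled from the values above, not Dan's own configuration; it assumes the jail names “dovecot-iptables” and “exim-iptables” exist as in the post's Hestia install, and it places the global limits in jail.local rather than jail.conf, since jail.conf is replaced on package upgrades while jail.local survives them.

```ini
# /etc/fail2ban/jail.local (added example; values taken from the post above)

[DEFAULT]
# Two failed logins from one IP within two days -> 6 hour ban.
maxretry = 2
findtime = 2d
bantime  = 6h

# The fix from the post: switch these jails from the default (auto/inotify)
# backend to polling so appended dovecot/exim log lines are actually seen.
[dovecot-iptables]
backend = polling

[exim-iptables]
backend = polling

# Repeat offenders: a single earlier ban within four days -> 14 day ban.
[recidive]
enabled  = true
maxretry = 1
findtime = 4d
bantime  = 14d
```

The 14 day recidive ban only survives restarts if fail2ban's persistence database keeps entries at least that long, hence the dbpurgeage = 15d line the post says to add under the [Definition] section of /etc/fail2ban/fail2ban.conf (fail2ban.local is the upgrade-safe place for it). After reloading, `fail2ban-client status dovecot-iptables` should show the currently banned IPs, which is the quickest check that the jail is now catching the failed logins.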