Fail2Ban configs

I was fed up with all the dictionary attacks on POP3, so I decided to look up how to configure Fail2ban to cover that port.

First off, always remember to save your iptables: service iptables save

Next, I located the jail.local file under /etc/fail2ban. This file is a copy of the original /etc/fail2ban/jail.conf, which I want to leave untouched; anything set in jail.local overrides the same setting in jail.conf.

Starting from the stock [courierauth] jail shown below, I will rewrite it to match the style of the jails already in my jail.local file, so that this:

[courierauth]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

becomes this:

[pop3]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
action = iptables[name=POP3, port="smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s", protocol=tcp]
         sendmail-whois[name=POP3, dest=anna@ffdepot.com, sender=fail2ban@ffdepot.com]
logpath = /var/log/maillog
maxretry = 3
ignoreip = 184.7.254.24 202.62.124.147 200.74.244.86 127.0.0.1

The revised jail is enabled and watches the standard mail ports. The section header [pop3] is the jail's name (what fail2ban-client lists); name=POP3 in the action lines labels the iptables chain fail2ban creates (fail2ban-POP3) and the subject of the notification mail. The second action line is a continuation of the first and must stay indented, and the action parameters are comma separated. Fail2ban reads the log named by logpath, which I changed from the stock /var/log/mail.log to /var/log/maillog because that is where this system writes its mail log. The maxretry before banning is set to 3 tries, after which Fail2ban inserts a DROP rule for the offending address and emails me its whois record, just as it already does for SSH attempts today. Addresses listed in ignoreip are never banned, so put your own management hosts there before turning the jail on. The filter line points at /etc/fail2ban/filter.d/courierlogin.conf, which holds the regex Fail2ban applies to each mail log line:

failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

The <HOST> token is where Fail2ban substitutes its own address-matching pattern; whatever it captures there is the IP that gets banned, so a failregex without it is useless.
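To see what the filter and the jail settings actually do before relying on them, here is an added Python dry run. It is not code from the original post or from fail2ban itself: it expands <HOST> the way fail2ban 0.8 does, applies the courierlogin failregex to a constructed sample of courier-pop3d/imapd log lines, and reports which addresses reach maxretry = 3 without being in ignoreip. The log lines, host name and client addresses are made up for the example, and findtime is not modelled.

```python
"""Dry run of the [pop3] jail: apply the courierlogin failregex to
constructed courier log lines and report which IPs would be banned."""
import re
from collections import Counter

# Same failregex as /etc/fail2ban/filter.d/courierlogin.conf.
FAILREGEX = r"LOGIN FAILED, .*, ip=\[<HOST>\]$"

# The expansion fail2ban 0.8 substitutes for <HOST>: an optional
# IPv4-mapped prefix (::ffff:) as courier writes it, then the address
# in a named group called "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Jail settings from the jail.local above.
MAXRETRY = 3
IGNOREIP = {"184.7.254.24", "202.62.124.147", "200.74.244.86", "127.0.0.1"}

# Constructed sample of /var/log/maillog; not taken from a real server.
SAMPLE_LOG = """\
Mar  4 02:11:05 mail pop3d: LOGIN FAILED, user=anna, ip=[::ffff:198.51.100.23]
Mar  4 02:11:09 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.23]
Mar  4 02:11:14 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:198.51.100.23]
Mar  4 02:11:20 mail pop3d: LOGIN, user=anna, ip=[::ffff:203.0.113.7]
Mar  4 02:12:01 mail pop3d: LOGIN FAILED, user=anna, ip=[::ffff:203.0.113.7]
Mar  4 02:12:40 mail imapd: LOGIN FAILED, user=anna, ip=[::ffff:127.0.0.1]
Mar  4 02:12:41 mail imapd: LOGIN FAILED, user=anna, ip=[::ffff:127.0.0.1]
Mar  4 02:12:42 mail imapd: LOGIN FAILED, user=anna, ip=[::ffff:127.0.0.1]
Mar  4 02:12:43 mail imapd: LOGIN FAILED, user=anna, ip=[::ffff:127.0.0.1]
Mar  4 02:13:00 mail pop3d: LOGIN FAILED, user=bob, ip=[2001:db8::1]
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failed_hosts(log_text, failregex=FAILREGEX):
    """Count matching failure lines per captured host, as the filter would."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def would_ban(log_text, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Hosts with at least maxretry failures that ignoreip does not exempt.
    Real fail2ban only counts failures inside findtime; the sample fits
    in one window, so that is left out here."""
    counts = failed_hosts(log_text)
    return sorted(host for host, n in counts.items()
                  if n >= maxretry and host not in ignoreip)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failed logins")
    print("would ban:", would_ban(SAMPLE_LOG))
```

On the real box the equivalent check is fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/courierlogin.conf, which prints how many lines the filter matched. Two things the sample brings out: the filter matches failures logged by imapd as well as pop3d, because courier writes them the same way, so the jail effectively covers the other mail ports too; and the classic <HOST> expansion has no colon in its character class, so a bare IPv6 address such as the last sample line is never matched or banned.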

Once the jail.local file is saved, restart the Fail2ban server:

fail2ban-server -x
fail2ban-client reload
fail2ban-client status

The status command responds with the number of jails and their names, which now includes pop3 (the section name in jail.local).

Afterwards, I reloaded my iptables again:

service iptables restart

Bear in mind that restarting iptables reloads the saved ruleset from disk, which discards the fail2ban-* chains and jump rules that fail2ban inserted at runtime unless they were included in the last save; if the fail2ban-POP3 chain is missing from the listing below, restart fail2ban so it recreates them.

Then view the resulting rules, including the fail2ban-POP3 chain, with: iptables -nL

Stay tuned this weekend to see if this new config pays off.