[Suggestion] dovecot fail2ban jail

[jb2170]

Hey Luke,
fail2ban works great for ssh(d), (also PasswordAuthentication no in /etc/ssh/sshd_config helps), but what about dovecot?
When I open /var/log/auth.log I see tooones of entries like
Apr 30 17:57:14 SAO auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=summerschool rhost=212.70.149.72
because we use password authentication to access our mail. A custom fail2ban jail may be useful. I'll have a look.

[jb2170]

Okay so the /etc/fail2ban/filter.d/dovecot.conf filter works when one changes the following in /etc/fail2ban/jail.local:

Under [dovecot]

• add enabled = true
• change logpath to logpath = /var/log/auth.log (beforehand it was incorrectly using /var/log/mail.log via %(dovecot_log)s)

Then # systemctl restart fail2ban, cool! One can see the jail in action with # fail2ban-client status dovecot

[jb2170]

Actually this seems useful enough / security-wise-important-enough that it could be a PR (reopening issue for now); the script could install fail2ban and make the corresponding couple of changes under the [dovecot] section of /etc/fail2ban/jail.local
It'd probably be a couple of sed ///a-like commands but I'm not a sed expert lol

[LukeSmithxyz]

Yeah this might be worth adding since it is common enough. I'll look into it.

[LukeSmithxyz]

Adding a todo with this on the README for now. I'll get to it when I get the chance. Doesn't seem to hard to add.