Brute force attack on Dovecot not detected

[vendsmart]

Our server has been grinding to a halt because of brute force login attempts on POP3 and CSF isn't detecting it.

Example of mail log:

May 1 03:49:17 vendsmart dovecot: auth(default): pam(alex,::ffff:205.217.244.10): PAM child process 7194 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(customer,::ffff:205.217.244.10): PAM child process 7205 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(accounts,::ffff:205.217.244.10): PAM child process 6014 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(adm,::ffff:205.217.244.10): PAM child process 6015 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(access,::ffff:205.217.244.10): PAM child process 5974 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(account,::ffff:205.217.244.10): PAM child process 5977 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(agent,::ffff:205.217.244.10): PAM child process 7193 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(alex,::ffff:205.217.244.10): PAM child process 7194 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(mail,::ffff:205.217.244.10): PAM child process 7304 timed out, killing it

[chirpy]

That's not a log line that lfd matches in regex.pm. If you want to trap those lines you will need to write your own regex using regex.custom.pm

[hauferman]

Can anyone put some example of that? Sorry, not mean to hijack this thread, since the problem we have is same, so I write this here since the regex is not my expertise ^^ TIA.

[DaNgErOuS]

I know this is an old thread, but I wanted to pass this along to anyone that needs help. If your log file for dovecot reads like this,

Feb 20 15:21:08 SERVERNAME dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<NAME>, method=PLAIN, rip=IPADDRESS, lip=IPADDRESS

you can add the following to your regex.custom.pm:

#dovecot_rp
if (($config{LF_POP3D}) and ($lgfile eq $config{POP3D_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+.*dovecot(\[\d+\])?: pop3-login: (Aborted login|Disconnected)( \(auth failed, \d+ attempts in \d+ secs\):)? (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=.*/)) {
$ip = $7; $acc = $6; $ip =~ s/^::ffff://; $acc =~ s/^<|>$//g;
if (&checkip($ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}
if (($config{LF_IMAPD}) and ($lgfile eq $config{IMAPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+.*dovecot(\[\d+\])?: imap-login: (Aborted login|Disconnected)( \(auth failed, \d+ attempts in \d+ secs\):)? (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=.*/)) {
$ip = $7; $acc = $6; $ip =~ s/^::ffff://; $acc =~ s/^<|>$//g;
if (&checkip($ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
}

please check this regex .