From 46f64e0e0a139a459a353cfac8a4a00ee262e2a3 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 31 Aug 2019 09:04:17 -0400 Subject: [PATCH] fail2ban should watch for managesieve logins too, fixes #1622 --- CHANGELOG.md | 3 ++- conf/fail2ban/filter.d/dovecotimap.conf | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2954bfc4..1d88f49c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,9 +4,10 @@ CHANGELOG In Development -------------- -Security fix: +Security fixes: * A security issue was discovered in rsync backups. If you have enabled rsync backups, the file `id_rsa_miab` may have been copied to your backup destination. This file can be used to access your backup destination. If the file was copied to your backup destination, we recommend that you delete the file on your backup destination, delete `/root/.ssh/id_rsa_miab` on your Mail-in-a-Box, then re-run Mail-in-a-Box setup, and re-configure your SSH public key at your backup destination according to the instructions in the Mail-in-a-Box control panel. +* Brute force attack prevention was missing for the managesieve service. Setup: diff --git a/conf/fail2ban/filter.d/dovecotimap.conf b/conf/fail2ban/filter.d/dovecotimap.conf index 64b8d944..40fa87a4 100644 --- a/conf/fail2ban/filter.d/dovecotimap.conf +++ b/conf/fail2ban/filter.d/dovecotimap.conf @@ -1,4 +1,4 @@ -# Fail2Ban filter Dovecot authentication and pop3/imap server +# Fail2Ban filter Dovecot authentication and pop3/imap/managesieve server # For Mail-in-a-Box [INCLUDES] @@ -9,7 +9,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) -failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ +failregex = ^%(__prefix_line)s(pop3|imap|managesieve)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ignoreregex =