This script enhances Dovecot email server security by automatically banning IP addresses that attempt to access multiple domains with failed login attempts. It analyzes Dovecot logs, applies country-specific thresholds using GeoIP data, and integrates with fail2ban to block potential brute-force attacks across multiple domains.
- Multi-domain login attempt analysis
- GeoIP-based country-specific thresholds
- fail2ban integration for IP banning
- Efficient log processing with rotation handling
- Whitelist support for trusted IPs
- AWK (pre-installed on most Unix-like systems)
- fail2ban
- GeoIP database and mmdblookup
- CRON (for scheduled execution)
- Install packages (examples based on Debian or Debian related distros)
sudo apt-get update
sudo apt-get install fail2ban
- Configure fail2ban:
Create
/etc/fail2ban/filter.d/empty.conf:
[Definition]
failregex =
ignoreregex =
Create /etc/fail2ban/jail.d/dovecot-multidomain.conf:
[dovecot-multidomain]
enabled = true
port = 110,143,993,995
filter = empty
logpath = /dev/null
maxretry = 0
findtime = 86400
bantime = 86400
- Restart fail2ban:
sudo systemctl restart fail2ban
- Create
/etc/logrotate.d/dovecot.conf:
/var/log/dovecot*.log {
rotate 6
monthly
missingok
notifempty
compress
sharedscripts
delaycompress
postrotate
doveadm log reopen
endscript
}
Enter crontab as root or the user you want to have the job executed as:
root: sudo crontab -e
user: sudo -u username crontab -e
*/5 * * * * /path/to/dovecot-multidomain-ip-ban
- Install required packages:
sudo apt-get update
sudo apt-get install mmdb-bin geoipupdate
- Configure GeoIP update:
Edit /etc/GeoIP.conf and add your MaxMind account ID and license key:
AccountID YOUR_ACCOUNT_ID
LicenseKey YOUR_LICENSE_KEY
EditionIDs GeoLite2-Country GeoLite2-City
- Perform initial GeoIP database update:
sudo geoipupdate
- Set up a cron job for weekly updates:
This is usually handled automatically by your distro. You can check the /etc/cron.d directory for a file called geoipupdate or search your CRON files for a geoipupdate entry. Anyway in most cases you won't need to do the next step
Edit Crontab
sudo crontab -e
47 3 * * * root test -x /usr/bin/geoipupdate && /usr/bin/geoipupdate
Adjust the following variables in the script as needed:
DOVECOT_LOG: Path to your Dovecot log fileBAN_LOG: Path for the ban logAMOUNTOFHOURSTOCHECK: Number of hours to look back for failed loginsHIGH_THRESHOLD_COUNTRIES: Countries with a higher banning thresholdLOW_THRESHOLD: Minimum number of domains for most countriesHIGH_THRESHOLD: Minimum number of domains for high-threshold countriesWHITELIST: IPs that should never be banned
- The script analyzes Dovecot logs for failed login attempts.
- It identifies IPs attempting to access multiple domains.
- GeoIP data is used to apply country-specific thresholds.
- IPs exceeding the threshold are banned using fail2ban.
- The process is logged for monitoring and analysis.
This script provides a powerful, customizable solution for protecting Dovecot email servers from brute-force attacks across multiple domains. By leveraging GeoIP data and fail2ban integration, it offers an additional layer of security beyond standard authentication measures.
This script is provided as-is, without any warranty or guarantee. Users should understand that they are using this script at their own risk. The authors do not take any responsibilities or liabilities for any data loss, system damage, or other issues that may arise from the use of this script. It is strongly recommended to thoroughly test the script in a non-production environment before using it on critical systems. Always ensure you have multiple backups of your important data using various methods.
For a detailed explanation and discussion, please visit our blog post: Dovecot Defender: Multi-Domain IP Banning