HomeForumsBlockHosts

Blockhost doesnt detect dovecot bad login in centos 5

Tue, 2008–Jun–24

Log:

Jun 24 18:41:41 dedibox dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:220.130.225.81, lip=::ffff:88.191.11.13

i imagine i need change the regx, but i dunno how.

rip=ffff:ip has the intruder

lip=ffff: has the server side

thans alot for all

‹ blockhosts.py in /etc/hosts.allow fails to run in Fedora 9 with Selinux enforcing Blockhosts gone mad, blocking a host on first connect ›
Tue, 2008-06-24 13:54 — Anonymous (not verified)

try this

Not tested, but if you know how to edit the blockhosts.cfg file, run in debug mode to test, etc, try this:

    "dovecot-LoginFailRip":
        r'{LOG_PREFIX{dovecot}} pop3-login: Aborted login: .* rip={HOST_IP}',

But - make sure the standard dovecot line is not in the log, which would make the above regex unnecessary. Also - by default, blockhosts does not block dovecot, so it requires the ENABLE_RULES in blockhosts.cfg or the --enable-rules command line option.

Tue, 2008-06-24 14:36 — Anonymous (not verified)

I can confirm Works fine,

I can confirm Works fine, thanks