This article outlines the process of configuring Fail2Ban to secure a Plesk server running Courier-IMAP as its IMAP and POP3 server against brute forcing.
Prerequisite: This article expects that you have already completed the installation of Fail2Ban as outlined here.
Once you have completed the installation of Fail2Ban –
1. Edit /etc/fail2ban/filter.d/courierlogin.conf using nano.
nano -w /etc/fail2ban/filter.d/courierlogin.conf
And change: “LOGIN FAILED, .*, ip=\[< HOST >\]$”
To: “LOGIN FAILED, ip=\[< HOST >\]$”
2. Add the following configuration to /etc/fail2ban/jail.conf:
enabled = true filter = courierlogin
action = iptables-multiport[name=IMAP, port=”110,995,143,993″]
sendmail-whois[name=IMAP, [email protected], [email protected]]
logpath = /usr/local/psa/var/log/maillog
maxretry = 5
Note: port= needs to include any ports which you are running POP3 or IMAP dameons on. The defaults are POP3 ports 110 (non-secure) and 995 (secure) and IMAP ports 143 (non-secure) and 993 (secure. Be sure to change the dest= and sender= variables as well.
Note: /usr/local/psa/var/log/maillog is the default mail log location for Plesk 8.x and Plesk 9.x servers.
3. Restart fail2ban:
Your server is now protected against brute force attempts against your email service ports. Any remote host which fails to login more than 5 times will be automatically blocked.
WARNING: Please make sure you have 127.0.0.1 listed in your ignore list in /etc/fail2ban/jail.conf, e.g. ignoreip = 127.0.0.1,.