[SMS]

[gerasimos_h]

OK! I also add lines for pam and ldap in your dovecot-attacks.conf

[keopp]

Ok then.
I'll post every new rule.

By the the way, do you think that shorter rules can increase performance?

[gerasimos_h]

Either creating a new rule or searching more queries on one rule I believe it's the same.
I haven't test findtime though since searching more queries might increase
find time.
But in some cases needs to divide them for instance

\[<HOST>\].*authentication failed

is found at /var/log/maillog but

\(auth failed.*rip=<HOST>
auth\(default\): Info: ldap\(.*,<HOST>\): unknown user
auth\(default\): Info: ldap\(.*,<HOST>\): Password mismatch

is found at /var/log/dovecot-info.log

Another way is to set
logpath =
so dovecot logs to /var/log/maillog
although some info is logged in /var/log/maillog either way.

gerasimos_h

[keopp]

Yes, you are right about logging everything in maiilog. This is my option and I log also clamd/freshclam and mailscanner logs in maillog. This way is easyer for me to follow a message having all it's route in one file.
Of course considerations can be made here about the resulting maillog size, especially when there are a big number of clients involved(or rised verbosity).
Also is better for fail2ban having less log files to watch over.

As far as I know, each line in <failregex> is tested against the logfile and whenever a match is met, it triggers the action. In my question about performance I meant if you think that lets say:

[keopp]

I found a very interesting long thread here.
The essence of this is below:

[gerasimos_h]

MailScanner logs by default in /var/log/maillog and can cause quite a problem if something wrong happens and could take over you space quite fast.

Well as for shorter rule, theoretically, the more accurate the rule is, the faster will respond.
But in action, shorting the rule it's better as long as it's still accurate and output the same results.

So

[keopp]

Thanks very much. It confirms my assumptions. How could you measure the responding time. THIS I find very interesting.....

[gerasimos_h]

I measure with "time"

[gerasimos_h]

Well after doing some test I found that, splitting logs is faster, because when you are searching /var/log/maillog takes twice the time since it's almost double in size too, comparing to dovecot-info.log

So in conclusions we need shorter rules with same accuracy, and having to look at different logs it's not a bad thing after all, we just have to load more filters at start.

gerasimos_h

[gerasimos_h]

After testing and testing I ended up with the following rules.
dovecot-imap.conf looking at /var/log/dovecot-info.log

[keopp]

There are indeed some comments I belive there have to be made.
First of all, the purpose of those rules are to prevent two type of events: brute-force attacks and some kind of ddos attacks(even rejected by rbl checks or sqlgrey). To achieve this, it is enough to have a recurring(let me call it) <marker> and a related <HOST> to be banned a proper amount of time. And of course we want this to be done with minimum effort from "The Machine". Considering all above, I really appreciate the actual rules, very smart to match nearly an entire log line, but I belive they are too accurate for our needs.
So, I belive that:

[gerasimos_h]

Shorting too match can cause high loads, for instance

[keopp]

I totally agree with you and it will be allways a pleasure to post here.

[gerasimos_h]

A little update, this long rule covers the loss of time (takes half the time) and it's accurate enough