This article outlines the process of configuring Fail2Ban to secure a Plesk server running Courier-IMAP as its IMAP and POP3 server against brute forcing.

Prerequisite: This article expects that you have already completed the installation of Fail2Ban.

Once you have completed the installation of Fail2Ban

1. Edit /etc/fail2ban/filter.d/courierlogin.conf

vi /etc/fail2ban/filter.d/courierlogin.conf

And change:

LOGIN FAILED, .*, ip=\[\]$

to:

LOGIN FAILED, ip=\[\]$

2. Add the following configuration to /etc/fail2ban/jail.conf:

[courierimap-iptables]
enabled = true
filter = courierlogin
action = iptables-multiport[name=IMAP, port="110,995,143,993"]
sendmail-whois[name=IMAP, dest=
 Ova e-mail adresa je zaštićena od spam robota, nije vidljiva ako ste isključili JavaScript
 , sender=
 Ova e-mail adresa je zaštićena od spam robota, nije vidljiva ako ste isključili JavaScript
 ]
logpath = /usr/local/psa/var/log/maillog
maxretry = 5

Note: port= needs to include any ports which you are running POP3 or IMAP dameons on. The defaults are POP3 ports 110 (non-secure) and 995 (secure) and IMAP ports 143 (non-secure) and 993 (secure. Be sure to change the dest= and sender= variables as well.

Note: /usr/local/psa/var/log/maillog is the default mail log location for Plesk 8.x, 9.x and Plesk 10.x servers.

3. Restart fail2ban:

/etc/init.d/fail2ban restart

Your server is now protected against brute force attempts against your email service ports. Any remote host which fails to login more than 5 times will be automatically blocked.

WARNING: Please make sure you have 127.0.0.1 listed in your ignore list

in /etc/fail2ban/jail.conf, e.g.

ignoreip = 127.0.0.1