Resolved does fail2ban for webmail bring added value?

[Linulex]

Fail2ban takes cpu cycles that websites can't use, so there is no point in having unneeded fail2ban jails.
This made we wonder:

is there a point to fail2ban-roundcube and fail2ban-horde? we also use mod_evasive.

As i see it:
- scripts that try to "guess" passwords will be banned by the imap jail
- scripts that try and try will be stopped by mod_evasive

fail2ban-webmail stops it earlier then imap, that is true.
But it also prevents legitimate users that made a mistake from reaching there website, and it doesn't close the imap port.

Or am i missing something?

regards
Jan

 

[scsa20]

It really all depends on what your needs are. I have it enabled but I don't have much email user traffic since most of my emails is handled differently. All point of the jails is to prevent someone from trying to use brute force methods of trying to log in. Fail2Ban looks at the logs to see the number of tries and will automatically temp ban or even perma ban based off of the settings you've set. If you think 5 tries (which is default) is too little, feel free to edit the rule to make it bigger, if you think 5 tries is too much, feel free to make it smaller. If you don't think it's needed, feel free to turn off that jail.

In terms of blocking the IMAP port, that's not what it does, it just bans the IP by blocking that IP from accessing whatever the port is for the web mail service of choice. If you don't want anyone to access the IMAP port then you will need to block it through the firewall.

 

[Linulex]

I know how fail2ban works. And i found the answer myself:

Yes they are needed. imap registers these logins as coming from [::1] (localhost), and localhost is whitelisted so hackers/scriptkiddies/password guessers that try via a webmail will never get banned.

regards
Jan