I'm using csf and noticed a lot of brute force password attempts into a particular pop3 account. csf does not appear to be blocking the IP addresses as it does with other processes. Is there a switch or config option that someone can point me to that instructs csf to block all failed dovecot login attempts?
Have a look at the "SECTION:Login Failure Blocking and Alerts" and set the whished settings.
More specific,
LF_POP3D
andLF_IMAPD
for the amount of attempts before its blocking the IP address.Furthermore you need to check if the log paths are set correctly.
Go way back down into the config, and see that these settings are correct:
For me both are
/var/log/mail.log
, but check your system.In the file
csf/regex.pm
you can see which attempts are being filtered.