I just got a barrage of pop3-login attacks on one of my servers. I was surprised that fail2ban wasn't stopping them, then I realized that the service is listening on multiple IP addresses, and the attacker was spraying over all of them. Fail2ban only blocked my first IP.

fail2ban has a myip=x.y.z.a setting, but it doesn't seem to take multiple values. Is there a way to set this up?

user9517
mgjk

1 Answer

D'oh! Bad assumption on my part. I had a close look. fail2ban doesn't block on the local IP, it's blocking the source properly. It is not necessary to configure multiple IP addresses.

The issue seems to be that they were doing dozens of attempts per second.

2012-07-26 10:41:25,771 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 74.63.241.177
2012-07-26 10:41:27,825 fail2ban.actions: WARNING [dovecot-pop3imap] 74.63.241.177   already banned
2012-07-26 10:41:28,827 fail2ban.actions: WARNING [dovecot-pop3imap] 74.63.241.177 already banned
2012-07-26 10:41:30,829 fail2ban.actions: WARNING [dovecot-pop3imap] 74.63.241.177 already banned

It was enough to ramp up the process count before fail2ban could respond. The volume of the attack and the spread over multiple IPs caught me off guard.

mgjk