Linode Forum
Linode Community Forums
 Post subject: VPS under heavy attack.
Posted: Mon Jul 19, 2010 5:31 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
As per the subject,
this night my VPS was attacked for two hours.

My log is exploding: millions of auth failures from dovecot.
They tried thousands of usernames with dozens of passwords for each username.
Fortunately my server is up and running and all requests were denied.

Just to share my bad experience and to know if you have noticed similar things these days.

Posted: Mon Jul 19, 2010 7:33 am
Senior Member

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
Fail2ban will take care of this for you:

http://www.fail2ban.org/wiki/index.php/Main_Page
http://wiki.dovecot.org/HowTo/Fail2Ban

Posted: Mon Jul 19, 2010 7:40 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Thanks for your reply. I have always avoided fail2ban since
it seems a "quite dead" project: no updates, no development on it.

Do you think that it is good to install it?

Posted: Mon Jul 19, 2010 12:12 pm
Junior Member

Joined: Mon Jun 27, 2005 3:40 am
Posts: 48
Honestly it does what it needs to do... As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)

Fail2ban works well, and I'd recommend it... at least until an alternative comes along

Posted: Mon Jul 19, 2010 12:16 pm
Junior Member

Joined: Mon Dec 28, 2009 2:52 pm
Posts: 29
bezerker wrote:
Honestly it does what it needs to do... As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)


It's funny that you should say that. The last update to it in Debian closes a remote DoS security hole in it.

I run it anyway, it's good for what it's intended to do.

Posted: Mon Jul 19, 2010 12:37 pm
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Ævar Arnfjörð Bjarmason wrote:
bezerker wrote:
Honestly it does what it needs to do... As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)


It's funny that you should say that. The last update to it in Debian closes a remote DoS security hole in it.

I run it anyway, it's good for what it's intended to do.


This is what I mean...
Ok, I will use it.

I configured it OK for SSH,
but now I want to configure it also for phpmyadmin and dovecot.

I can't find the correct regexp/filter that catches the problem on CentOS 5.5...
The link posted initially doesn't work for my dovecot configuration (dovecot 1.0.7)...
I can't find anything working for phpmyadmin either...

Posted: Mon Jul 19, 2010 1:01 pm
Junior Member

Joined: Mon Dec 28, 2009 2:52 pm
Posts: 29
First of all, don't panic. Millions of failed auth tries isn't a big deal, it just costs you a tiny bit of bandwidth (probably not more than ~100MB in all), and it's very unlikely that they'll compromise the system if you have sane password policies in the first place.

Posted: Mon Jul 19, 2010 1:06 pm
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Ævar Arnfjörð Bjarmason wrote:
First of all, don't panic. Millions of failed auth tries isn't a big deal, it just costs you a tiny bit of bandwidth (probably not more than ~100MB in all), and it's very unlikely that they'll compromise the system if you have sane password policies in the first place.


Ok ok, my system is up and running, no problem and no panic, but I don't want to get another attack and reply on every attack.
fail2ban seems to be a reasonable choice.

In the meantime I solved it for SSH and dovecot with the correct regexp;
now I need to find something to protect phpmyadmin from repeated login attempts...

thanks for your help :)

Posted: Mon Jul 19, 2010 1:48 pm
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
How can I create a regexp to ban IPs from this ssl_access_log?

IP_ADDRESS - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885

Posted: Tue Jul 20, 2010 5:03 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I have just configured fail2ban for:
dovecot
postfix
ssh
apache
php injection
squirrelmail

Now I don't understand how to generate a correct regexp for the phpmyadmin invalid login.

Posted: Tue Jul 20, 2010 6:33 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Maybe CAREFULLY edit phpmyadmin's code to issue an error_log('PMA: Login refused!') call where appropriate, and tell fail2ban to look for that string in your webserver's error log*?

* You DO have display_errors = Off and log_errors = On in php.ini, right?

Posted: Tue Jul 20, 2010 6:54 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
rsk wrote:
Maybe CAREFULLY edit phpmyadmin's code to issue an error_log('PMA: Login refused!') call where appropriate, and tell fail2ban to look for that string in your webserver's error log*?

* You DO have display_errors = Off and log_errors = On in php.ini, right?


All is ok, phpmyadmin returns access denied on a wrong user/pass, but I need to configure fail2ban to ban those IPs.

phpmyadmin puts this string in ssl_access_log
when someone enters a wrong combination of user/pass:

IP_ADDRESS - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885

but actually I haven't found a regexp for fail2ban that catches this string and bans the IP.

Can't understand why this regexp doesn't work:
/<HOST> -.*"GET \/phpmyadmin\/ HTTP\/1\.1" 401 885/

Posted: Tue Jul 20, 2010 7:15 am
Junior Member

Joined: Mon Dec 28, 2009 2:52 pm
Posts: 29
Have you read fail2ban's documentation (and the stuff that came with your OS)? What part of the docs that say how to add new regex matching rules don't you understand?

It's been a while but I found it easy to tweak them when I needed to.

Posted: Tue Jul 20, 2010 7:32 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Ævar Arnfjörð Bjarmason wrote:
Have you read fail2ban's documentation (and the stuff that came with your OS)? What part of the docs that say how to add new regex matching rules don't you understand?

It's been a while but I found it easy to tweak them when I needed to.


Same here, easy for everything other than this.
Can't understand why the regexp I posted doesn't catch those lines.

Posted: Tue Jul 20, 2010 8:40 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
sblantipodi wrote:
Ævar Arnfjörð Bjarmason wrote:
Have you read fail2ban's documentation (and the stuff that came with your OS)? What part of the docs that say how to add new regex matching rules don't you understand?

It's been a while but I found it easy to tweak them when I needed to.


Same here, easy for everything other than this.
Can't understand why the regexp I posted doesn't catch those lines.


I'm also trying with
fail2ban-regex '1.2.3.4 - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885' '<HOST> -.*"GET \/phpmyadmin\/ HTTP.*" 401 885'

This command returns the correct matching, but it doesn't ban the IP address that makes the incorrect logins o_O
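To make concrete what fail2ban does with a failregex like the one tested above, here is an added Python illustration (not code from the thread or from fail2ban itself): it expands <HOST>, searches each ssl_access_log line, dates it, and counts hits per address inside a findtime window before "banning". The log lines and addresses are constructed, and the <HOST> expansion is the fail2ban 0.8-era one, assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban 0.8 expands <HOST> to this pattern (assumed here); the named group "host" is the address to ban
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Apache-style timestamp as in the thread's ssl_access_log line, e.g. [19/Jul/2010:18:28:55 +0200]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result as a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def match_host(line, failregex):
    """Like fail2ban-regex: return the host captured by failregex in line, or None if no match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None

def find_bans(lines, failregex, maxretry=3, findtime=600):
    """Return hosts whose matching lines reach maxretry within a findtime-second window."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        m, d = rx.search(line), DATE_RE.search(line)
        if not m or not d:
            continue  # a non-matching line, or one without a parseable date, is ignored
        ts = datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S %z")
        host = m.group("host")
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed ssl_access_log sample (documentation IP ranges; not taken from the thread)
SAMPLE_LOG = [
    '203.0.113.5 - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885',
    '203.0.113.5 - invalidusername [19/Jul/2010:18:29:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885',
    '198.51.100.7 - admin [19/Jul/2010:18:29:10 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 4321',
    '203.0.113.5 - root [19/Jul/2010:18:29:30 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885',
    '198.51.100.7 - invalidusername [19/Jul/2010:19:40:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885',
]

# The bare pattern from the fail2ban-regex test in the thread
FAILREGEX = r'<HOST> -.*"GET /phpmyadmin/ HTTP.*" 401 885'
# The earlier slash-delimited form: fail2ban takes the slashes as literal characters, so nothing matches
SLASHED = r'/<HOST> -.*"GET \/phpmyadmin\/ HTTP\/1\.1" 401 885/'
```

Running it also shows that the slash-delimited form of the regex posted earlier matches no line at all, while the bare form from the fail2ban-regex test does.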