fail2ban setup centos 7 not picking auth fail?

Voytek Eymont voytek at sbt.net.au
Fri May 22 03:38:36 EEST 2020


I'm trying to set up fail2ban with dovecot. I have it working on the 'old'
server (CentOS 6), but I'm not getting anywhere with the 'new' server on CentOS 7
using the standard filters.

I've copied the same 'filter' to the new server, still get nothing.
Any idea how to figure this out?

on old server, it logs to syslog/messages
CentOS release 6.10 (Final) dovecot 2.3.10.1 (a3d0e1171)

old # fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     168
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     32
   `- Banned IP list:

on new server CentOS Linux release 7.8.2003 dovecot 2.3.10.1 (a3d0e1171)
nothing shows up in the fail2ban log (ssh and postfix do, only no dovecot)
I've copied the actual /etc/fail2ban/filter.d/dovecot.conf from the old
server, still nothing
not sure where/how to look
is there a standard/approved dovecot filter..?

cat jail.local
...
[dovecot]
enabled  = true
filter   = dovecot
logpath  = /var/log/dovecot.log
maxretry = 3
ignoreip = 127.0.0.1 127.0.0.0/8
...


#  fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# grep 'auth failed' /var/log/dovecot.log | wc
   7669  149916 1558909

# cat dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
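As an added example (not from the poster or the fail2ban project), the check a practitioner would run here, done in Python rather than with fail2ban-regex: the second failregex from the dovecot.conf above is applied to constructed log lines in both the /var/log/dovecot.log format and the syslog format of the old server. It shows the filter matches the "auth failed" lines either way and ignores logins and "no auth attempts" lines, which is consistent with the jail status showing "Journal matches" (the journal backend) instead of "File list" (the logpath) being the thing to look at. PREFIX and HOST are simplified stand-ins for fail2ban's __prefix_line and <HOST>, and SAMPLE_LOG is constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not from the poster's server). Lines 1-4 use the
# format dovecot writes to /var/log/dovecot.log; line 5 is the syslog form
# the old CentOS 6 box produced in /var/log/messages.
SAMPLE_LOG = """\
May 22 03:10:11 imap-login: Info: Aborted login (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<abc123>
May 22 03:10:12 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS, session=<def456>
May 22 03:11:40 pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=2001:db8::17, lip=198.51.100.2
May 22 03:12:02 imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.77, lip=198.51.100.2
May 22 03:13:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
"""

# Simplified stand-in (assumption) for fail2ban's %(__prefix_line)s: the
# timestamp plus the optional "host dovecot: " syslog tag. fail2ban's real
# prefix is richer and it strips the timestamp with its date detector first.
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d (?:\S+ dovecot: )?"
# Stand-in (assumption) for fail2ban's <HOST> tag: an IPv4 or IPv6 literal.
# The real <HOST> also accepts hostnames.
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# Second failregex from the dovecot.conf above, with the two tags expanded.
FAILREGEX = re.compile(
    PREFIX +
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?"
    r"( method=\S+,)? rip=" + HOST + r"(?:, lip=\S+)?(?:, TLS(?: handshaking"
    r"(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+"
    r"_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?"
    r"(, session=<\S+>)?\s*$")


def failed_hosts(log_text):
    """Return the rip= address of every line the failregex matches, in order."""
    return [m.group("host") for m in map(FAILREGEX.match, log_text.splitlines()) if m]


def ban_candidates(log_text, maxretry=3):
    """Hosts with at least maxretry matching lines (jail.local sets maxretry = 3)."""
    counts = Counter(failed_hosts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))       # ['203.0.113.5', '2001:db8::17', '203.0.113.5']
    print(ban_candidates(SAMPLE_LOG, 2))  # ['203.0.113.5']
```

Running the real filter against the real file is `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf`; if that reports matches while the jail reports none, the jail is not reading that file.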
