On 6/16/23 10:53, pedro@netsecpt.pt wrote:
Hi, I am having an issue with dovecot. In log files of imap, inactivity lines have the words "auth failed" included, which is not true. What happens next is that fail2ban is looking for those words too in the log file of dovecot, and when it finds them it bans my public IP address. Is there any chance to change this behavior in dovecot? What I mean is to insert "auth failed" when in fact it is an authentication failure, and not use it as a general message for everything in the log file.
Interesting. It does look like maybe dovecot is reporting "auth failed" on inactivity even if the auth actually succeeded. I am on Dovecot 2.3.20 from the dovecot APT repo for Ubuntu.
I don't see this for my mail account, because my mail clients are never inactive for 3 minutes. But I do see it for another account on my mail server. I will need to ask that user if it is possible they are actually sending an incorrect password, but I think that is unlikely. The log entries are not frequent and it looks like there are only ever two such failures close enough together for fail2ban to notice, so the source address is not being banned because my fail2ban config requires five failures within 20 minutes before it takes action.
What are the findtime and maxretry in your fail2ban jail config for dovecot? Maybe the time span is too large or the retry value too low.
I think you should have fail2ban ignore your public IP which would solve the problem for your IP address. Below is the contents of /etc/fail2ban/jail.d/zz-custom.conf on my mail server. I have not changed any of the conf files in /etc/fail2ban itself, I have only added a config file to jail.d.
The public /24 ranges in the ignoreip setting are in there for Qualys SSL Labs tests. Without them, their test IP address gets banned because their tests generate a ton of failures in the haproxy log. Also included are the AWS private IP address of the mail server and the AWS public IP address.
elyograg@bilbo:/etc/fail2ban/jail.d$ cat zz-custom.conf
[INCLUDES]
before = common.conf

[DEFAULT]
maxretry = 5
bantime = 8h
findtime = 20m
ignoreself = true
ignoreip = 127.0.0.1/8 ::1 192.168.217.0/24 REDACTED1 172.31.8.104 REDACTED2 REDACTED3 64.41.200.0/24 54.67.1.252 64.77.246.0/24
banaction = %(banaction_allports)s
protocol = all

[sshd]
enabled = true
port = 0:65535

[dovecot]
enabled = true
port = 0:65535

[sieve]
enabled = true
port = 0:65535

[postfix]
enabled = true
findtime = 30m
bantime = 8h
port = 0:65535

[postfix-rbl]
enabled = true
findtime = 30m
bantime = 8h
port = 0:65535

[postfix-sasl]
enabled = true
findtime = 30m
bantime = 8h
port = 0:65535

[haproxy-http-auth]
enabled = true
logpath = /var/log/debug-haproxy
port = 0:65535

[haproxy-custom]
enabled = true
findtime = 30m
logpath = /var/log/debug-haproxy
maxretry = 10
port = 0:65535
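To make the findtime/maxretry and ignoreip discussion above concrete, here is a small simulation of how fail2ban counts failures per source address. It is an added example written for this thread, not code from the poster, from fail2ban or from Dovecot. The log lines are constructed, the year is assumed when parsing syslog timestamps, and both regexes are simplified stand-ins for fail2ban's real dovecot filter: the naive pattern matches any line containing "auth failed" (the behaviour the original question complains about), while the stricter pattern requires "Disconnected (auth failed" and therefore skips the "Disconnected: Inactivity (auth failed" variant. The jail values (maxretry 5, findtime 20m, the ignoreip list) are taken from the zz-custom.conf shown above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings from the [DEFAULT] section of zz-custom.conf above.
MAXRETRY = 5
FINDTIME = timedelta(minutes=20)
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.217.0/24", "172.31.8.104",
            "64.41.200.0/24", "54.67.1.252", "64.77.246.0/24"]

# Hypothetical filters (not fail2ban's own filter.d/dovecot.conf).
# NAIVE_RE counts every line containing "auth failed", inactivity included.
NAIVE_RE = re.compile(r"auth failed.*\brip=(?P<host>[0-9a-fA-F.:]+),")
# FAILED_LOGIN_RE only counts a plain "Disconnected (auth failed ...)": the
# "(" must directly follow "Disconnected", so "Disconnected: Inactivity (...)"
# is not counted.
FAILED_LOGIN_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    r".*\brip=(?P<host>[0-9a-fA-F.:]+),"
)

# Constructed sample events (time, message, user, remote IP); not real logs.
INACTIVE = "Disconnected: Inactivity (auth failed, 1 attempts in 180 secs)"
FAILED = "Disconnected (auth failed, 1 attempts in 2 secs)"
EVENTS = [
    # alice: idle client, five inactivity disconnects within 15 minutes
    ("10:00:01", INACTIVE, "alice", "203.0.113.7"),
    ("10:03:01", INACTIVE, "alice", "203.0.113.7"),
    ("10:06:01", INACTIVE, "alice", "203.0.113.7"),
    ("10:09:01", INACTIVE, "alice", "203.0.113.7"),
    ("10:12:01", INACTIVE, "alice", "203.0.113.7"),
    # bob: five genuine failures within the 20 minute findtime
    ("10:01:00", FAILED, "bob", "198.51.100.20"),
    ("10:02:00", FAILED, "bob", "198.51.100.20"),
    ("10:04:00", FAILED, "bob", "198.51.100.20"),
    ("10:10:00", FAILED, "bob", "198.51.100.20"),
    ("10:19:00", FAILED, "bob", "198.51.100.20"),
    # carol: five genuine failures, but from an ignoreip range
    ("10:01:30", FAILED, "carol", "192.168.217.5"),
    ("10:02:30", FAILED, "carol", "192.168.217.5"),
    ("10:03:30", FAILED, "carol", "192.168.217.5"),
    ("10:04:30", FAILED, "carol", "192.168.217.5"),
    ("10:05:30", FAILED, "carol", "192.168.217.5"),
    # dave: five genuine failures spread over two hours, never 5 in 20 min
    ("09:00:00", FAILED, "dave", "198.51.100.30"),
    ("09:30:00", FAILED, "dave", "198.51.100.30"),
    ("10:00:00", FAILED, "dave", "198.51.100.30"),
    ("10:30:00", FAILED, "dave", "198.51.100.30"),
    ("11:00:00", FAILED, "dave", "198.51.100.30"),
]


def format_line(ts, msg, user, rip):
    """Render one event as a syslog-style dovecot line (assumed format)."""
    return (f"Jun 16 {ts} mail dovecot: imap-login: {msg}: "
            f"user=<{user}>, method=PLAIN, rip={rip}, lip=192.0.2.10, TLS")


SAMPLE_LOG = "\n".join(format_line(*e) for e in sorted(EVENTS))


def parse_failures(log_text, pattern=FAILED_LOGIN_RE, year=2023):
    """Return (timestamp, host) for each line the filter regex matches."""
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year; one is assumed for parsing.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m.group("host")))
    return hits


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host falls inside any ignoreip address or network."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def simulate_jail(log_text, pattern=FAILED_LOGIN_RE, maxretry=MAXRETRY,
                  findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return the set of hosts that reach maxretry matches within findtime."""
    window = defaultdict(deque)   # host -> timestamps of recent matches
    banned = set()
    for ts, host in sorted(parse_failures(log_text, pattern)):
        if host in banned or is_ignored(host, ignoreip):
            continue
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:   # slide the findtime window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("strict filter bans:", sorted(simulate_jail(SAMPLE_LOG)))
    print("naive filter bans: ", sorted(simulate_jail(SAMPLE_LOG, NAIVE_RE)))
```

With the strict filter only bob's address is banned; with the naive substring-style filter the idle client's address is banned as well, which is the situation the original question describes. Removing the ignoreip list shows carol's address being banned too, which is why adding your own public address to ignoreip sidesteps the problem for that one address without fixing the filter. The real fail2ban filter can be checked against your own log with fail2ban-regex before changing the jail.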