Copy dovecot-pop3imap.conf to dovecot-pop3imap.local. Edit dovecot-pop3imap.local and add to the failregex: dovecot:.+auth failed.+rip=<HOST>
Then run: fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local and see if you get any matches.
Bill
On 12/16/2017 6:56 PM, voytek@sbt.net.au wrote:
I'm trying to set up and test fail2ban with dovecot.
I've installed fail2ban and copied the config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
attempted multiple mail accesses with a wrong password, but get this:
# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc
     19     367    3749
and
Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=
Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=
Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=
Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=

# cat dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago
     Docs: man:fail2ban(1)
  Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS)
  Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 2039 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service...
Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7
Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode
Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service.
Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
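As an added example (not from this thread, nor fail2ban's or Dovecot's own code), the Python below reproduces what the suggested fail2ban-regex check does: it applies the wiki failregex quoted above to constructed log lines shaped like the quoted dovecot.log entries and to a constructed syslog-style line, next to an assumed variant that tolerates the "Info:" log-level token Dovecot writes into its own log file. The HOST expansion, the date-prefix stripping and every sample line are assumptions made here for the demonstration.

```python
import re

# What fail2ban substitutes for the <HOST> tag (assumed; matches IPv4/IPv6, optional ::ffff:).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex exactly as quoted from the thread's dovecot-pop3imap.conf.
WIKI_FAILREGEX = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Assumed variant (not from the thread): allow an optional "Info: "/"Warning: " log-level
# token, which Dovecot emits when it writes its own log file instead of logging via syslog.
LEVEL_TOLERANT_FAILREGEX = (
    r"(?:pop3-login|imap-login): (?:\w+: )?(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=" + HOST + r",.*"
)

# fail2ban strips the timestamp before applying failregex; emulate the "Mon DD HH:MM:SS " form.
DATE_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed lines modelled on the ones quoted above (Dovecot writing its own log file).
DOVECOT_FILE_LINES = [
    "Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): "
    "user=<someone>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<x1>",
    "Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): "
    "user=<someone>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<x2>",
]

# Constructed line in the syslog form (assumed) that the wiki regex was written for.
SYSLOG_LINES = [
    "Dec 17 09:55:03 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): "
    "user=<someone>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<x3>",
]


def extract_hosts(failregex, lines):
    """Return the host captured from each line that failregex matches, in input order."""
    pattern = re.compile(failregex)
    hosts = []
    for line in lines:
        body = DATE_PREFIX.sub("", line, count=1)  # same pre-processing fail2ban performs
        m = pattern.search(body)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, rx in (("wiki", WIKI_FAILREGEX), ("level-tolerant", LEVEL_TOLERANT_FAILREGEX)):
        print(name, "dovecot.log:", extract_hosts(rx, DOVECOT_FILE_LINES),
              "syslog:", extract_hosts(rx, SYSLOG_LINES))
```

An empty list for the wiki regex against the dovecot.log-style lines is the same "Total failed: 0" the jail status shows; the "Info:" token between "imap-login:" and "Disconnected" is what stops the match.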