fail2ban dovecot setup
I'm trying to set up and test fail2ban with dovecot.
I've installed fail2ban and copied the config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
attempted multiple mail accesses with a wrong password, but get this:
# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc
     19     367    3749
and
Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=
Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=
Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=
Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=

# cat dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago
     Docs: man:fail2ban(1)
  Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS)
  Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 2039 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service...
Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7
Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode
Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service.
Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
On 17.12.2017 at 00:56, voytek@sbt.net.au wrote:
I'm trying to set up and test fail2ban with dovecot.
Did you enable the dovecot service in fail2ban? By default all jails are disabled.
/etc/fail2ban/jail.conf:
[dovecot]
enabled = true
-- Alex JOST
On Mon, December 18, 2017 3:06 am, Alex JOST wrote:
Did you enable the dovecot service in fail2ban? By default all jails are disabled.
/etc/fail2ban/jail.conf:
[dovecot]
enabled = true
Alex, thanks
no, not in jail.conf, I've put it in the (1) /etc/fail2ban/jail.local
I've also added postfix, that seems to work:
I've made failed test logins to dovecot and postfix from a phone/cell connection, I think? The postfix one worked, but nothing registered on dovecot. Do you know where f2b places bad IPs? I saw them listed on 'status', but couldn't find them in /etc/hosts.deny, not sure if they're meant to be there. [and, the device, after failing smtp, could still access http, so not sure if my testing is valid]
# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   dovecot-pop3imap, postfx-sasl
# fail2ban-client status postfx-sasl
Status for the jail: postfx-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     57
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 1
   |- Total banned:     7
   `- Banned IP list:   201.249.46.118
# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
(1) # cat jail.local
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/dovecot.log
maxretry = 5
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1 127.0.0.0/8

[postfx-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#        sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/maillog
bantime = 3600
maxretry = 5
ignoreip = 127.0.0.1 127.0.0.0/8
On 17.12.2017 at 20:08, voytek@sbt.net.au wrote:
I've made failed test logins to dovecot and postfix from a phone/cell connection, I think? The postfix one worked, but nothing registered on dovecot. Do you know where f2b places bad IPs? I saw them listed on 'status', but couldn't find them in /etc/hosts.deny, not sure if they're meant to be there. [and, the device, after failing smtp, could still access http, so not sure if my testing is valid]
We are using fail2ban with firewalld. In that case fail2ban creates 1 rule in the input_direct chain of iptables for each jail. You can use 'ipset list' to list all entries with their timeout.
-- Alex JOST
Copy dovecot-pop3imap.conf to dovecot-pop3imap.local. Edit dovecot-pop3imap.local and add to the failregex:
dovecot:.+auth failed.+rip=<HOST>

Then run:
fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local
and see if you get any matches.
Bill
On 12/16/2017 6:56 PM, voytek@sbt.net.au wrote:
I'm trying to set up and test fail2ban with dovecot.
On Mon, December 18, 2017 9:40 am, Bill Shirley wrote:
Copy dovecot-pop3imap.conf to dovecot-pop3imap.local. Edit dovecot-pop3imap.local and add to the failregex:
dovecot:.+auth failed.+rip=<HOST>

Then run:
fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local
and see if you get any matches.
Bill, thanks for trying to help, sorry for dumb question
shouldn't '.local' be in /etc/fail2ban/ rather than /etc/fail2ban/filter.d/ ?
I've copied it to /etc/fail2ban/, as that's where my other .local is ??
and, not sure where to add it; tried 3 different places, including at the end, but am getting:
in /etc/fail2ban/ (before addition)
# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

(after addition)
# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=<HOST>
ignoreregex =
# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/dovecot-pop3imap.local
Running tests

Use failregex file : /etc/fail2ban/dovecot-pop3imap.local
Traceback (most recent call last):
  File "/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: Unable to compile regular expression '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
Have you tried just using the filter dovecot.conf that comes with fail2ban?
# cat /etc/fail2ban/filter.d/dovecot.conf
......
failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( us$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authen$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
......
Gao
On 2017-12-16 15:56, voytek@sbt.net.au wrote:
I'm trying to set up and test fail2ban with dovecot.
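As an added example (not code from the thread or from fail2ban itself), the Python script below runs the wiki failregex quoted above, a variant that allows the "Info: " token the way the stock dovecot.conf filter does, and the comma-joined edit from the fail2ban-regex traceback against the log lines posted in the thread. The user and session values and the fifth failure line are constructed; the <HOST> expansion is the one visible in the traceback.

```python
import re
from collections import Counter

# fail2ban expands <HOST> to this pattern (it appears expanded in the traceback above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The wiki filter's failregex, exactly as posted in the thread.
WIKI_FAILREGEX = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)
# Same match, but allowing "Info: " after "imap-login:", as the stock dovecot.conf filter does.
FIXED_FAILREGEX = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected) "
    r"\(auth failed, \d+ attempts(?: in \d+ secs)?\):.*rip=<HOST>,"
)
# The comma-joined edit from the thread: one regex that defines the host group twice.
COMMA_JOINED = WIKI_FAILREGEX + r",dovecot:.+auth failed.+rip=<HOST>"
# Constructed sample: the four failures posted in the thread (user/session are placeholders),
# a fifth constructed failure, and one successful login that must not match.
FAIL = ("{ts} imap-login: Info: Disconnected (auth failed, 2 attempts in {n} secs): "
        "user=<test>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<s>")
SAMPLE_LOG = "\n".join([
    FAIL.format(ts="Dec 17 09:55:03", n=5), FAIL.format(ts="Dec 17 09:55:12", n=4),
    FAIL.format(ts="Dec 17 09:55:20", n=4), FAIL.format(ts="Dec 17 09:55:27", n=4),
    FAIL.format(ts="Dec 17 09:55:35", n=3),  # constructed fifth attempt
    "Dec 17 09:56:02 imap-login: Info: Login: user=<test>, method=PLAIN, "
    "rip=10.0.0.5, lip=163.47.110.7, TLS, session=<s>",
])

def compile_failregex(pattern):
    """Expand <HOST> as fail2ban does; raises re.error for a duplicated host group."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))

def compiles(pattern):
    try:
        compile_failregex(pattern)
        return True
    except re.error:
        return False

def failed_hosts(patterns, log):
    """rip= host of each line matched by any failregex entry (fail2ban reads one entry per line)."""
    regexes = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in log.splitlines():
        m = next(filter(None, (rx.search(line) for rx in regexes)), None)
        if m:
            hosts.append(m.group("host"))
    return hosts

def would_ban(patterns, log, maxretry=5):
    """Hosts with at least maxretry matches (findtime ignored; the sample spans 32 s)."""
    counts = Counter(failed_hosts(patterns, log))
    return sorted(h for h, c in counts.items() if c >= maxretry)
```

The wiki pattern yields no match on these lines and the comma-joined pattern does not compile at all, while the stock-style pattern, with the suggested second entry kept on its own line, finds all five failures.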
On Mon, December 18, 2017 12:50 pm, Gao wrote:
Have you tried just using the filter dovecot.conf that comes with fail2ban?
# cat /etc/fail2ban/filter.d/dovecot.conf
Gao, thanks
so do I just put enable in /etc/fail2ban/jail.local ?
# cat jail.local
[dovecot]
enabled = true
filter = dovecot
# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
(sorry, I'm using the structure I had on the old server, it seems to work with smtp auth, so I thought that's the correct way to do it)
# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   dovecot, postfx-sasl
# fail2ban-client status postfx-sasl
Status for the jail: postfx-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   120.150.227.127 125.126.168.42
thanks for all the help, I went back to the old server's config, and, it worked as is, so that will do for now:
# fail2ban-client status dovecot-iredmail
Status for the jail: dovecot-iredmail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.144.106.60
#
Chain f2b-dovecot (1 references)
target     prot opt source               destination
REJECT     all  --  1.144.106.60         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
participants (4): Alex JOST, Bill Shirley, Gao, voytek@sbt.net.au