ot: fail2ban dovecot setup

older
Shared mailboxes ACL's in MySQL,...

voytek＠sbt.net.au

17 Dec 2017 17 Dec '17

1:56 a.m.

I'm trying to setup and test fail2ban with dovecot

I've installed fail2ban, I've copied config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,

attempted multiple mail access with wrong password, but, get this:

# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc 19 367 3749

and

Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=

# cat dovecot-pop3imap.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =

# systemctl status fail2ban ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago Docs: man:fail2ban(1) Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS) Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS) Main PID: 2039 (fail2ban-server) CGroup: /system.slice/fail2ban.service └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service... Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7 Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service. Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service. Hint: Some lines were ellipsized, use -l to show in full.

Show replies by date

Alex JOST

17 Dec 17 Dec

6:06 p.m.

Am 17.12.2017 um 00:56 schrieb voytek@sbt.net.au:

...

I'm trying to setup and test fail2ban with dovecot

I've installed fail2ban, I've copied config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,

attempted multiple mail access with wrong password, but, get this:

# fail2ban-client status dovecot-pop3imap Status for the jail: dovecot-pop3imap |- Filter | |- Currently failed: 0 | |- Total failed: 0 | - File list: /var/log/dovecot.log - Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:

# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc 19 367 3749

and

Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=

# cat dovecot-pop3imap.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =

# systemctl status fail2ban ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago Docs: man:fail2ban(1) Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS) Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS) Main PID: 2039 (fail2ban-server) CGroup: /system.slice/fail2ban.service └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service... Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7 Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service. Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service. Hint: Some lines were ellipsized, use -l to show in full.

Did you enable the dovecot service in fail2ban? By default all jails are disabled.

/etc/fail2ban/jail.conf: [dovecot] enabled = true

-- Alex JOST

voytek＠sbt.net.au

9:08 p.m.

On Mon, December 18, 2017 3:06 am, Alex JOST wrote:

...

Did you enable the dovecot service in fail2ban? By default all jails are disabled.

/etc/fail2ban/jail.conf: [dovecot] enabled = true

Alex, thanks

no, not in jail.conf, I've put it in the (1) /etc/fail2ban/jail.local

I've also added postfix, that seems to work:

I've made test failed dovecot and postfix from phone/cell connection, I think? postfix one worked, but, nothing registered on dovecot do you know where f2b places bad IPs ? I saw them listed on 'status;, but, couldn't find them in /etc/hosts.deny, not sure if they meant to be there. [and, the device, after failing smtp, could still access http, so not sure if my testing is valid]

# fail2ban-client status Status |- Number of jail: 2 `- Jail list: dovecot-pop3imap, postfx-sasl

(1) # cat jail.local [dovecot-pop3imap] enabled = true filter = dovecot-pop3imap action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp] logpath = /var/log/dovecot.log maxretry = 5 findtime = 300 bantime = 3600 ignoreip = 127.0.0.1 127.0.0.0/8

[postfx-sasl] enabled = true filter = postfix-sasl action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] # sendmail[name=Postfix, dest=you@mail.com] logpath = /var/log/maillog bantime = 3600 maxretry = 5 ignoreip = 127.0.0.1 127.0.0.0/8

Alex JOST

18 Dec 18 Dec

10:23 a.m.

Am 17.12.2017 um 20:08 schrieb voytek@sbt.net.au:

...

I've made test failed dovecot and postfix from phone/cell connection, I think? postfix one worked, but, nothing registered on dovecot do you know where f2b places bad IPs ? I saw them listed on 'status;, but, couldn't find them in /etc/hosts.deny, not sure if they meant to be there. [and, the device, after failing smtp, could still access http, so not sure if my testing is valid]

We are using fail2ban with firewalld. In that case fail2ban creates 1 rule in the input_direct chain of iptables for each jail. You can use 'ipset list' to list all entries with their timeout.

-- Alex JOST

Bill Shirley

12:40 a.m.

Copy dovecot-pop3imap.conf to dovecot-pop3imap.local. Edit dovecot-pop3imap.local and add to the failregex: dovecot:.+auth failed.+rip=<HOST>

Then run: fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local and see if you get any matches.

Bill

On 12/16/2017 6:56 PM, voytek@sbt.net.au wrote:

...

I'm trying to setup and test fail2ban with dovecot

I've installed fail2ban, I've copied config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,

attempted multiple mail access with wrong password, but, get this:

# fail2ban-client status dovecot-pop3imap Status for the jail: dovecot-pop3imap |- Filter | |- Currently failed: 0 | |- Total failed: 0 | - File list: /var/log/dovecot.log - Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:

# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc 19 367 3749

and

Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=

# cat dovecot-pop3imap.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =

# systemctl status fail2ban ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago Docs: man:fail2ban(1) Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS) Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS) Main PID: 2039 (fail2ban-server) CGroup: /system.slice/fail2ban.service └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service... Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7 Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service. Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service. Hint: Some lines were ellipsized, use -l to show in full.

voytek＠sbt.net.au

10:04 p.m.

On Mon, December 18, 2017 9:40 am, Bill Shirley wrote:

...

Copy dovecot-pop3imap.conf to dovecot-pop3imap.local. Edit dovecot-pop3imap.local and add to the failregex: dovecot:.+auth failed.+rip=<HOST>

Then run: fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local and see if you get any matches.

Bill, thanks for trying to help, sorry for dumb question

shouldn't '.local' be in /etc/fail2ban/ rather than /etc/fail2ban/filter.d/ ?

I've copied it to /etc/fail2ban/, as that's where my other .local is ??

and, not sure where to add, tried 3 different places, including at the end, but, getting:

in /etc/fail2ban/ (before addition) # cat dovecot-pop3imap.local [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =

# cat dovecot-pop3imap.local [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=<HOST> ignoreregex =

# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/dovecot-pop3imap.local

Running tests

Use failregex file : /etc/fail2ban/dovecot-pop3imap.local Traceback (most recent call last): File "/bin/fail2ban-regex", line 34, in <module> exec_command_line() File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line if not fail2banRegex.start(opts, args): File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start if not self.readRegex(cmd_regex, 'fail'): File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex 'add%sRegex' % regextype.title())(regex.getFailRegex()) File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex raise e fail2ban.server.failregex.RegexException: Unable to compile regular expression '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

Gao

3:50 a.m.

Have you tried just using the the filter dovecot.conf come with the fail2ban?

# cat /etc/fail2ban/filter.d/dovecot.conf

...... failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:$dovecot:auth$)?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ $]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)$:( us$ ^%(__prefix_line)s(?:Info|dovecot: auth$default$|auth-worker$\d+$): pam$\S+,<HOST>$: pam_authenticate failed: (User not known to the underlying authentication module: \d+ Time$s$|Authen$ ^%(__prefix_line)s(?:auth|auth-worker$\d+$): (?:pam|passwd-file)$\S+,<HOST>$: unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker$\d+$): Info: ldap$\S*,<HOST>,\S*$: invalid credentials\s*$ ......

Gao

On 2017-12-16 15:56, voytek@sbt.net.au wrote:

...

I'm trying to setup and test fail2ban with dovecot

I've installed fail2ban, I've copied config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,

attempted multiple mail access with wrong password, but, get this:

# fail2ban-client status dovecot-pop3imap Status for the jail: dovecot-pop3imap |- Filter | |- Currently failed: 0 | |- Total failed: 0 | - File list: /var/log/dovecot.log - Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:

# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc 19 367 3749

and

Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session= Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=

# cat dovecot-pop3imap.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =

# systemctl status fail2ban ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago Docs: man:fail2ban(1) Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS) Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS) Main PID: 2039 (fail2ban-server) CGroup: /system.slice/fail2ban.service └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service... Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7 Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service. Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service. Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service. Hint: Some lines were ellipsized, use -l to show in full.

voytek＠sbt.net.au

10:20 p.m.

On Mon, December 18, 2017 12:50 pm, Gao wrote:

...

Have you tried just using the the filter dovecot.conf come with the fail2ban?

# cat /etc/fail2ban/filter.d/dovecot.conf

Gao, thanks

so do I just put enable in /etc/fail2ban/jail.local ?

# cat jail.local [dovecot] enabled = true filter = dovecot

(sorry, I'm structure what I had on old server, it seems to work with smtp auth, so I thought that's correct way to do)

# fail2ban-client status Status |- Number of jail: 2 `- Jail list: dovecot, postfx-sasl

voytek＠sbt.net.au

20 Dec 20 Dec

11:20 p.m.

thanks for all the help, I went back to the old server's config, and, it worked as is, so that will do for now:

Chain f2b-dovecot (1 references) target prot opt source destination REJECT all -- 1.144.106.60 anywhere reject-with icmp-port-unreachable RETURN all -- anywhere anywhere

2480

Age (days ago)

2484

Last active (days ago)

List overview

8 comments

4 participants

participants (4)

Alex JOST
Bill Shirley
Gao
voytek＠sbt.net.au

ot: fail2ban dovecot setup

Running tests

Gao

tags

participants (4)