On Apr 9, 2019, at 9:03 AM, Mauricio Tavares via dovecot dovecot@dovecot.org wrote:

In https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.dovecot.org_HowTo_Fail2Ban&d=DwIBaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=pvPczF9hPXSNtmAKNFK4BCXvgxuaUKHd2Ur3lh4S7qQ&s=_kg3Hgc3N8Dk4K_fGw94IDAeC1tvlMTQ9w3Ocfzm3Ts&e=, for a current (I know for a fact in 2.2.36) I believe it should be

filter = dovecot

instead of

filter = dovecot-pop3imap

[root@mail ~]# ls -l /etc/fail2ban/filter.d/doveco*

-rw-r--r-- 1 root root 1875 May 11 2017 /etc/fail2ban/filter.d/dovecot.conf

I believe that’s a different jail:

diff /etc/fail2ban/filter.d/dovecot-pop3imap.conf /etc/fail2ban/filter.d/dovecot.conf 0a1,7

# Fail2Ban filter Dovecot authentication and pop3/imap server #

[INCLUDES]

before = common.conf

2,3c9,47 < failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST> < ignoreregex =

_auth_worker = (?:dovecot: )?auth(?:-worker)? _daemon = (?:dovecot(?:-auth)?|auth)

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$

failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=\S*)?\s*$ ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$ ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$ ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)\s*$

mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

mdre-normal =

# Parameter mode - normal or aggressive. # Aggressive mode can be used to match log-entries like: # 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'. # Note it may produce lots of false positives on misconfigured MTAs. # Ex.: # filter = dovecot[mode=aggressive] mode = normal

ignoreregex =

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N {^LN-BEG}

# DEV Notes: # * the first regex is essentially a copy of pam-generic.conf # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) # # Author: Martin Waschbuesch # Daniel Black (rewrote with begin and end anchors) # Martin O'Neal (added LDAP authentication failure regex) # Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)