[Dovecot] Fail2ban and logging
Hello,
Dovecot is logging authentication failures this way:
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
Fail2ban is trying to catch them with this regex:
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
This way fail2ban is counting 22 attempts as 1 attempt...
I expect I need to change something in the logging, so that every attempt is logged separately. But I don't know how.
Is there somebody here who knows how to get fail2ban working correctly?
No help on this on the wikis: http://wiki1.dovecot.org/HowTo/Fail2Ban http://wiki1.dovecot.org/Logging http://www.fail2ban.org/wiki/index.php/Dovecot
With regards, Paul van der Vlis.
-- Paul van der Vlis Linux systeembeheer, Groningen http://www.vandervlis.nl/
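The problem described above is that Dovecot's login process, by default, reports a whole run of failures from one connection as a single "auth failed, N attempts in M secs" line, and the failregex in the post matches that line exactly once, so fail2ban counts it as one failure regardless of N. The following Python script is an added illustration, not code from the thread or from the fail2ban project: it runs the post's own failregex over a few constructed log lines (the aggregated line from the post, two single-attempt lines modelled on later messages in the thread, and one disallowed-plaintext line), counts matches per source address the way the thread describes fail2ban doing it, and then counts again with the "N attempts" figure taken into account. The function names, the sample session ids and the `maxretry` value are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in this thread.
# Session ids on the pop3 lines are made up; the rest follows the posts.
SAMPLE_LOG = """\
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=<constructed01>
Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=<constructed02>
Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=219.84.103.232, lip=72.52.113.38, session=<RBK6hFjhggDbVGfo>
"""

# The failregex from the post, written as a plain Python regex. fail2ban's
# <HOST> tag is already spelled out here as the named group (?P<host>...).
FAILREGEX = re.compile(
    r".*(?:pop3-login|imap-login):.*"
    r"(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Extracts the attempt count Dovecot folds into one aggregated line.
ATTEMPTS = re.compile(r"auth failed, (?P<n>\d+) attempts in \d+ secs")


def count_lines(log):
    """One failure per matching line, which is how the thread describes
    fail2ban counting: the '22 attempts' line becomes a single failure."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def count_attempts(log):
    """Same matching, but each line is weighted by its 'N attempts' figure
    (lines without that figure count as one failure)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        a = ATTEMPTS.search(line)
        counts[m.group("host")] += int(a.group("n")) if a else 1
    return dict(counts)


def hosts_over_threshold(counts, maxretry):
    """Sorted list of source addresses whose failure count reaches maxretry
    (the assumed fail2ban threshold for this example)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    maxretry = 5
    print("per line:   ", count_lines(SAMPLE_LOG),
          "->", hosts_over_threshold(count_lines(SAMPLE_LOG), maxretry))
    print("per attempt:", count_attempts(SAMPLE_LOG),
          "->", hosts_over_threshold(count_attempts(SAMPLE_LOG), maxretry))
```

With an assumed maxretry of 5, the per-line count never reaches the threshold for 82.95.148.152 (one matching line), whereas the per-attempt count does (22). The disallowed-plaintext line is not matched by this failregex at all, since the pattern looks for "tried to use disabled", not "tried to use disallowed plaintext auth".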
On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
Hello,
Dovecot is logging authentication failures this way:
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
Is there a reason why you are allowing PLAIN text login (disable_plaintext_auth = no)?
I do not allow plaintext login and I get messages like:
Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=219.84.103.232, lip=72.52.113.38, session=<RBK6hFjhggDbVGfo>
I also have
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
and for secure login failures I get messages like:
Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<gpc>, method=APOP, rip=68.183.193.239, lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>
and in fail2ban I have
failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:
I'm running Dovecot 2.2.4, but the above hasn't changed for a long time.
-- Mark Sapiro mark@msapiro.net San Francisco Bay Area, California "The highway is for gamblers, better use your sense" - B. Dylan
On 14-07-13 20:52, Mark Sapiro wrote:
On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
Hello,
Dovecot is logging authentication failures this way:
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
Is there a reason why you are allowing PLAIN text login (disable_plaintext_auth = no)?
I use starttls, so it's no plaintext over the internet.
I do not allow plaintext login and I get messages like:
Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=219.84.103.232, lip=72.52.113.38, session=<RBK6hFjhggDbVGfo>
I also have
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
and for secure login failures I get messages like:
Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<gpc>, method=APOP, rip=68.183.193.239, lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>
and in fail2ban I have
failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:
I'm running Dovecot 2.2.4, but the above hasn't changed for a long time.
Are you blocked when you login a few times with a wrong password?
I expect your log will say something like "auth failed, 22 attempts in 30 secs", and fail2ban will see that as 1 authentication error, so will not block you.
With regards, Paul van der Vlis.
-- Paul van der Vlis Linux systeembeheer, Groningen http://www.vandervlis.nl/
On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
Are you blocked when you login a few times with a wrong password?
I expect your log will say something like "auth failed, 22 attempts in 30 secs", and fail2ban will see that as 1 authentication error, so will not block you.
I am blocked. The log says
Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 10 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
The difference may be that I am connecting to pop3s, port 995 with SSL, not port 110 with STARTTLS.
-- Mark Sapiro mark@msapiro.net San Francisco Bay Area, California "The highway is for gamblers, better use your sense" - B. Dylan
Hello Mark (and others),
On 16-07-13 05:00, Mark Sapiro wrote:
On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
Are you blocked when you login a few times with a wrong password?
I expect your log will say something like "auth failed, 22 attempts in 30 secs", and fail2ban will see that as 1 authentication error, so will not block you.
I am blocked. The log says
Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 10 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<mark>, method=APOP, rip=98.248.186.228, lip=72.52.113.16, TLS, session=
The difference may be that I am connecting to pop3s, port 995 with SSL, not port 110 with STARTTLS.
What surprises me is that every attempt is logged. With me the attempts are counted together. I think it's not very important which port or protocol is used.
With regards, Paul van der Vlis.
-- Paul van der Vlis Linux systeembeheer, Groningen http://www.vandervlis.nl/