Re: fail2ban setup centos 7 not picking auth fail?
On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
On 22-05-2020 10:38, Voytek Eymont wrote:
Hardly a Dovecot issue. Can you please post the output of this command? /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Adi,
thanks, what I get is:
# /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running tests
Use failregex filter file : dovecot, basedir: /etc/fail2ban Use datepattern : Default Detectors Use log file : /var/log/dovecot.log Use encoding : UTF-8
Results
Failregex: 5149 total |- #) [# of hits] regular expression | 2) [5149] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ `-
Ignoreregex: 0 total
Date template hits: |- [# of hits] date format | [338975] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)? `-
Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed [processed in 87.44 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 333826 lines
On 22-05-2020 15:45, Voytek Eymont wrote:
On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
On 22-05-2020 10:38, Voytek Eymont wrote:
Hardly a Dovecot issue. Can you please post the output of this command? /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Adi,
thanks, what I get is:
[...]
Results
Failregex: 5149 total
[...]
Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed [processed in 87.44 sec]
Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it it the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd' journal, or the regex doesn't match the journal entries. Try to comment out "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change. P.S. Let's try and keep the replies to the list :)
-- Adi Pircalabu
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.
Original Message
From: adi@ddns.com.au Sent: May 21, 2020 11:01 PM To: voytek@sbt.net.au Cc: dovecot@dovecot.org Subject: Re: fail2ban setup centos 7 not picking auth fail?
On 22-05-2020 15:45, Voytek Eymont wrote:
On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
On 22-05-2020 10:38, Voytek Eymont wrote:
Hardly a Dovecot issue. Can you please post the output of this command? /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Adi,
thanks, what I get is:
[...]
Results
Failregex: 5149 total
[...]
Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed [processed in 87.44 sec]
Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it it the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd' journal, or the regex doesn't match the journal entries. Try to comment out "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change. P.S. Let's try and keep the replies to the list :)
-- Adi Pircalabu
On Thu, 21 May 2020 23:22:04 -0700, lists stated:
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.
SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it.
-- Jerry
I leave well enough alone, but rev 2 got a new parser to allow more user control.
The documentation may be old. However the dovecot trigger does look for auth failed.
dovecot default imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1
I run a personal email server and have the luxury of geographically limiting access to all mail ports other than 25. (I use 587). So I get few attempts at logins. Then again I can't access my email in 99% of the world in addition from hosting companies and cloud servers.
Original Message
From: jerry@seibercom.net Sent: May 22, 2020 3:38 AM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: Re: fail2ban setup centos 7 not picking auth fail?
On Thu, 21 May 2020 23:22:04 -0700, lists stated:
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.
SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it.
-- Jerry
On Fri, 22 May 2020, Jerry wrote:
On Thu, 21 May 2020 23:22:04 -0700, lists stated:
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.
SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it.
That's the beauty of open source -- if you got time and skillz, you can roll up your sleeves and do it yourself. I peeked at the source, and it requires some Lex/Yacc coding. Even if you don't have those codng skills, you can probably make a good guess by looking at the .l/.y files.
The authors can make it a lot easier to extend if they externalize the patterns into runtime configuration like fail2ban does, rather than baking them into executables.
Joseph Tam jtam.home@gmail.com
Just to add another alternative while we're discussing the subject, I've got a soft spot for CSF as a replacement for fail2ban, and it has a lot of additional features as well.
https://www.configserver.com/cp/csf.htmlP.
On 22/05/2020 18.32, Jerry wrote:
On Thu, 21 May 2020 23:22:04 -0700, lists stated:
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.
SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it.
On Sat, May 23, 2020 at 11:55:33AM +0800, Plutocrat wrote:
On 22/05/2020 18.32, Jerry wrote:
On Thu, 21 May 2020 23:22:04 -0700, lists stated:
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. [..]
SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. [..] I have submitted documentation and requests to SSHGuard, but they have never acted upon them [..]
Just to add another alternative while we're discussing the subject, I've got a soft spot for CSF as a replacement for fail2ban, and it has a lot of additional features as well.
In case it matters to anyone reading this thread:
fail2ban and SSHGuard are free software (free as in freedom). GPL2+ and ISC respectively.
CSF seems to be non-free: https://download.configserver.com/csf/license.txt
-- A: When it messes up the order in which people normally read text. Q: When is top-posting a bad thing?
() ASCII ribbon campaign. Please avoid HTML emails & proprietary /\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.
On Fri, May 22, 2020 4:01 pm, Adi Pircalabu wrote:
Results
Failregex: 5149 total
[...]
Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed [processed in 87.44 sec]
Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it it the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd' journal, or the regex doesn't match the journal entries. Try to comment out "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change. P.S. Let's try and keep the replies to the list :)
Adi,
this is what I got, lot faster as well
Running tests
Use failregex filter file : dovecot, basedir: /etc/fail2ban Use datepattern : Default Detectors Use log file : /var/log/dovecot.log Use encoding : UTF-8
Results
Failregex: 5177 total |- #) [# of hits] regular expression | 2) [5177] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ `-
Ignoreregex: 0 total
Date template hits: |- [# of hits] date format | [343387] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)? `-
Lines: 343387 lines, 0 ignored, 5177 matched, 338210 missed [processed in 85.97 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 338210 lines
participants (7)
-
Adi Pircalabu
-
Jerry
-
Joseph Tam
-
lists
-
Plutocrat
-
Sam Kuper
-
Voytek Eymont