ot: fail2ban dovecot setup
Gao
gao at pztop.com
Mon Dec 18 03:50:11 EET 2017
Have you tried just using the filter dovecot.conf that comes with
fail2ban?
# cat /etc/fail2ban/filter.d/dovecot.conf
......
failregex =
    ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
    ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( us$
    ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authen$
    ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
    ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
......
Gao
On 2017-12-16 15:56, voytek at sbt.net.au wrote:
> I'm trying to set up and test fail2ban with dovecot
>
> I've installed fail2ban, I've copied the config from
> https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
>
> attempted multiple mail accesses with a wrong password, but get this:
>
> # fail2ban-client status dovecot-pop3imap
> Status for the jail: dovecot-pop3imap
> |- Filter
> | |- Currently failed: 0
> | |- Total failed: 0
> | `- File list: /var/log/dovecot.log
> `- Actions
> |- Currently banned: 0
> |- Total banned: 0
> `- Banned IP list:
>
> # grep 'auth fail' /var/log/dovecot.log | grep voytek at k | wc
> 19 367 3749
>
> and
>
> Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<bQ6mAX1gHcRur/an>
> Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<Osk5An1gAKVur/an>
> Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<xsq/An1gDN1ur/an>
> Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<RVUkA31gm4xur/an>
>
>
> # cat dovecot-pop3imap.conf
> [Definition]
> failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
> ignoreregex =
>
>
> # systemctl status fail2ban
> ● fail2ban.service - Fail2Ban Service
> Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
> Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago
> Docs: man:fail2ban(1)
> Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
> Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS)
> Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
> Main PID: 2039 (fail2ban-server)
> CGroup: /system.slice/fail2ban.service
> └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...
>
> Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service...
> Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657
> fail2ban.server [2...9.7
> Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657
> fail2ban.server [2...ode
> Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service.
> Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service.
> Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service.
> Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service.
> Hint: Some lines were ellipsized, use -l to show in full.
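As an added example (not code from this thread or from fail2ban), the script below runs the wiki regex quoted above and a cut-down pattern of my own, modelled only on the optional `(?:Info: )?` group visible in the bundled filter, against constructed log lines shaped like voytek's. The wiki pattern leaves no room for the `Info: ` token dovecot writes before `Disconnected`, which is consistent with the zero counts in the status output above.

```python
import re

# Filter regex from the dovecot wiki HowTo, as quoted in the thread (the one that matched nothing).
WIKI_FAILREGEX = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Example-only pattern, NOT fail2ban's shipped regex: it mirrors the optional "(?:Info: )?"
# group that the bundled filter.d/dovecot.conf carries and the wiki pattern lacks.
EXAMPLE_FAILREGEX = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected) "
    r"\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):"
    r".* rip=(?P<host>[^,\s]+),"
)

# Constructed sample log lines modelled on the ones pasted in the thread. fail2ban strips the
# timestamp before matching; searching the whole line here changes nothing because neither
# pattern is anchored at the start of the line.
SAMPLE_LOG = [
    "Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): "
    "user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<bQ6mAX1gHcRur/an>",
    "Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): "
    "user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<Osk5An1gAKVur/an>",
    # constructed: POP3 variant without the "Info: " prefix (older log format, matched by both)
    "Dec 17 10:01:44 pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): "
    "user=<bob>, method=PLAIN, rip=192.0.2.10, lip=163.47.110.7, session=<abc>",
    # constructed: a successful login must never be counted as a failure
    "Dec 17 10:02:00 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=163.47.110.7, TLS",
]


def extract_host(pattern: str, line: str):
    """Return the rip= address captured by `pattern`, or None when the line does not match."""
    m = re.search(pattern, line)
    return m.group("host") if m else None


def count_failures(pattern: str, lines):
    """Number of lines the filter would count as authentication failures (fail2ban's 'Total failed')."""
    return sum(1 for line in lines if extract_host(pattern, line) is not None)


if __name__ == "__main__":
    for name, pat in (("wiki", WIKI_FAILREGEX), ("example", EXAMPLE_FAILREGEX)):
        print(f"{name:8s} matched {count_failures(pat, SAMPLE_LOG)} of {len(SAMPLE_LOG)} lines")
```

The same check against the real log and the real filter is `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf`, which reports how many lines each failregex matched.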