ot: fail2ban dovecot setup

Gao gao at pztop.com
Mon Dec 18 03:50:11 EET 2017


Have you tried just using the the filter dovecot.conf come with the 
fail2ban?

# cat /etc/fail2ban/filter.d/dovecot.conf

......
failregex = 
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* 
rhost=<HOST>(?:\s+user=\S*)?\s*$
             ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted 
login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( 
in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( us$
             ^%(__prefix_line)s(?:Info|dovecot: 
auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): 
pam_authenticate\(\) failed: (User not known to the underlying 
authentication module: \d+ Time\(s\)|Authen$
             ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): 
(?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
             ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: 
ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
......

Gao

On 2017-12-16 15:56, voytek at sbt.net.au wrote:
> I'm trying to setup and test fail2ban with dovecot
> 
> I've installed fail2ban, I've copied config from
> https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
> 
> attempted multiple mail access with wrong password, but, get this:
> 
> # fail2ban-client status dovecot-pop3imap
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed:     0
> |  `- File list:        /var/log/dovecot.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
> 
> # grep 'auth fail' /var/log/dovecot.log | grep voytek at k | wc
>      19     367    3749
> 
> and
> 
> Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts 
> in
> 5 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167,
> lip=163.47.110.7, TLS, session=<bQ6mAX1gHcRur/an>
> Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts 
> in
> 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167,
> lip=163.47.110.7, TLS, session=<Osk5An1gAKVur/an>
> Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts 
> in
> 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167,
> lip=163.47.110.7, TLS, session=<xsq/An1gDN1ur/an>
> Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts 
> in
> 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167,
> lip=163.47.110.7, TLS, session=<RVUkA31gm4xur/an>
> 
> 
> # cat dovecot-pop3imap.conf
> [Definition]
> failregex = (?: pop3-login|imap-login): (?:Authentication 
> failure|Aborted
> login \(auth failed|Aborted login \(tried to use disabled|Disconnected
> \(auth failed).*rip=(?P<host>\S*),.*
> ignoreregex =
> 
> 
> # systemctl status  fail2ban
> ● fail2ban.service - Fail2Ban Service
>    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled;
> vendor preset: disabled)
>    Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago
>      Docs: man:fail2ban(1)
>   Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited,
> status=0/SUCCESS)
>   Process: 6024 ExecReload=/usr/bin/fail2ban-client reload 
> (code=exited,
> status=0/SUCCESS)
>   Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start 
> (code=exited,
> status=0/SUCCESS)
>  Main PID: 2039 (fail2ban-server)
>    CGroup: /system.slice/fail2ban.service
>            └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s
> /var/run/fail2ban/fail2ban.sock -p /var/ru...
> 
> Dec 16 22:35:14  systemd[1]: Starting Fail2Ban Service...
> Dec 16 22:35:14  fail2ban-client[2036]: 2017-12-16 22:35:14,657
> fail2ban.server         [2...9.7
> Dec 16 22:35:14  fail2ban-client[2036]: 2017-12-16 22:35:14,657
> fail2ban.server         [2...ode
> Dec 16 22:35:14  systemd[1]: Started Fail2Ban Service.
> Dec 17 09:21:51  systemd[1]: Reloaded Fail2Ban Service.
> Dec 17 09:22:52  systemd[1]: Reloaded Fail2Ban Service.
> Dec 17 09:31:40  systemd[1]: Reloaded Fail2Ban Service.
> Hint: Some lines were ellipsized, use -l to show in full.


More information about the dovecot mailing list