Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Fail2ban is installed (Ubuntu 14.04) and active, but it seems it does not ban clients trying to connect via IMAP. I did a test myself, trying to connect with IMAP with a wrong password more than 10 times.
Code: Select all
iptables -S
shows no ban and of course I'm not prevented from trying again. Any ideas what is wrong?
The contents of /etc/fail2ban/jail.local are the defaults:
Code: Select all
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/auth.log
maxretry = 5
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = vesta[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 5
[exim-iptables]
enabled = true
filter = exim
action = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
[dovecot-iptables]
enabled = true
filter = dovecot
action = vesta[name=MAIL]
logpath = /var/log/dovecot.log
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = vesta[name=DB]
logpath = /var/log/mysql.log
maxretry = 5
[vesta-iptables]
enabled = true
filter = vesta
action = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 5
------------------------------
I also found out that authorization failures in exim wouldn't result in a ban.
Last edited by Felix on Sun Aug 09, 2015 10:05 pm, edited 2 times in total.
Re: Fail2ban & Dovecot - No ban
It seems the dovecot filter regex has errors.
In the filter file /etc/fail2ban/filter.d/dovecot.conf I added the correct regex I found at the dovecot wiki. Now the filter file is exactly like this, and IT WORKS for both IMAP and POP3!!
Code: Select all
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * the last (unanchored) failregex line is the one added in this post from the dovecot wiki;
#   continuation lines of a multi-line value must be indented for fail2ban's config parser
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
Done with the help of regex101 :-)
Log file entry that MATCHES the regex:
Code: Select all
Aug 09 22:13:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=LOGIN, rip=8.8.8.8, lip=8.8.4.4, TLS: Disconnected, session=<w/3vqOUcaADU+2w5>
The fail2ban exim filter was also not working. After adding the following regex to /etc/fail2ban/filter.d/exim.conf, fail2ban started working:
Code: Select all
\[<HOST>\]: 535 Incorrect authentication data
Here are the final contents of the file:
Code: Select all
# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf
[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
            \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =
# DEV Notes:
# The %(host_info)s definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
# to avoid capturing beyond ")" and a DoS injection vulnerability, as input= is
# user injectable data.
# The last (unanchored) failregex line is the one added in this post.
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
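To see why the stock dovecot failregex quoted above missed the Ubuntu 14.04 log line while the added line catches it, here is a small Python harness (an added example, not code from this post or from fail2ban) that applies both regexes to constructed sample lines. The `<HOST>` expansion, the date stripping and the `%(__prefix_line)s` stand-in are simplified approximations of what fail2ban does, not its real definitions, and the sample lines are constructed: the first mirrors the log entry quoted above with a placeholder address, the second reorders its trailing fields.

```python
import re

# Simplified stand-ins (assumptions, not fail2ban's own definitions):
# fail2ban removes the matched date before applying failregex, and
# common.conf's %(__prefix_line)s absorbs syslog/daemon prefixes. Here
# DATE_RE strips the timestamp and PREFIX allows an optional hostname
# and an optional "dovecot:" tag. HOST approximates fail2ban's <HOST>
# expansion (a named group 'host'), without its IPv6-mapping prefix.
DATE_RE = re.compile(r'^(?:\w{3} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)')
PREFIX = r'\s*(?:\S+ )?(?:dovecot: )?'
HOST = r'(?P<host>[\w\-.^_]*\w)'


def compile_failregex(pattern):
    """Turn one failregex line from a filter file into a Python regex."""
    pattern = pattern.replace('%(__prefix_line)s', PREFIX).replace('<HOST>', HOST)
    return re.compile(pattern)


# Stock line from the dovecot.conf quoted above (fail2ban's regex, copied verbatim).
STOCK = compile_failregex(
    r'^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? '
    r'\(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):'
    r'( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?'
    r'(, TLS( handshaking)?(: Disconnected)?)?\s*$')

# The line the post added to the filter (also copied verbatim).
ADDED = compile_failregex(
    r'(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|'
    r'Aborted login \(tried to use disabled|Disconnected \(auth failed|'
    r'Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*')


def match_host(regex, line):
    """Return the host fail2ban would ban for this line under this regex, or None."""
    m = regex.search(DATE_RE.sub('', line, count=1))
    return m.group('host') if m else None


# Constructed sample lines (not taken from a real server).
# UBUNTU_LINE mirrors the dovecot.log entry quoted in the thread, with a
# placeholder address: TLS comes before session=, and the session id
# contains '/' and '+'.
UBUNTU_LINE = ('Aug 09 22:13:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): '
               'user=<test@example.com>, method=LOGIN, rip=8.8.8.8, lip=8.8.4.4, '
               'TLS: Disconnected, session=<w/3vqOUcaADU+2w5>')
# REORDERED_LINE is the same event in the field order the stock regex expects.
REORDERED_LINE = ('Aug 09 22:13:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): '
                  'user=<test@example.com>, method=LOGIN, rip=8.8.8.8, lip=8.8.4.4, '
                  'session=<w3vqOUcaADU2w5>, TLS: Disconnected')


def report(lines):
    """Map each sample line to the host extracted by the stock and the added regex."""
    return {line: (match_host(STOCK, line), match_host(ADDED, line)) for line in lines}


if __name__ == '__main__':
    for line, (stock, added) in report([UBUNTU_LINE, REORDERED_LINE]).items():
        print('stock=%s added=%s  <- %s' % (stock, added, line[:60]))
```

The stock line fails on the first sample because it expects `session=<...>` before `TLS: ...` and only word characters in the session id, while this dovecot version logs `TLS: Disconnected, session=<w/3vq...>`; the reordered sample shows the same regex matching once the fields are in its expected order. The added line matches both, but it is unanchored and its `.*` runs across the attacker-controlled `user=<...>` field, so an anchored pattern is preferable once one fits the log format; the later upstream dovecot.conf quoted further down in this thread puts `session=` after `TLS` and allows `\S+` in the id.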
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Thanks, this solved my problem too.
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Was just wondering why fail2ban was only banning SSH brute force when the other services have issues too. Followed your info and fixed it, thanks a lot!
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Me too, just realized this issue.
I'm seeing lots of Dovecot failed logins / exim panic log / all show lots of unknown email attempts.
Realized that VESTACP's jail.local config doesn't have 'maxretry = 5' for [exim-iptables] & [dovecot-iptables].
I don't know what the actual reason is that the VESTA team missed out this row.
But once I added those into my jail.local config, all is fine now.
Ref: https://github.com/serghey-rodin/vesta/ ... jail.local
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Why don't they fix these bugs in a new version?
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Is this edit still needed?
Thanks
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
I have added the above to my config files but still get the below in exim mail.log, and failed login attempts are never blocked. Any ideas?
Code: Select all
2019-02-17 08:02:07 dovecot_login authenticator failed for (User) [94.152.56.115]: 535 Incorrect authentication data ([email protected])
My dovecot.conf looks like
Code: Select all
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
# Martin O'Neal (added LDAP authentication failure regex)
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
and exim.conf
Code: Select all
# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf
[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =
# DEV Notes:
# The %(host_info)s definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
# to avoid capturing beyond ")" and a DoS injection vulnerability, as input= is
# user injectable data.
# The last (unanchored) failregex line is the one added from this thread.
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
I see you're using CentOS. I haven't tested the config I proposed against that OS, so I can only give you generic advice, like:
- Make sure that the path and name of the log file are correctly set in fail2ban conf
- Make sure that fail2ban can read the log file (permissions)
- Use the fail2ban-regex command to check
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Thank you Felix, I have run fail2ban-regex; the result is below.
Now I'm lost, is that good or bad? I see 'fail' in there.
Code: Select all
[root@server1 ~]# fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex line : etc/fail2ban/filter.d/dovecot.conf
Traceback (most recent call last):
File "/usr/bin/fail2ban-regex", line 34, in <module>
exec_command_line()
File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
if not fail2banRegex.start(opts, args):
File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
if not self.readRegex(cmd_regex, 'fail'):
File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
'add%sRegex' % regextype.title())(regex.getFailRegex())
File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
raise e
fail2ban.server.failregex.RegexException: No 'host' group in 'etc/fail2ban/filter.d/dovecot.conf'
[root@server1 ~]#
Also in /var/log/exim/main.log I see lots of entries as below (xx.xxx.xx.xxx = attacking IP address). Could that make a difference?
Code: Select all
no host name found for IP address xx.xxx.xx.xxx
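Two things a practitioner would check here before touching the regexes again. First, `fail2ban-regex` treats its second argument as a filter file only when that path exists; `etc/fail2ban/filter.d/dovecot.conf` has no leading slash, so run from /root it does not resolve and the string is taken as a literal regex, which has no `<HOST>` group, and that is exactly the `No 'host' group` error in the traceback above. Rerunning with the absolute path `/etc/fail2ban/filter.d/dovecot.conf` is the first step. Second, `no host name found for IP address` is exim noting a failed reverse DNS lookup; it is not an authentication failure and no failregex in the thread targets it. The harness below is an added example (not code from the thread or from fail2ban) that applies the three `535 Incorrect authentication data` patterns from the exim.conf files quoted in this thread to constructed lines carrying the `dovecot_login` authenticator name, plus an anchored variant of my own that accepts both trailing forms; that variant, the `%(pid)s` and `<HOST>` stand-ins, the date stripping and the sample lines (which use RFC 5737 documentation addresses) are all assumptions for illustration.

```python
import re

# Simplified stand-ins (assumptions, not exim-common.conf's definitions):
# fail2ban removes the matched date before applying failregex; %(pid)s is
# an optional " [nnn]" and <HOST> expands to a named group 'host'.
PID = r'(?: \[\d+\])?'
HOST = r'(?P<host>[\w\-.^_]*\w)'
DATE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d')


def compile_failregex(pattern):
    """Turn one failregex line from a filter file into a Python regex."""
    return re.compile(pattern.replace('%(pid)s', PID).replace('<HOST>', HOST))


# Copied verbatim from the exim.conf files quoted in the thread.
OLD_UPSTREAM = compile_failregex(
    r'^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: '
    r'535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$')
NEW_UPSTREAM = compile_failregex(
    r'^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?'
    r'(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$')
BARE = compile_failregex(r'\[<HOST>\]: 535 Incorrect authentication data')

# Suggested variant (assumption, not from fail2ban): anchored like NEW_UPSTREAM
# but tolerant of a trailing "(...)" with or without "set_id=".
ANCHORED_BOTH = compile_failregex(
    r'^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?'
    r'(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data'
    r'(?: \((?:set_id=)?\S*\)|: \d+ Time\(s\))?\s*$')


def match_host(regex, line):
    """Return the host fail2ban would ban for this line under this regex, or None."""
    m = regex.search(DATE_RE.sub('', line, count=1))
    return m.group('host') if m else None


# Constructed sample lines with documentation addresses; SET_ID_LINE uses the
# "(set_id=...)" tail, NO_SET_ID_LINE the bare "(...)" tail that the line
# quoted in the thread appears to carry.
SET_ID_LINE = ('2019-02-17 08:02:07 dovecot_login authenticator failed for (User) [192.0.2.10]: '
               '535 Incorrect authentication data (set_id=user@example.com)')
NO_SET_ID_LINE = ('2019-02-17 08:02:07 dovecot_login authenticator failed for (User) [192.0.2.10]: '
                  '535 Incorrect authentication data (user@example.com)')

REGEXES = {'old_upstream': OLD_UPSTREAM, 'new_upstream': NEW_UPSTREAM,
           'bare': BARE, 'anchored_both': ANCHORED_BOTH}


def report(line):
    """Map each regex name to the host it extracts from the line (None = no match)."""
    return {name: match_host(rx, line) for name, rx in REGEXES.items()}


if __name__ == '__main__':
    for line in (SET_ID_LINE, NO_SET_ID_LINE):
        print(line)
        for name, host in report(line).items():
            print('  %-14s %s' % (name, host))
```

The 2015 upstream line only knows the `plain` and `login` authenticator names, so it never matches `dovecot_login`; the 2018 upstream line accepts any `\w+` name but, being anchored, only matches when the tail is `(set_id=...)`. The bare line matches anywhere in the message at the cost of the anchoring that the filter's own DEV note recommends, since the text after `535` is attacker-influenced; the anchored variant keeps the anchors and still accepts both tails. Whatever pattern is chosen, confirm it with `fail2ban-regex` against the real log file, using absolute paths for both arguments.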