Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Felix
Posts: 103
Joined: Tue Aug 04, 2015 7:15 pm

Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Postby Felix » Sun Aug 09, 2015 12:41 pm

Fail2ban is installed (Ubuntu 14.04) and active, but it seems it does not ban clients trying to connect via IMAP. I did a test myself, trying to connect with IMAP but with a wrong password, more than 10 times.

iptables -S

shows no ban and of course I'm not prevented from trying again.


The contents of /etc/fail2ban/jail.local are the defaults


[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/auth.log
maxretry = 5

[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = vesta[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 5

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysql.log
maxretry = 5

[vesta-iptables]
enabled = true
filter  = vesta
action  = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 5


Any ideas what is wrong?

------------------------------
I also found out that authorization failures in exim wouldn't result in a ban.
Last edited by Felix on Sun Aug 09, 2015 10:05 pm, edited 2 times in total.

Felix
Posts: 103
Joined: Tue Aug 04, 2015 7:15 pm

Re: Fail2ban & Dovecot - No ban

Postby Felix » Sun Aug 09, 2015 8:05 pm

It seems the dovecot filter regex has errors.

In the filter file

/etc/fail2ban/filter.d/dovecot.conf

I added the correct regex I found at the dovecot wiki. Now the filter file is exactly like this:


# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*

ignoreregex =

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)

... and IT WORKS for both IMAP and POP3!!

Done with the help of regex101 :-)

Log file entry that MATCHES the regex:


Aug 09 22:13:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<xx@x.com>, method=LOGIN, rip=8.8.8.8, lip=8.8.4.4, TLS: Disconnected, session=<w/3vqOUcaADU+2w5>


------------------------------------------------------------------------------
The fail2ban exim filter was also not working:

/etc/fail2ban/filter.d/exim.conf

After adding the following regex to the above file, fail2ban started working:


\[<HOST>\]: 535 Incorrect authentication data


Here are the final contents of the file:


# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
             ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
             \[<HOST>\]: 535 Incorrect authentication data

ignoreregex =

# DEV Notes:
# The %(host_info) definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to avoid capture beyond ")" and so avoid a DoS injection vulnerability, as input= is
# user-injectable data.
#
# Author: Cyril Jaquier
#         Daniel Black (rewrote with strong regexs)

pandabb
Posts: 192
Joined: Sat Aug 08, 2015 3:03 am

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Postby pandabb » Thu Feb 18, 2016 10:24 am

Thanks, this solved my problem too.

KhaoMaNee
Posts: 12
Joined: Thu Feb 26, 2015 5:58 am

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Postby KhaoMaNee » Fri Sep 30, 2016 3:25 am

Was just wondering why fail2ban was only banning SSH brute force when the other services have issues too. Followed your info and fixed it, thanks a lot!

maniekandan55
Posts: 23
Joined: Sun Jan 31, 2016 4:14 am

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Postby maniekandan55 » Mon Feb 27, 2017 11:33 am

Me too, I just realized this issue.
I'm seeing a lot of Dovecot failed logins / exim panic log / all show a lot of unknown email attempts.
Realized that VestaCP's jail.local config doesn't have 'maxretry = 5' for '[exim-iptables]' & '[dovecot-iptables]'.

I don't know what actual reason the VESTA team has for this missed-out row.
But once I added those into my jail.local config, all is fine now.

Ref: https://github.com/serghey-rodin/vesta/blob/master/install/ubuntu/16.04/fail2ban/jail.local
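One way to audit a jail.local for the gap this reply describes, as an added example that is neither VestaCP's nor fail2ban's code. The embedded jail.local is a constructed copy of the shape quoted earlier in the thread; fail2ban reads jail.conf first and overlays jail.local, so a jail that sets no `maxretry` of its own inherits the `[DEFAULT]` value from those files, and the `builtin_default` argument here is an assumption standing in for whatever your jail.conf `[DEFAULT]` actually says.

```python
import configparser

# Constructed jail.local in the shape the thread quotes (not copied from a live
# system); the exim and dovecot jails have no maxretry line of their own.
JAIL_LOCAL = """\
[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/auth.log
maxretry = 5

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysql.log
maxretry = 5
"""


def load_jails(text):
    """Parse jail.local. [DEFAULT] is treated as an ordinary section so that
    has_option() reports only what a jail sets itself; the fallback is then
    resolved explicitly in effective_value()."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__no_defaults__")
    cp.read_string(text)
    return cp


def enabled_jails(cp):
    """Names of jails whose 'enabled' is true, in file order."""
    return [s for s in cp.sections() if s != "DEFAULT" and cp.getboolean(s, "enabled", fallback=False)]


def jails_missing(cp, key):
    """Enabled jails that do not set `key` themselves."""
    return [s for s in enabled_jails(cp) if not cp.has_option(s, key)]


def effective_value(cp, jail, key, builtin_default):
    """Value a jail ends up with: its own setting, else the file's [DEFAULT],
    else the assumed built-in default (placeholder for jail.conf's [DEFAULT])."""
    if cp.has_option(jail, key):
        return cp.get(jail, key)
    if cp.has_section("DEFAULT") and cp.has_option("DEFAULT", key):
        return cp.get("DEFAULT", key)
    return builtin_default


def audit(text, key="maxretry", builtin_default="<jail.conf DEFAULT>"):
    """Map each enabled jail to (effective value, whether it is set explicitly)."""
    cp = load_jails(text)
    return {j: (effective_value(cp, j, key, builtin_default), cp.has_option(j, key))
            for j in enabled_jails(cp)}


if __name__ == "__main__":
    for jail, (value, explicit) in audit(JAIL_LOCAL).items():
        note = "" if explicit else "   <- inherited, not set in jail.local"
        print(f"{jail:18} maxretry = {value}{note}")
```

The point of listing the inherited jails separately is that a jail can be enabled and its filter can match correctly, yet the ban threshold is still whatever a file you did not edit says, which is easy to overlook when only jail.local is reviewed.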

MiguelVESTACP
Posts: 14
Joined: Tue Sep 05, 2017 12:39 pm

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Postby MiguelVESTACP » Mon Oct 09, 2017 1:26 pm

Why don't they fix these bugs in a new version?
