Vesta Control Panel - Forum

Community Forum


Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

General questions about VestaCP
Felix
Posts: 134
Joined: Tue Aug 04, 2015 7:15 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Post by Felix » Mon Feb 18, 2019 11:54 am

It seems that your fail2ban-regex program is facing issues. I can't be sure if your fail2ban installation (or fail2ban-regex executable) is damaged or there is something else going on.

Here is a sample output:

Code:

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/dovecot.conf
Use         log file : /var/log/dovecot.log


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   2) [2] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5260] MONTH Day Hour:Minute:Second
`-

Lines: 5260 lines, 0 ignored, 2 matched, 5258 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 5258 lines

Notice the second-to-last line, where it says 2 matched. This means that the filter found 2 matches.

HenrysCat
Posts: 51
Joined: Sun Mar 25, 2018 7:25 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Post by HenrysCat » Mon Feb 18, 2019 10:11 pm

Oh, that does not sound good. Does it make a difference that SSH banning is working perfectly? Or is that nothing to do with regex?

HenrysCat
Posts: 51
Joined: Sun Mar 25, 2018 7:25 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Post by HenrysCat » Mon Feb 18, 2019 10:53 pm

I have also noticed in fail2ban.log

Code:

2019-02-18 22:44:12,091 fail2ban.filter         [3066]: INFO    [exim-iptables] Found 94.102.56.215

That is an attacking IP, but it's never banned.

Running 'fail2ban-client -d | grep mail' gives

Code:

['set', 'exim-iptables', 'addfailregex', '^(?: \\[\\d+\\])? SMTP call from \\S+ (?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sdropped: too many nonmail commands \\(last was "\\S+"\\)\\s*$']

HenrysCat
Posts: 51
Joined: Sun Mar 25, 2018 7:25 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Post by HenrysCat » Wed Feb 20, 2019 10:21 am

Making progress now. I re-added the extra lines from your second post (I put them in the wrong place, I think) to the dovecot.conf & exim.conf files, and some entries are getting banned, but not all.
An example from the log below gets banned:

Code:

2019-02-17 03:52:09 no host name found for IP address 94.102.56.215
2019-02-17 03:52:12 dovecot_login authenticator failed for (User) [94.102.56.215]: 535 Incorrect authentication data ([email protected])

and this entry does not get banned:

Code:

2019-02-20 09:57:51 no host name found for IP address 185.234.218.38
2019-02-20 09:57:53 dovecot_login authenticator failed for (76.67.34.12) [185.234.218.38]: 535 Incorrect authentication data (set_id=grace)

Any ideas?
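To see why a filter can catch the first pair of exim lines and miss the second, and to reproduce the "matched / missed" count that Felix's fail2ban-regex output reports, here is an added example (not Vesta's or fail2ban's own code). It replays constructed log lines modelled on the two entries above against a hypothetical narrow failregex and a broadened one, expanding `<HOST>` roughly the way fail2ban does; the two regexes and the simplified IPv4-only host template are assumptions, not the shipped filter.

```python
import re

# Simplified stand-in for fail2ban's <HOST> template (the real one also accepts
# hostnames and IPv6). Like fail2ban, it must define the named group "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical narrow filter (assumption, not Vesta's regex): it only fires when
# the token before the bracketed address is literally "(User)".
NARROW = (r"dovecot_login authenticator failed for \(User\) \[<HOST>\]: "
          r"535 Incorrect authentication data")

# Broadened filter: the parenthesised token may be any non-space text or absent,
# and the trailing reason may be an address or "set_id=...".
BROAD = (r"dovecot_login authenticator failed for (?:\(\S*\) )?\[<HOST>\]"
         r"(?::\d+)?: 535 Incorrect authentication data\b.*$")

# Constructed log lines modelled on the entries quoted in the post above.
LOG_LINES = [
    "2019-02-17 03:52:09 no host name found for IP address 94.102.56.215",
    "2019-02-17 03:52:12 dovecot_login authenticator failed for (User) "
    "[94.102.56.215]: 535 Incorrect authentication data (user@example.com)",
    "2019-02-20 09:57:51 no host name found for IP address 185.234.218.38",
    "2019-02-20 09:57:53 dovecot_login authenticator failed for (76.67.34.12) "
    "[185.234.218.38]: 535 Incorrect authentication data (set_id=grace)",
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into the named capture group before compiling."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex: str, lines) -> list:
    """Return the host captured from every line the failregex matches.

    Lines without a hit are what fail2ban-regex counts as 'missed'.
    """
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for name, rx in (("narrow", NARROW), ("broad", BROAD)):
        hits = matched_hosts(rx, LOG_LINES)
        print(f"{name}: {len(hits)} matched, "
              f"{len(LOG_LINES) - len(hits)} missed -> {hits}")
```

Running it shows the narrow pattern banning only 94.102.56.215 while the broadened one also catches 185.234.218.38; the real check is still `fail2ban-regex /var/log/exim/main.log /etc/fail2ban/filter.d/exim.conf` against the live filter.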

pablolp
Posts: 4
Joined: Wed Jul 25, 2018 1:07 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Post by pablolp » Fri Jul 17, 2020 3:13 pm

HenrysCat wrote (Mon Feb 18, 2019 7:28 am):

Thank you Felix, I have run fail2ban-regex; the result is below:

Code:

[root@server1 ~]# fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex line : etc/fail2ban/filter.d/dovecot.conf
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: No 'host' group in 'etc/fail2ban/filter.d/dovecot.conf'
[root@server1 ~]# 

Now I'm lost. Is that good or bad? I see 'fail' in there.

Also in var/log/exim/main.log I see lots of entries as below.

Code:

no host name found for IP address xx.xxx.xx.xxx
(xx.xxx.xx.xxx = attacking ip address)

Could that make a difference?

This is a syntax error if your actual dir is not / (root).

This may work:

Code:

fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf