Vesta Control Panel - Forum

Fail2Ban not working for Dovecot?

General questions about VestaCP
StopSpazzing
Posts: 9
Joined: Sun Nov 12, 2017 6:18 am

Fail2Ban not working for Dovecot?

Post by StopSpazzing » Fri Apr 20, 2018 12:36 am

After fully researching this, I can only come to the conclusion that either fail2ban isn't working right or I'm blind.

The issue:

Code:

Apr 17 12:57:19 auth: Info: passwd-file({{attempteduser}}@{{mydomain}},{{attackersip}}): unknown user

This appears in "spam" in the dovecot log. I have confirmed that fail2ban is ON, WORKING, and banning other matches such as vestacp login failures. Using the default filter from the vestacp Fail2Ban install:

Code:

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)

I DO have the dovecot filter enabled:

Code:

[DEFAULT]
ignoreip = 127.0.0.0/8

[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/auth.log
maxretry = 2

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = vesta[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 2

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
bantime = 86400
maxretry = 2

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log
bantime = 86400
maxretry = 2

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysql.log
maxretry = 2

[vesta-iptables]
enabled = true
filter  = vesta
action  = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 2

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
port     = http,https
logpath  = /var/log/roundcube/errors
maxretry = 3

I HAVE tested it against the dovecot.log; however, none of the regexes matches the issue I have (only 1 regex match over like 5000 entries). I am not a regex expert; however, after tons of research it SHOULD be matching unknown user by default, which you can see in the last regex line in the filter. So what's going on here? Need help to prevent this issue. Seems others online have the same problem and no one has a solution, but this doesn't make sense.

HenrysCat
Posts: 51
Joined: Sun Mar 25, 2018 7:25 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2Ban not working for Dovecot?

Post by HenrysCat » Sun Feb 17, 2019 9:59 pm

Did you ever find a solution to this?

Elfy
Posts: 11
Joined: Thu Aug 09, 2018 4:08 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Fail2Ban not working for Dovecot?

Post by Elfy » Wed May 15, 2019 11:38 pm

Same issue for me, would love to know if you found a solution.

dsystem
Posts: 55
Joined: Sun Nov 30, 2014 12:27 am

Os: CentOS 6x
Web: nginx + php-fpm
Re: Fail2Ban not working for Dovecot?

Post by dsystem » Thu May 16, 2019 11:41 pm

Check this post

viewtopic.php?f=12&t=17902&sid=5635e8cf ... 89c#p77591

Nadayan
Posts: 3
Joined: Fri May 17, 2019 8:19 am

Os: Ubuntu 13x
Web: apache
Re: Fail2Ban not working for Dovecot?

Post by Nadayan » Fri May 17, 2019 8:29 am

Yes, it should work, strange, really strange. Check the files, perhaps the problem is in them.

Zack
Posts: 1
Joined: Wed Dec 09, 2020 2:40 am

Os: Ubuntu 15x
Web: apache
Re: Fail2Ban not working for Dovecot?

Post by Zack » Wed Dec 09, 2020 2:48 am

I found the same: certain things about fail2ban were working, like the sshd, but not the dovecot protection. I ended up adding my own filter rules to the /etc/fail2ban/filters.d/dovecot.conf

Code:

^%(__prefix_line)sauth: Info: passwd-file\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s*$
^%(__prefix_line)sauth: Info: plain\(.*\,<HOST>\)\: invalid input\s*$
^%(__prefix_line)sauth: Info: login\(.*\,<HOST>\)\: Empty username\s*$
^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s*$

Adding those four lines just below the existing regexes in there caused me to pick up bans.

You can test your filters by running this command:

Code:

fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf --print-all-missed

Before it will take effect, you need to stop and restart fail2ban (doing a "restart" causes the command to hang - YMMV):

Code:

service fail2ban stop
service fail2ban start

After the service is running again, you should be able to see hosts being banned (assuming you're getting attacked) by running:

Code:

fail2ban-client status dovecot-iptables
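As an added example (not from the thread or from fail2ban itself), the Python below emulates how fail2ban applies a failregex to a log line and runs both the stock filter's last "unknown user" pattern and Zack's first added pattern over a constructed Dovecot log, showing that the stock pattern has no slot for the "Info: " severity token present in the quoted line while the added pattern catches it. PREFIX_LINE and HOST are simplified stand-ins for the common.conf macros, and every log line, user and address is made up.

```python
import re

# Constructed sample of a Dovecot-written log (with "Level:" tokens) plus one
# syslog-style line at the end; users, domains and addresses are made up.
SAMPLE_LOG = """\
Apr 17 12:57:19 auth: Info: passwd-file(alice@example.com,203.0.113.10): unknown user
Apr 17 12:57:21 auth: Info: passwd-file(bob@example.com,203.0.113.10): unknown user
Apr 17 12:57:24 auth: Info: passwd-file(carol@example.com,203.0.113.10): Password mismatch
Apr 17 12:58:02 auth: Info: passwd-file(dave@example.com,198.51.100.7): unknown user
Apr 17 12:58:40 imap-login: Info: Login: user=<real@example.com>, method=PLAIN, rip=192.0.2.5
Apr 17 12:59:00 mail dovecot: auth: passwd-file(eve@example.com,203.0.113.10): unknown user
"""

# fail2ban cuts the timestamp out before applying failregex; this matches the
# syslog-style date the sample uses.
DATE_RE = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d ")
# Simplified stand-ins for common.conf macros (assumption: the real
# __prefix_line also accepts PIDs and other syslog decorations).
PREFIX_LINE = r"^\s*(?:\S+ )?(?:dovecot: )?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Last failregex of the stock filter quoted in the thread: no room for "Info: ".
STOCK_RE = (PREFIX_LINE + r"(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,"
            + HOST + r"\): unknown user\s*$")
# Zack's first added regex, expecting "Info: "; end anchor written \s*$ so it
# matches whether or not the line carries trailing whitespace.
ADDED_RE = (PREFIX_LINE + r"auth: Info: passwd-file\(.*\,"
            + HOST + r"\)\: (unknown user|Password mismatch)\s*$")


def match_host(failregex, line):
    """Emulate one fail2ban match: strip the date, apply failregex, return <HOST>."""
    m = DATE_RE.match(line)
    body = line[m.end():] if m else line
    hit = re.search(failregex, body)
    return hit.group("host") if hit else None


def count_failures(failregex, log):
    """Failures per host, as fail2ban would tally them for one filter."""
    counts = {}
    for line in log.splitlines():
        host = match_host(failregex, line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def banned(counts, maxretry=2):
    """Hosts that reached maxretry (2 in the dovecot-iptables jail quoted above)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

Only the syslog-style line is counted by the stock pattern, so the probing host never reaches maxretry; with the added pattern the same host is over the threshold after its third attempt.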