Fail2Ban not working for Dovecot?

Posted: Fri Apr 20, 2018 12:36 am
by StopSpazzing
After fully researching this, I can only come to the conclusion that either fail2ban isn't working right or I'm blind.

The issue:

Code:

Apr 17 12:57:19 auth: Info: passwd-file({{attempteduser}}@{{mydomain}},{{attackersip}}): unknown user

This appears in "spam" in the dovecot log. I have confirmed that fail2ban is ON, WORKING, and banning other matches such as VestaCP login failures. Using the default filter from the VestaCP Fail2Ban install:

Code:

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)

I DO have the dovecot filter enabled:

Code:

[DEFAULT]
ignoreip = 127.0.0.0/8

[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/auth.log
maxretry = 2

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = vesta[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 2

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
bantime = 86400
maxretry = 2

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log
bantime = 86400
maxretry = 2

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysql.log
maxretry = 2

[vesta-iptables]
enabled = true
filter  = vesta
action  = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 2

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
port     = http,https
logpath  = /var/log/roundcube/errors
maxretry = 3

I HAVE tested it against dovecot.log; however, none of the regexes match the issue I have (only 1 regex match over roughly 5000 entries). I am not a regex expert, but after tons of research it SHOULD be matching "unknown user" by default, which you can see in the last regex line in the filter. So what's going on here? I need help to prevent this issue. It seems others online have the same problem and no one has a solution, but this doesn't make sense.

Re: Fail2Ban not working for Dovecot?

Posted: Sun Feb 17, 2019 9:59 pm
by HenrysCat
Did you ever find a solution to this?

Re: Fail2Ban not working for Dovecot?

Posted: Wed May 15, 2019 11:38 pm
by Elfy
Same issue for me, would love to know if you found a solution.

Re: Fail2Ban not working for Dovecot?

Posted: Thu May 16, 2019 11:41 pm
by dsystem

Re: Fail2Ban not working for Dovecot?

Posted: Fri May 17, 2019 8:29 am
by Nadayan
Yes, it should work, strange, really strange. Check the files, perhaps the problem is in them.

Re: Fail2Ban not working for Dovecot?

Posted: Wed Dec 09, 2020 2:48 am
by Zack
I found the same: certain things about fail2ban were working, like the sshd protection, but not the dovecot protection. I ended up adding my own filter rules to /etc/fail2ban/filter.d/dovecot.conf

Code:

^%(__prefix_line)sauth: Info: passwd-file\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s*$
^%(__prefix_line)sauth: Info: plain\(.*\,<HOST>\)\: invalid input\s*$
^%(__prefix_line)sauth: Info: login\(.*\,<HOST>\)\: Empty username\s*$
^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s*$

Adding those four lines just below the existing regexes in there caused me to pick up bans.

You can test your filters by running this command:

Code:

fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf --print-all-missed

Before it will take effect, you need to stop and restart fail2ban (doing a "restart" causes the command to hang; YMMV):

Code:

service fail2ban stop
service fail2ban start

After the service is running again, you should be able to see hosts being banned (assuming you're getting attacked) by running:

Code:

fail2ban-client status dovecot-iptables
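The following script is an added example, not code from any post above or from the fail2ban or VestaCP projects. It shows why the stock "unknown user" pattern in the first post never fires on the log line quoted there, and why Zack's replacement pattern does: the line written by dovecot reads "auth: Info: passwd-file(...)", while the stock pattern expects "auth: passwd-file(...)" with no "Info:" token in between. The script emulates just enough of fail2ban to demonstrate this offline: %(__prefix_line)s is reduced to optional leading whitespace (an assumption; fail2ban's common.conf also allows a hostname and a daemon[pid]: prefix, which a dovecot.log written by dovecot itself does not carry), <HOST> is expanded to an IPv4 group, timestamps are assumed to have been removed already as fail2ban does before matching, and the sample log lines are constructed with documentation IP addresses. Zack's first pattern is reproduced with its end anchor written as \s*$.

```python
import re
from collections import Counter

# Constructed sample lines (timestamp already stripped, as fail2ban does before
# applying failregex). Addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_LINES = [
    "auth: Info: passwd-file(alice@example.com,203.0.113.7): unknown user",
    "auth: Info: passwd-file(alice@example.com,203.0.113.7): Password mismatch",
    "auth: Info: passwd-file(bob@example.com,203.0.113.8): unknown user",
    # older log shape without the "Info:" token, which the stock pattern expects
    "auth: passwd-file(carol@example.com,203.0.113.9): unknown user",
    # a successful login: must never count as a failure
    "imap-login: Login: user=<dave@example.com>, method=PLAIN, rip=198.51.100.4, lip=10.0.0.1",
]

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption, see lead-in).
PREFIX_LINE = r"\s*"
# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only, captured as "host".
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def expand(failregex: str) -> str:
    """Substitute the two fail2ban placeholders this example emulates."""
    return failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)


# Last failregex line of the stock VestaCP dovecot filter quoted in the first post.
STOCK_UNKNOWN_USER = expand(
    r"^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$"
)
# Zack's first added pattern (end anchor written as \s*$).
ZACK_PASSWD_FILE = expand(
    r"^%(__prefix_line)sauth: Info: passwd-file\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s*$"
)


def matched_hosts(pattern: str, lines) -> list:
    """Return the <HOST> captured from every line that `pattern` matches, in order."""
    rx = re.compile(pattern)
    hosts = []
    for line in lines:
        m = rx.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(pattern: str, lines, maxretry: int = 2) -> list:
    """Emulate the jail's maxretry: hosts with at least `maxretry` matched failures."""
    counts = Counter(matched_hosts(pattern, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pattern in (("stock", STOCK_UNKNOWN_USER), ("zack", ZACK_PASSWD_FILE)):
        print(f"{name}: matched {matched_hosts(pattern, SAMPLE_LINES)}, "
              f"ban with maxretry=2 -> {hosts_to_ban(pattern, SAMPLE_LINES)}")
```

With maxretry = 2 as in the dovecot-iptables jail above, the stock pattern matches only the one line written without "Info:" and bans nobody, while Zack's pattern matches the three modern-format lines and bans 203.0.113.7, which is the behaviour the fail2ban-regex command in Zack's post lets you confirm against a real dovecot.log. The successful imap-login line is matched by neither pattern, which is the property to re-check whenever a pattern is loosened with `.*`.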