Fail2Ban not working for Dovecot?
Posted: Fri Apr 20, 2018 12:36 am
After fully researching this, I can only come to the conclusion that either fail2ban isnt working right or I'm blind.
The issue:
This appears in "spam" in dovecot log. I have confirmed that fail2ban is ON, WORKING, and banning other matches such as vestacp login failures. Using default filter from vestacp Fail2Ban install:
I DO have dovecot filter enabled:
I HAVE tested it against the dovecot.log however, none of the regex matches the issue I have (only 1 regex match over like 5000 entries). I am not a regex expert, however, after tons of research it SHOULD be matching unknown user by default, which you can see in last regex line in the filter. So what's going on here? Need help to prevent this issue. Seems others online have same problem and no one has a solution, but this doesn't make sense.
The issue:
Code: Select all
Apr 17 12:57:19 auth: Info: passwd-file({{attempteduser}}@{{mydomain}},{{attackersip}}): unknown user
Code: Select all
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
Code: Select all
[DEFAULT]
ignoreip = 127.0.0.0/8
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/auth.log
maxretry = 2
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = vesta[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 2
[exim-iptables]
enabled = true
filter = exim
action = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
bantime = 86400
maxretry = 2
[dovecot-iptables]
enabled = true
filter = dovecot
action = vesta[name=MAIL]
logpath = /var/log/dovecot.log
bantime = 86400
maxretry = 2
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = vesta[name=DB]
logpath = /var/log/mysql.log
maxretry = 2
[vesta-iptables]
enabled = true
filter = vesta
action = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 2
[roundcube-auth]
enabled = true
filter = roundcube-auth
port = http,https
logpath = /var/log/roundcube/errors
maxretry = 3