Fail2Ban not working for Dovecot?
Fail2Ban not working for Dovecot?
After fully researching this, I can only come to the conclusion that either fail2ban isn't working right or I'm blind.
The issue:
This appears in "spam" in the dovecot log. I have confirmed that fail2ban is ON, WORKING, and banning other matches such as vestacp login failures. Using the default filter from the vestacp Fail2Ban install:
I DO have dovecot filter enabled:
I HAVE tested it against the dovecot.log; however, none of the regexes match the issue I have (only 1 regex match over like 5000 entries). I am not a regex expert, however, after tons of research it SHOULD be matching unknown user by default, which you can see in the last regex line in the filter. So what's going on here? Need help to prevent this issue. Seems others online have the same problem and no one has a solution, but this doesn't make sense.
The issue:
Code:
Apr 17 12:57:19 auth: Info: passwd-file({{attempteduser}}@{{mydomain}},{{attackersip}}): unknown user
Code:
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
Code:
[DEFAULT]
ignoreip = 127.0.0.0/8
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/auth.log
maxretry = 2
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = vesta[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 2
[exim-iptables]
enabled = true
filter = exim
action = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
bantime = 86400
maxretry = 2
[dovecot-iptables]
enabled = true
filter = dovecot
action = vesta[name=MAIL]
logpath = /var/log/dovecot.log
bantime = 86400
maxretry = 2
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = vesta[name=DB]
logpath = /var/log/mysql.log
maxretry = 2
[vesta-iptables]
enabled = true
filter = vesta
action = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 2
[roundcube-auth]
enabled = true
filter = roundcube-auth
port = http,https
logpath = /var/log/roundcube/errors
maxretry = 3
Re: Fail2Ban not working for Dovecot?
Did you ever find a solution to this?
Re: Fail2Ban not working for Dovecot?
Same issue for me, would love to know if you found a solution.
Re: Fail2Ban not working for Dovecot?
Yes, it should work, strange, really strange. Check the files, perhaps the problem is in them.
Re: Fail2Ban not working for Dovecot?
I found the same that certain things about fail2ban were working like the sshd, but not the dovecot protection. I ended up adding my own filter rules to /etc/fail2ban/filter.d/dovecot.conf
Adding those four lines just below the existing regexes in there caused me to pick up bans.
Code:
^%(__prefix_line)sauth: Info: passwd-file\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s*$
^%(__prefix_line)sauth: Info: plain\(.*\,<HOST>\)\: invalid input\s*$
^%(__prefix_line)sauth: Info: login\(.*\,<HOST>\)\: Empty username\s*$
^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s*$
You can test your filters by running this command:
Code:
fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf --print-all-missed
Before it will take effect, you need to stop and restart fail2ban (doing a "restart" causes the command to hang - YMMV):
Code:
service fail2ban stop
service fail2ban start
After the service is running again, you should be able to see hosts being banned (assuming you're getting attacked) by running:
Code:
fail2ban-client status dovecot-iptables
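An added example, not posted by anyone in this thread, that shows why the stock "unknown user" rule from the quoted filter never fires on the quoted log line while the reply's added rule does: the logged line carries an "Info: " token between "auth:" and "passwd-file(" that the stock pattern has no room for. The `%(__prefix_line)s` and `<HOST>` expansions are simplified stand-ins for fail2ban's common.conf, the sample lines are constructed, and the reply's rule is used with its end anchor widened from `\s$` to `\s*$` so lines without trailing whitespace also match.

```python
import re

# Simplified stand-ins for fail2ban's common.conf interpolations (assumption:
# the real __prefix_line also handles syslog hostnames, pids and journald tags).
PREFIX_LINE = r"(?:\S+ )?(?:dovecot: )?"      # optional host / syslog tag
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"    # IPv4 only for this demo

# Stock rule from filter.d/dovecot.conf as quoted in the question.
STOCK = (r"^%(__prefix_line)s(auth|auth-worker\(\d+\)): "
         r"(pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$")
# Rule added in the reply, trailing \s widened to \s*.
ADDED = (r"^%(__prefix_line)sauth: Info: passwd-file\(.*\,<HOST>\)\: "
         r"(unknown user|Password mismatch)\s*$")

# Constructed sample lines, timestamp already removed as fail2ban does before
# applying failregex. The first line mirrors the one quoted in the question.
SAMPLE_LINES = [
    "auth: Info: passwd-file(bob@example.com,203.0.113.7): unknown user",
    "auth: Info: passwd-file(alice@example.com,203.0.113.8): Password mismatch",
    "auth: Info: plain(?,198.51.100.9): invalid input",
    "imap-login: Info: Login: user=<alice@example.com>, rip=192.0.2.1",
    # Constructed in the older shape the stock rule expects: no "Info:" token
    # between "auth:" and the mechanism name.
    "auth: passwd-file(carol@example.com,203.0.113.9): unknown user",
]


def compile_failregex(pattern):
    """Expand %(__prefix_line)s and <HOST> roughly the way fail2ban does."""
    expanded = (pattern.replace("%(__prefix_line)s", PREFIX_LINE)
                       .replace("<HOST>", HOST))
    return re.compile(expanded)


def matched_hosts(pattern, lines):
    """Return the <HOST> captured from every line the pattern matches."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def missed_lines(pattern, lines):
    """Lines the pattern does not match, like fail2ban-regex --print-all-missed."""
    rx = compile_failregex(pattern)
    return [line for line in lines if not rx.search(line)]


if __name__ == "__main__":
    for name, pat in (("stock", STOCK), ("added", ADDED)):
        print(name, "would ban:", matched_hosts(pat, SAMPLE_LINES))
        print(name, "missed:", len(missed_lines(pat, SAMPLE_LINES)), "lines")
```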