Page 1 of 1

Fail2Ban not working for Dovecot?

Posted: Fri Apr 20, 2018 12:36 am
by StopSpazzing
After fully researching this, I can only come to the conclusion that either fail2ban isnt working right or I'm blind.

The issue:

Code: Select all

Apr 17 12:57:19 auth: Info: passwd-file({{attempteduser}}@{{mydomain}},{{attackersip}}): unknown user
This appears in "spam" in dovecot log. I have confirmed that fail2ban is ON, WORKING, and banning other matches such as vestacp login failures. Using default filter from vestacp Fail2Ban install:

Code: Select all

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
I DO have dovecot filter enabled:

Code: Select all

[DEFAULT]
ignoreip = 127.0.0.0/8

[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/auth.log
maxretry = 2

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = vesta[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 2

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
bantime = 86400
maxretry = 2

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log
bantime = 86400
maxretry = 2

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysql.log
maxretry = 2

[vesta-iptables]
enabled = true
filter  = vesta
action  = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 2

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
port     = http,https
logpath  = /var/log/roundcube/errors
maxretry = 3
I HAVE tested it against the dovecot.log however, none of the regex matches the issue I have (only 1 regex match over like 5000 entries). I am not a regex expert, however, after tons of research it SHOULD be matching unknown user by default, which you can see in last regex line in the filter. So what's going on here? Need help to prevent this issue. Seems others online have same problem and no one has a solution, but this doesn't make sense.

Re: Fail2Ban not working for Dovecot?

Posted: Sun Feb 17, 2019 9:59 pm
by HenrysCat
Did you ever find a solution to this?

Re: Fail2Ban not working for Dovecot?

Posted: Wed May 15, 2019 11:38 pm
by Elfy
Same issue for me, would love to know if you found a solution.

Re: Fail2Ban not working for Dovecot?

Posted: Thu May 16, 2019 11:41 pm
by dsystem

Re: Fail2Ban not working for Dovecot?

Posted: Fri May 17, 2019 8:29 am
by Nadayan
Yes, it should work, strange, really strange. Check the files, perhaps the problem is in them.