We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
It seems that your fail2ban-regex program is facing issues. I can't be sure if your fail2ban installation (or fail2ban-regex executable) is damaged or there is something else going on.
Here is a sample output:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/dovecot.conf
Use log file : /var/log/dovecot.log
Results
=======
Failregex: 2 total
|- #) [# of hits] regular expression
| 2) [2] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [5260] MONTH Day Hour:Minute:Second
`-
Lines: 5260 lines, 0 ignored, 2 matched, 5258 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 5258 lines
Notice the second to last line, where it says 2 matched. This means that the filter found 2 matches.
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Oh, that does not sound good. Does it make a difference that SSH banning is working perfectly? Or does that have nothing to do with the regex?
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
I have also noticed in fail2ban.log:
2019-02-18 22:44:12,091 fail2ban.filter [3066]: INFO [exim-iptables] Found 94.102.56.215
That is an attacking IP but it's never banned.
Running 'fail2ban-client -d | grep mail' gives:
['set', 'exim-iptables', 'addfailregex', '^(?: \\[\\d+\\])? SMTP call from \\S+ (?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sdropped: too many nonmail commands \\(last was "\\S+"\\)\\s*$']
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Making progress now. I re-added the extra lines from your second post (I put them in the wrong place, I think) to the dovecot.conf & exim.conf files, and some entries are getting banned but not all.
An example from the log below gets banned:
2019-02-17 03:52:09 no host name found for IP address 94.102.56.215
2019-02-17 03:52:12 dovecot_login authenticator failed for (User) [94.102.56.215]: 535 Incorrect authentication data ([email protected])
and this entry does not get banned:
2019-02-20 09:57:51 no host name found for IP address 185.234.218.38
2019-02-20 09:57:53 dovecot_login authenticator failed for (76.67.34.12) [185.234.218.38]: 535 Incorrect authentication data (set_id=grace)
Any ideas?
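As an added check (not code from this thread or from fail2ban itself), the Python script below mimics what fail2ban-regex does for the question above: it strips the exim timestamp, expands <HOST> into a named group (the expansion used here is an approximation of fail2ban's own), and runs the exim-iptables failregex quoted earlier over sample lines, two taken from this thread and one constructed line of the kind the "too many nonmail commands" rule targets, so the matched/missed split can be checked line by line.

```python
import re

# fail2ban expands the <HOST> placeholder into a named group before compiling the
# failregex; this expansion is an approximation of fail2ban's own (assumption).
HOST_EXPANSION = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The exim-iptables failregex exactly as 'fail2ban-client -d' printed it in this thread.
EXIM_NONMAIL_REGEX = (
    r'^(?: \[\d+\])? SMTP call from \S+ (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?'
    r'(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?'
    r'\sdropped: too many nonmail commands \(last was "\S+"\)\s*$'
)

# Exim main.log lines start with "2019-02-20 09:57:53"; fail2ban matches the timestamp
# first and applies the failregex to the remainder, hence the leading space in the regex.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a 'host' group."""
    if "<HOST>" not in failregex:
        # Same condition that made fail2ban-regex raise "No 'host' group" in this thread.
        raise ValueError("failregex has no <HOST> group")
    return re.compile(failregex.replace("<HOST>", HOST_EXPANSION))

def check_lines(failregex, lines):
    """Return (matched_hosts, missed_lines), mimicking the fail2ban-regex summary."""
    pattern = compile_failregex(failregex)
    matched, missed = [], []
    for line in lines:
        m_date = DATE_RE.match(line)
        rest = line[m_date.end():] if m_date else line
        m = pattern.match(rest)
        if m:
            matched.append(m.group("host"))
        else:
            missed.append(line)
    return matched, missed

# Two lines quoted in the thread plus one constructed exim line that this rule targets.
SAMPLE_LOG = [
    "2019-02-20 09:57:51 no host name found for IP address 185.234.218.38",
    "2019-02-20 09:57:53 dovecot_login authenticator failed for (76.67.34.12) [185.234.218.38]: 535 Incorrect authentication data (set_id=grace)",
    '2019-02-20 10:01:02 SMTP call from mail.example.net [203.0.113.5] dropped: too many nonmail commands (last was "EHLO")',
]

if __name__ == "__main__":
    hosts, missed = check_lines(EXIM_NONMAIL_REGEX, SAMPLE_LOG)
    print(f"Lines: {len(SAMPLE_LOG)} lines, {len(hosts)} matched, {len(missed)} missed")
    for line in missed:
        print("missed:", line)
```

Only the constructed exim line matches this rule; the two "dovecot_login authenticator failed" style lines from the thread are missed by it, which is the first thing to check when one entry is banned and a similar one is not.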
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
This is a syntax error if your actual dir is not / (root).
HenrysCat wrote: ↑Mon Feb 18, 2019 7:28 am
> Thank you Felx, I have run fail2ban-regex, result below.
> Now I'm lost, is that good or bad? I see 'fail' in there.
> [root@server1 ~]# fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.conf
> Running tests
> =============
> Use failregex line : etc/fail2ban/filter.d/dovecot.conf
> Traceback (most recent call last):
>   File "/usr/bin/fail2ban-regex", line 34, in <module>
>     exec_command_line()
>   File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
>     if not fail2banRegex.start(opts, args):
>   File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
>     if not self.readRegex(cmd_regex, 'fail'):
>   File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
>     'add%sRegex' % regextype.title())(regex.getFailRegex())
>   File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
>     raise e
> fail2ban.server.failregex.RegexException: No 'host' group in 'etc/fail2ban/filter.d/dovecot.conf'
> [root@server1 ~]#
> Also in var/log/exim/main.log I see lots of entries as below.
> (xx.xxx.xx.xxx = attacking ip address)
> no host name found for IP address xx.xxx.xx.xxx
> Could that make a difference?
This may work:
fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf