Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Sun Aug 09, 2015 12:41 pm
by Felix
Fail2ban is installed (Ubuntu 14.04), active but it seems it does not ban clients trying to connect via IMAP. I did a test myself, trying to connect with IMAP but with a wrong password, more than 10 times.
shows no ban and of course I'm not prevented from trying again.
The contents of /etc/fail2ban/jail.local are the defaults
Code:
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/auth.log
maxretry = 5
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = vesta[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 5
[exim-iptables]
enabled = true
filter = exim
action = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog
[dovecot-iptables]
enabled = true
filter = dovecot
action = vesta[name=MAIL]
logpath = /var/log/dovecot.log
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = vesta[name=DB]
logpath = /var/log/mysql.log
maxretry = 5
[vesta-iptables]
enabled = true
filter = vesta
action = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 5
Any ideas what is wrong?
------------------------------
I also found out that authorization failures in exim wouldn't result in a ban.
Re: Fail2ban & Dovecot - No ban
Posted: Sun Aug 09, 2015 8:05 pm
by Felix
It seems the dovecot filter regex has errors.
In the filter file:
Code:
/etc/fail2ban/filter.d/dovecot.conf
I added the correct regex I found at the dovecot wiki. Now the filter file is exactly like this:
Code:
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
... and IT WORKS for both IMAP and POP3!!
Done with the help of regex101 :-)
Log file entry that MATCHES the regex:
Code:
Aug 09 22:13:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=LOGIN, rip=8.8.8.8, lip=8.8.4.4, TLS: Disconnected, session=<w/3vqOUcaADU+2w5>
------------------------------------------------------------------------------
The fail2ban exim filter was also not working
After adding the following regex to the above file, fail2ban started working:
Code:
\[<HOST>\]: 535 Incorrect authentication data
Here are the final contents of the file:
Code:
# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf
[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
            \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =
# DEV Notes:
# The %(host_info) definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
# to avoid capture beyond ")" to avoid a DoS Injection vulnerability as input= is
# user injectable data.
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Thu Feb 18, 2016 10:24 am
by pandabb
Thanks, this solved my problem too.
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Fri Sep 30, 2016 3:25 am
by KhaoMaNee
Was just wondering why fail2ban was only banning SSH brute force when the other services have issues too. Followed your info and fixed it, thanks a lot!
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Mon Feb 27, 2017 11:33 am
by MAN5
Me too, just realized this issue.
I'm seeing a lot of Dovecot failed logins / exim panic log / all show a lot of unknown email attempts.
Realized that the VESTACP jail.local config doesn't have the 'maxretry = 5' for '[exim-iptables]' & '[dovecot-iptables]'.
I don't know what the actual reason is for the VESTA team leaving out this row.
But once I added those into my jail.local config, all is fine now.
Ref:
https://github.com/serghey-rodin/vesta/ ... jail.local
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Mon Oct 09, 2017 1:26 pm
by MiguelVESTACP
Why don't they fix these bugs in a new version?
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Mon Nov 05, 2018 9:19 am
by Bubblecatcher
Is this edit still needed?
thanks
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Sun Feb 17, 2019 8:08 am
by HenrysCat
I have added the above to my config files but still get the below in exim mail.log
Code:
2019-02-17 08:02:07 dovecot_login authenticator failed for (User) [94.152.56.115]: 535 Incorrect authentication data ([email protected])
My dovecot.conf looks like
Code:
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
# Martin O'Neal (added LDAP authentication failure regex)
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
and exim.conf
Code:
# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf
[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =
# DEV Notes:
# The %(host_info) definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
# to avoid capture beyond ")" to avoid a DoS Injection vulnerability as input= is
# user injectable data.
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
But failed login attempts are never blocked, any ideas?
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Sun Feb 17, 2019 11:53 pm
by Felix
HenrysCat wrote: Sun Feb 17, 2019 8:08 am
I have added the above to my config files but still get the below in exim mail.log
...
But failed login attempts are never blocked, any ideas?
I see you're using CentOS. I haven't tested the config I proposed against that OS, so I can only give you generic advice, like:
- Make sure that the path and name of the log file are correctly set in fail2ban conf
- Make sure that fail2ban can read the log file (permissions)
- Use fail2ban-regex command to check
Unfortunately I can't test/replicate, because I've moved the hosting of emails outside of VESTA.
Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ
Posted: Mon Feb 18, 2019 7:28 am
by HenrysCat
Thank you Felix, I have run fail2ban-regex; result below
Code:
[root@server1 ~]# fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex line : etc/fail2ban/filter.d/dovecot.conf
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: No 'host' group in 'etc/fail2ban/filter.d/dovecot.conf'
[root@server1 ~]#
Now I'm lost, is that good or bad? I see 'fail' in there.
Also in var/log/exim/main.log I see lots of entries as below.
Code:
no host name found for IP address xx.xxx.xx.xxx
(xx.xxx.xx.xxx = attacking ip address)
Could that make a difference?
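A small stand-alone checker, added here and not part of the thread or of fail2ban itself, that does in miniature what fail2ban-regex does: it collects the failregex lines of a filter text (continuation lines must be indented, as in the filters posted above), expands <HOST> into a named host group, refuses a pattern that has no such group (the condition behind the "No 'host' group" error in the run above, which fail2ban-regex reports when its second argument is not an existing file and is therefore taken as a literal pattern, hence its "Use failregex line" message), and reports which host each constructed exim log line yields. HOST_GROUP and DATE_STAMP are simplified assumptions standing in for fail2ban's own <HOST> expansion and timestamp handling.

```python
import re
# Constructed filter text modelled on the exim failregex lines quoted in the thread
# (the anchored "authenticator failed" line and the short unanchored fallback).
# Continuation lines of a multi-line value MUST start with whitespace: the INI
# parser fail2ban uses reads an unindented line as a new key (or a parse error).
FILTER_TEXT = r"""
[Definition]
failregex = ^\w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data.*$
            \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =
"""
# Assumed, simplified stand-ins: fail2ban's real <HOST> expansion and timestamp
# detection are more elaborate than this.
HOST_GROUP = r"(?P<host>\S+)"
DATE_STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def parse_failregex(text):
    """Collect the failregex value(s) from a fail2ban-style [Definition] section."""
    regexes, collecting = [], False
    for line in text.splitlines():
        if line.startswith("failregex"):
            collecting, line = True, " " + line.split("=", 1)[1]  # first value line
        elif not line[:1].isspace():
            collecting = False  # an unindented line is a new key and ends the value
        if collecting and line.strip():
            regexes.append(line.strip())
    return regexes

def compile_failregex(regex):
    """Expand <HOST>; refuse a pattern with no host group, as fail2ban-regex does."""
    compiled = re.compile(regex.replace("<HOST>", HOST_GROUP))
    if "host" not in compiled.groupindex:
        raise ValueError("No 'host' group in %r" % regex)
    return compiled

def match_hosts(filter_text, log_lines):
    """Return the host each log line yields, or None when no failregex matches it."""
    patterns = [compile_failregex(r) for r in parse_failregex(filter_text)]
    hosts = []
    for line in log_lines:
        body = DATE_STAMP.sub("", line)  # fail2ban matches after removing the timestamp
        hosts.append(next((m.group("host") for m in (p.search(body) for p in patterns) if m), None))
    return hosts

# Constructed sample lines in the shape of the thread's exim mainlog entry; the
# second is an ordinary accepted message that must not produce a ban candidate.
LOG_LINES = [
    "2019-02-17 08:02:07 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (user@example.test)",
    "2019-02-17 08:03:11 1gvAbC-0001xy-Qz <= sender@example.test H=mail.example.test [198.51.100.9] P=esmtp S=1024",
]
```

Feed it the lines from your own mainlog or dovecot.log to see which failregex line, if any, extracts the client address before touching the live jail.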