Page 2 of 2

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Feb 18, 2019 11:54 am
by Felix
It seems that your fail2ban-regex program is facing issues. I can't be sure if your fail2ban installation (or fail2ban-regex executable) is damaged or there is something else going on.

Here is a sample output:


Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/dovecot.conf
Use         log file : /var/log/dovecot.log


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   2) [2] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5260] MONTH Day Hour:Minute:Second
`-

Lines: 5260 lines, 0 ignored, 2 matched, 5258 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 5258 lines

Notice the second to last line, where it says 2 matched. This means that the filter found 2 matches.

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Feb 18, 2019 10:11 pm
by HenrysCat
Oh, that does not sound good. Does it make a difference that SSH banning is working perfectly? Or is that nothing to do with regex?

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Feb 18, 2019 10:53 pm
by HenrysCat
I have also noticed in fail2ban.log


2019-02-18 22:44:12,091 fail2ban.filter         [3066]: INFO    [exim-iptables] Found 94.102.56.215

That is an attacking IP, but it's never banned.

Running 'fail2ban-client -d | grep mail' gives


['set', 'exim-iptables', 'addfailregex', '^(?: \\[\\d+\\])? SMTP call from \\S+ (?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sdropped: too many nonmail commands \\(last was "\\S+"\\)\\s*$']

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Wed Feb 20, 2019 10:21 am
by HenrysCat
Making progress now, I re-added the extra lines from your second post (I put them in the wrong place I think) to dovecot.conf & exim.conf files and some entries are getting banned but not all.
An example from the log below gets banned:


2019-02-17 03:52:09 no host name found for IP address 94.102.56.215
2019-02-17 03:52:12 dovecot_login authenticator failed for (User) [94.102.56.215]: 535 Incorrect authentication data (set_id=camera@mydomain.com)

and this entry does not get banned:


2019-02-20 09:57:51 no host name found for IP address 185.234.218.38
2019-02-20 09:57:53 dovecot_login authenticator failed for (76.67.34.12) [185.234.218.38]: 535 Incorrect authentication data (set_id=grace)

Any ideas?
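A quick way to see why one of those two exim lines is caught and the other is not, added here as an illustration and not part of the original thread or of fail2ban's own code: a small Python stand-in for fail2ban-regex that expands `<HOST>`, strips the exim timestamp the way fail2ban does before applying a failregex, and reports matched and missed lines. The two candidate failregexes (`NARROW` and `WIDE`) are assumptions written to show what happens when a pattern hard-codes the value in parentheses; they are not the stock exim.conf filter. The `<HOST>` expansion is also simplified to IPv4 only (fail2ban's real tag accepts hostnames and IPv6 as well). The only difference between the two quoted lines is the parenthesised token after "failed for", `(User)` versus `(76.67.34.12)`, so that is what the example exercises.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# fail2ban's real tag also accepts hostnames and IPv6 addresses).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Exim main-log lines begin "YYYY-MM-DD HH:MM:SS ". fail2ban removes the
# timestamp it detects before applying a failregex; this helper imitates that.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# The four exim lines quoted in the thread: one auth failure that gets banned,
# one that does not, and the "no host name found" lines that precede each.
LOG_LINES = [
    "2019-02-17 03:52:09 no host name found for IP address 94.102.56.215",
    "2019-02-17 03:52:12 dovecot_login authenticator failed for (User) "
    "[94.102.56.215]: 535 Incorrect authentication data (set_id=camera@mydomain.com)",
    "2019-02-20 09:57:51 no host name found for IP address 185.234.218.38",
    "2019-02-20 09:57:53 dovecot_login authenticator failed for (76.67.34.12) "
    "[185.234.218.38]: 535 Incorrect authentication data (set_id=grace)",
]

# Two hypothetical failregexes (assumptions, not the stock exim.conf filter).
# NARROW hard-codes the "(User)" token that happened to appear in the first
# attack; WIDE accepts any non-space token there, which is what the log
# format actually allows (the client chooses that value).
NARROW = (r"^dovecot_login authenticator failed for \(User\) \[<HOST>\]"
          r": 535 Incorrect authentication data")
WIDE = (r"^\w+ authenticator failed for \(\S+\) \[<HOST>\]"
        r": 535 Incorrect authentication data")


def compile_failregex(failregex):
    """Expand <HOST> (simplified, as above) and compile the failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def run_tests(failregex, lines):
    """Return (matched_hosts, missed_lines): a mini fail2ban-regex run."""
    rx = compile_failregex(failregex)
    matched, missed = [], []
    for line in lines:
        body = TS_RE.sub("", line, count=1)   # drop the timestamp first
        m = rx.search(body)
        if m:
            matched.append(m.group("host"))
        else:
            missed.append(line)
    return matched, missed


def summary(failregex, lines):
    """Same 'Lines: N lines, M matched, K missed' shape fail2ban-regex prints."""
    matched, missed = run_tests(failregex, lines)
    return f"Lines: {len(lines)} lines, {len(matched)} matched, {len(missed)} missed"


if __name__ == "__main__":
    for name, rx in (("NARROW", NARROW), ("WIDE", WIDE)):
        hosts, missed = run_tests(rx, LOG_LINES)
        print(f"{name}: {summary(rx, LOG_LINES)}; hosts={hosts}")
        for line in missed:
            print("  missed:", line)
```

With `NARROW` only the first attacker's address comes out; the second line is listed as missed, exactly the situation the post describes. With `WIDE` both addresses are extracted, and the two "no host name found" lines are still missed, which is correct since they carry no authentication failure. The same check on the real filter is `fail2ban-regex /var/log/exim/mainlog /etc/fail2ban/filter.d/exim.conf --print-all-missed`, which lists every line the failregex did not match so the non-banned entries can be compared against the pattern.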