Page 1 of 2

Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Sun Aug 09, 2015 12:41 pm
by Felix
Fail2ban is installed (Ubuntu 14.04), active but it seems it does not ban clients trying to connect via IMAP. I did a test myself, trying to connect with IMAP but with wrong password, more than 10 times.

Code: Select all

iptables -S
shows no ban and of course I'm not prevented from trying again.


The contents of /etc/fail2ban/jail.local are the defaults

Code: Select all

[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/auth.log
maxretry = 5

[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = vesta[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 5

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim4/mainlog

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysql.log
maxretry = 5

[vesta-iptables]
enabled = true
filter  = vesta
action  = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 5
Any ideas what is wrong?

------------------------------
I also found out that authorization failures in exim wouldn't result in a ban.

Re: Fail2ban & Dovecot - No ban

Posted: Sun Aug 09, 2015 8:05 pm
by Felix
It seems the dovecot filter regex has errors.

In the filter file:

Code: Select all

/etc/fail2ban/filter.d/dovecot.conf
I added the correct regex I found at dovecot wiki. Now the filter file is exactly like this:

Code: Select all

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*

ignoreregex = 

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
... and IT WORKS for both IMAP and POP3!!

Done with the help of regex101 :-)

Log file entry that MATCHES the regex:

Code: Select all

Aug 09 22:13:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<xx@x.com>, method=LOGIN, rip=8.8.8.8, lip=8.8.4.4, TLS: Disconnected, session=<w/3vqOUcaADU+2w5>
------------------------------------------------------------------------------
The fail2ban exim filter was also not working

Code: Select all

/etc/fail2ban/filter.d/exim.conf
After adding the following regex to the above file, fail2ban started working:

Code: Select all

\[<HOST>\]: 535 Incorrect authentication data
Here are the final contents of the file:

Code: Select all

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
             ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
             \[<HOST>\]: 535 Incorrect authentication data

ignoreregex = 

# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
# user injectable data.
#
# Author: Cyril Jaquier
#         Daniel Black (rewrote with strong regexs)

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Thu Feb 18, 2016 10:24 am
by pandabb
Thanks this solve my problem too..

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Fri Sep 30, 2016 3:25 am
by KhaoMaNee
Was just wondering why fail2ban was only banning SSH brute force when the otherr services have issues too. Followed your info and fixed it, thanks a lot!

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Feb 27, 2017 11:33 am
by MAN5
Me too, just realized this issue,
Im seeing lot of Dovecot failed logins / exim panic log / all shows lot of unknown email attempts.
Realized that, the VESTACP's jail.local config dont have the 'maxretry = 5' for '[exim-iptables]' & [dovecot-iptables].

I dont know what is the actual reason VESTA team has for this missed out row.
But, once i added those into my jail.local config, all fine now.

Reff: https://github.com/serghey-rodin/vesta/ ... jail.local

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Oct 09, 2017 1:26 pm
by MiguelVESTACP
Why they dont fix this bugs in a new version?

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Nov 05, 2018 9:19 am
by Bubblecatcher
Is this edit still needed?

thanks

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Sun Feb 17, 2019 8:08 am
by HenrysCat
I have added the above to my config files but still get the below in exim mail.log

Code: Select all

2019-02-17 08:02:07 dovecot_login authenticator failed for (User) [94.152.56.115]: 535 Incorrect authentication data (set_id=accounts@mydomian.com)
My dovecot.conf looks like

Code: Select all

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
and exim.conf

Code: Select all

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            \[<HOST>\]: 535 Incorrect authentication data

ignoreregex = 

# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
# user injectable data.
#
# Author: Cyril Jaquier
#         Daniel Black (rewrote with strong regexs)
#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
But failed log in attempts are never blocked, any ideas?

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Sun Feb 17, 2019 11:53 pm
by Felix
HenrysCat wrote:
Sun Feb 17, 2019 8:08 am
I have added the above to my config files but still get the below in exim mail.log
...
But failed log in attempts are never blocked, any ideas?
I see you're using CentOS. I haven't tested the config I proposed against that OS, so I can only give you generic advice, like:
  • Make sure that the path and name of the log file are correctly set in fail2ban conf
  • Make sure that fail2ban can read the log file (permissions)
  • Use fail2ban-regex command to check
Unfortunately I can't test/replicate, because I've moved the hosting of emails outside of VESTA.

Re: Fail2ban problem Dovecot exim - RESOLVED - DEVS SEE THIS PLZ

Posted: Mon Feb 18, 2019 7:28 am
by HenrysCat
Thank you Felx, I have run fail2ban-regex result below

Code: Select all

[root@server1 ~]# fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex line : etc/fail2ban/filter.d/dovecot.conf
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: No 'host' group in 'etc/fail2ban/filter.d/dovecot.conf'
[root@server1 ~]# 
Now I'm lost, is that good or bad? I see 'fail' in there.

Also in var/log/exim/main.log I see lots of entries as below.

Code: Select all

no host name found for IP address xx.xxx.xx.xxx
(xx.xxx.xx.xxx = attacking ip address)

Could that make a difference?